AEIT Solutions, Inc. · (919) 878-3558

Updates

Beware of "Do-It-All" Information Technology Companies

While most businesses are now considering the security of their networks, hundreds of IT service providers are already battling for a share of a market that is showing strong growth. Business-technology managers should be especially cautious, since not all of these providers can do what they claim.

Nothing frustrates me more than "we do it all" IT companies. I even know of a company president who was asking me for advice three months ago and is now giving security presentations to groups. These companies typically consist of a couple of people who act as if they have expertise in commercial and residential security, web design, networking, communications, washing cars, and so forth. The fact is, about 68% of these companies will not be around after two years. With many clients unclear about the variety of technology in the marketplace, these companies simply give all IT professionals a bad name.

We know that the competition is expected to intensify. With the Sarbanes-Oxley Act, HIPAA, and the Gramm-Leach-Bliley Financial Services Modernization Act setting the precedent, many industries will be forced to adopt prudent security measures on their computer networks. Demand is increasing, and predators are well aware of it. The following will help technology decision makers make an informed choice:

  • References: Unfortunately, many companies are sensitive about the outcome of their assessments and elect to keep their identity confidential. I would suggest that you ask the IT company for non-company-specific details about recent assessments. Questions may include:
    • What was done,
    • How was it done,
    • Why was it requested, and
    • What was the outcome.
  • Technicians: Verify who will be performing the assessment. Is information security their only profession? What tools do they use? They should be able to name at least five without hesitation. Ask them about their experience. Do you want someone who can pass a test or someone with years of hands-on experience? The answer: both!
  • Certifications: If someone is going to break into your network, you should consider whether they have had some formal guidance. I would not consider anyone without at least one of the following certifications: CISSP, CISA, CCIE, SSCP.
  • Assessments: The most common is probably the vulnerability assessment, or VA, in which the assessor takes the role of the organization's security staff rather than that of an attacker. A VA can be wide (an entire network) or narrow (a single application). The goal of a VA is to expose and understand the vulnerabilities within a system, then offer recommendations for improvement.

    Pen testing is an extension of a VA. It often uses the results of a VA and requires specialized knowledge and tools. People often confuse it with a VA, but they are very different: the purpose of a pen test is to 'prove' that vulnerabilities exist or, more commonly, to test network or application defenses and the teams that respond to them. Truthfully, I've only seen a few networks that would benefit from this type of test. VAs are a better way to improve system security.

    The third type is a risk assessment. This is a very technical assessment that categorizes and ranks the various risks within an organization. Inputs for this type of audit vary, and may include a VA, previous audits, reviews of policies, standards and procedures, and staff interviews.

Business-technology managers should be cautious when choosing IT services. Resist the temptation to jump at the cheapest price: your entire company or division is at risk.

— Anthony Integlia
