If there's one topic that is likely to make any CIO's or IT Manager's wallet hurt, it's information security.
With all the recent media coverage of data theft, credit card theft, theft of Personally Identifiable Information (PII) and identity theft, every organisation, from the sole proprietorship to the massive international megacorp to the critical government agency, knows that it needs information security and suspects that it lacks it.
It's one thing when a small-town restaurant's Twitter account gets hacked, but it's something else entirely when a government agency charged with performing background checks for security clearances cannot keep the PII of its investigation subjects secure.
And while the megacorps can call on mega-consultancies, and the big government agencies can call on - well, let's hope they figure that one out - who are the smaller organisations supposed to call upon for help?
Information security is a specialty trade and experts do not come cheaply.
With so much demand and relatively little supply, the market is primed for a rise in specialty firms and independent consultants offering Security as a Service (often abbreviated SECaaS, since SaaS usually means Software as a Service), and advertising great savings.
These may be tempting, especially when the latest hacks are front page news, but small to medium sized organisations should think before they act. Here's what you should consider.
There are no silver bullets
First and foremost, there are no silver bullets, quick fixes or easy outs here. Security is a mindset, a way of life, and it must be pervasive throughout all of your information systems: logons, drive encryption, application hardening, secure remote access, and dozens of other things besides.
If you are looking to ensure your information technology infrastructure is secure, you need to make sure that the consultant or firm you choose to assist you has practical experience with all of your systems.
One size does not fit all
Two organisations with the same number of employees, the same annual revenues and the same number of systems will not have the same needs.
You may want a fixed fee engagement, but unless the provider is so large, and has such a mark-up on its services, that it can absorb the variance from one project to the next, expect the really good ones to quote on a time and materials basis.
Security is best when it is layered, and a security assessment has to peel back those layers to truly understand what is going on. Until the assessor is three layers down, nobody knows what to expect at the fourth, so plan for the engagement to cost what it costs.
Expertise is not gained overnight
A lot of consultants may choose to hang out their shingle to meet this rising demand. It is fine if they are relatively new to working for themselves, but they should have years of industry experience as security practitioners in order to be truly qualified to help you with your security.