When I moved to the UAE about two years ago, one of the biggest challenges I faced was identifying a good, or even a value-adding, service, starting from simple things like choosing a maid or a hairdresser. I had to learn the hard way that nothing guarantees a good service – unlike in Europe, where the rule of thumb “you get what you pay for” works quite well. I went through several iterations, from expensive services being bad to cheaper services being even worse. In the end I was close to giving up before I finally found a way towards a solution:
- Choose somebody you either know very well, or somebody who was strongly recommended to you by customers with similar needs
- Get enough knowledge of the topic in question to judge the service provider. I turned into an expert in cleaning devices and liquids, as well as in hairdressers’ jargon, just to make sure the person I was speaking to was knowledgeable in their subject
- Find a service provider you can relate to, e.g. through a similar background (culture, language, etc.)
You would think that similar considerations could be applied when selecting services for information security. Unfortunately, the situation is not quite as easy to manage. Relating the recommendations above to the situation you might face when selecting information security consultancy services, the following might be of help:
a) Reference customers: it is always good to speak to others who have used the service before, so checking the references provided by a consultant can always help. It is even better when you can go to a reputable source of opinion, i.e. an independent organisation that knows about different service providers. However, the sheer number of references alone should not guide you; it is more important to check the quality of the service that was provided.
b) Judging the quality of information security services is quite difficult, and becoming an expert in the subject is not realistic in a short time frame, so other criteria need to be used. As long as it is just the implementation of a product, there are indicators that can be used, e.g. “Was the implementation completed in the expected time?”, “Does the product work as intended?” or “Does the product provide the protection expected?”
Judging the quality of strategic consultancy services, such as a risk assessment or preparation for ISO/IEC 27001 or ADSIC certification, is far more difficult. The obvious criterion “Can certification be achieved or even guaranteed?” is not as helpful as it sounds – the effort that goes into implementing an information security management system is worth far more than just having the certificate on the wall.
An organisation does not gain much if the management system in place cannot easily be maintained and is not integrated into the organisation’s work processes, so the service provider should be questioned on how they intend to ensure that the processes and controls implemented remain sustainable, and on how knowledge transfer to your own staff will be achieved.
c) Check the background of the consultants working for the service provider: whether these people have sufficient and broad experience and the right background, whether they come from regions you can relate to, whether they are involved in regulatory or standards-creating bodies (which ensures an understanding of the frameworks to be applied), whether the high-profile consultants in the organisation will actually be available for your project, whether the service provider applies professional and ethical work practices, etc.
d) Finally, if you discover that your choice of information security service provider was sub-optimal, you should make use of your prerogative to decide who you would like to work with. It is not true that the unknown is naturally worse than what you are facing at the moment, and the energy you waste fighting for your fair share of service might well be put towards other important issues.
Hopefully, this blog will help you in choosing good services. Remember: The choice is yours, so choose wisely!