The exponential rise in security incidents has caused many businesses to look hard at getting their own houses in order before they become the next headline.
All too often, in their rush to move forward with these assessments, businesses fail to adequately address the most fundamental of contract terms. In some instances, security consultants create more risk than they resolve.
In hiring a potential security consultant, businesses should consider the following best practices:
Use an RFP. If timing permits, the use of a request for proposals (RFP) process will aid the business in receiving the most creative proposals, with the best pricing and contract terms. Vendors who know they are in competition with other respondents will be far more inclined to negotiate than those that believe they already have the deal sealed.
Conduct due diligence. Contact former and existing clients of the vendor, and negotiate as you would with any critical vendor. It is an ugly truth that most businesses simply do not negotiate their security consulting agreements with the same level of care that they apply to other critical vendor agreements. At best, this may lead to serious cost overruns. At worst, this may result in the compromise of sensitive business data.
Appropriate contractual protections should be negotiated in every security consulting agreement. Key points to address include the following:
Define the project. The contract should clearly define the scope of the security assessment to be conducted – for example, which facilities, systems, servers and networks are included. This means a detailed statement of work should be drafted, with the tasks to be performed by each party expressly identified.
Control costs. The contract should contain a clear budget, with all fees stated. The consultant should be precluded from exceeding that budget without the client’s written authorisation. If the vendor is unable to provide a detailed budget because “things will evolve based on the assessment,” consider entering into a more limited initial statement of work to better scope the assignment.
Detail security and confidentiality protections. All too often, security consulting agreements provide little or no detail regarding the security and confidentiality measures to be used. Worse yet, even if those measures are well defined, the consultant has little liability if it breaches those obligations.
Since the consultant will have access to the client’s most sensitive data and to highly confidential information about the security of its systems, the contract should clearly define the security measures to be used, set out detailed confidentiality protections and, generally, exclude breach of those requirements from any limitations or exclusions of liability.
Control vendor personnel. Given the sensitivity of the work to be performed, the agreement should include controls over the vendor’s ability to subcontract the work to third parties. The agreement should also require the vendor to conduct background checks on its personnel, including checks for criminal activity, particularly offences involving a breach of trust.
Warranties. While no security vendor can guarantee the security of a customer’s systems following an audit, the security vendor should be willing to warrant that it will comply with all applicable laws and regulations, and with best practices in the security industry, in performing the assessment.
Liability. Most security vendors strictly limit their liability in the performance of their services. There is nothing wrong with such an approach, but the vendor should not be permitted to limit its liability to such an extent that it has no real responsibility for breaches of confidentiality or its own gross negligence or willful misconduct. In most instances, the customer should expect the vendor to assume unlimited or, at least, very significant liability in those areas.
By being more proactive in the hiring of security consultants, businesses can ensure that they will receive the expert advice they desire, while protecting their systems and data and ensuring that costs are controlled. Businesses should expect these basic protections, and reputable vendors should be willing to provide them.