Demystifying the information security consultant selection process

Finding the right information security consultant is a boon for organizational security. We consult India's top CISOs to discover the optimal means to select an IT security consultant.

While some companies may be hesitant to spend an already tight budget on security consulting services, Indian companies often need security consultants for two reasons. The first is that these companies often lack the requisite skill sets for a specific information security project. The second reason is that information security consultants can provide a different (yet objective) viewpoint on a specific company initiative or security management process. Thus a consultant offers the most feasible approach for such organizations.

The kinds of information security management typically outsourced to external information security consultants range from routine IT security activities (such as management of firewalls and antivirus) to management processes such as physical and environmental security, incident management, vendor management processes, vulnerabilities that may cause severe information leaks, and business continuity planning.

Boiling down the options

Most Indian organizations maintain lists of vendors and consultants. It's essential that such lists are maintained for information security consultants as well. "In case your organization is yet to make such a list of information security consultants, use Google, technology forums and blogs to create vendor lists," says Sachin Jain, the chief information officer at Evalueserve. For Satish Das, the chief security officer of Cognizant Technology Solutions, the professional peer network is yet another source for information security consultants.

Once your organization has created a list of service providers, it's time to raise a request for proposal (RFP) to these vendors. Vendors respond to these RFPs with bids that usually give a snapshot of the vendor's methodology, proposed team structure, expertise with similar projects in the past, timelines and, in some cases, client testimonials. These bids also include fees to be paid to the consultant. From these multiple bids, your organization's head of IT security should select the consultant best suited for the job.

When selecting an external information security consultant, the first parameter to consider is the consultant's background. Also consider industry verticals served by the consultant and the projects he has handled previously. "If a consultant has been able to handle complex projects in verticals like large financial sector companies where security is top priority, I have the confidence that my project is in safe hands," says Sachin Vaidya, the associate principal in charge of information security at eClerx Ltd., a Mumbai-based knowledge process outsourcing firm.

The right fix

  • Be in the know: Identify exactly what is needed from the information security consultant
  • Client sensitivities: Ensure that your client is comfortable with your consultant
  • Background checks: Ask for references, or ask your network of professionals for feedback on the consultant's past work
  • Education and certification: Select only those consultants who have the skills with which you are comfortable
  • Beware of big talk: Ensure that a consultant can deliver on the value promised

For many Indian chief information security officers (CISOs), a consultant's brand name and market reputation are paramount. Most Indian businesses with foreign clients (such as business process outsourcing companies) typically choose names that are well-known abroad so that their clients are comfortable. "Since I have clients based mostly out of the U.S. and U.K., I want only those who are well-known to my clients on board," Vaidya says. He notes that even when a consultant has a small team rich in skill sets, experience and qualification, he may not opt for them if he is sensitive about his client's preferences.

When it comes to lesser-known information security consultants, India offers an abundance of choice. Many such firms have been set up by highly experienced information security consultants, with teams drawn from reputed Indian institutes. But Evalueserve's Jain may not opt for such a consultant, especially for a client-facing project.

On the other hand, CISOs like Das are more open to selecting a lesser-known but capable information security consultant. These CISOs may not necessarily opt for the likes of the big four. As long as the consultant gets good references from Das' trusted peer CISO community, he places the vendor on his short list. "I will look for quality of service, the consultant's background, resources employed (certifications, expertise, etc.) and how well known they are in the industry," Das says.

The consultant selection process should also involve looking into a consultant's methodology for solving problems. If the consultant is being hired to check existing processes for loopholes and vulnerabilities, also factor in the evaluation method the consultant proposes to use.

In India, it's common to find consultants who respond to RFPs by presenting their offerings in a well-packaged format (to gain an advantage over the competition). In such situations, it's essential to gauge whether the consultant has glossed over facts and exaggerated his offerings simply to win the deal.

Companies must also clearly identify the areas where an external consultant's help is required. It's best if your organization defines these areas. Once you define the scope of work, conduct negotiations to include staff education and training depending on the assignment's nature.

According to Jain, it's essential to be wary of vendors that price their offerings substantially below what is offered by the "big four." "Smaller companies claim to offer more than is expected of them at a much lesser price than those offered by the big four," Jain notes. "However, quality often gets compromised in such cases."
