Enterprise Smarts

Making the Case for Consulting Services

By Tom Schmidt

Everything about your company -- from product development to sales to finance to policy compliance to human resources -- is managed through your information system. In a very real sense, your information is your company. And how you protect it, manage it, and put it to work will ultimately determine your business success.

Because of the increasingly vital role played by information technology, more and more enterprises are turning to consulting services to help them determine the best ways to safeguard it. Security consulting services provide organizations with best-practice security measures through assessments, planning, and design consultation -- all of which help organizations establish and maintain a more secure business environment. Indeed, for many organizations, security consulting services have become essential and trusted partners. This article will examine some of the specific capabilities consulting services can provide, and how they can help organizations understand their current security posture and adopt an approach to security based on organizational priorities.

A growing market

How important are consulting services to today's enterprises? According to researcher Gartner Inc., the market for security services in North America is expected to grow from $4.108 billion in 2001 to $8.999 billion in 2006, a compound annual growth rate of 17 percent. Security consulting will be the largest segment of the security services market (40 percent) in 2006, Gartner predicts.

What services in particular enable organizations to establish and maintain a secure business environment? The following services are critical:

  • Baseline Information Security Risk Assessment
  • Vulnerability Assessment
  • Anti-virus Policy, Planning, and Design
  • Incident Response and Recovery

Let's take a closer look at each of these services.

Baseline Information Security Risk Assessment

In recent years, the number of attacks against companies' information systems and networks has increased alarmingly. The Internet Security Threat Report from security firm Symantec found more than 1,237 new vulnerabilities in the first six months of 2004, an average of 48 new vulnerabilities per week. Seventy percent of these vulnerabilities were considered easy to exploit, and 96 percent were considered moderately or highly severe.

Such numbers make a strong argument for a Baseline Information Security Risk Assessment, which can provide the cornerstone of a company's information security risk management program. In this assessment, security consultants examine the administrative, technical, and physical security controls that a company uses to protect its computing environment. The resulting report provides a basis for designing and implementing cost-effective information security controls. Such an assessment not only helps companies demonstrate due diligence and fiduciary responsibility, but it also provides a true picture of vulnerabilities in their critical systems and the corresponding potential business impact should those vulnerabilities be exploited.

To provide a Baseline Information Security Risk Assessment, consultants perform the following tasks:

  • Determine the status of a client's information classification program

  • Document critical business assets

  • Evaluate an organization's administrative security controls

  • Assess physical security

  • Evaluate a company's information security implementation and configuration management

  • Conduct a "controlled intrusion" test

  • Develop an information security roadmap

Vulnerability Assessment

In a vulnerability assessment, consultants conduct a review of all possible technical and administrative vulnerabilities that can be leveraged to launch an attack against an organization's critical data and information systems.

As part of this assessment, consultants:

  • Interview key company members to gather the data necessary to support the technical portion of the assessment

  • Gather data about administrative, physical, and technical controls in an organization's environment

  • Perform host-based and network-based vulnerability assessments

  • Analyze data to determine existing vulnerabilities, the potential for exploitation, and the impact that would result

The result of the assessment is a set of reports that outline an organization's administrative, physical, and technical control shortfalls. It also provides companies with an accurate security profile of essential information systems, enabling them to track their security measures and demonstrate progress to management, stakeholders, and regulators.

Anti-virus Policy, Planning, and Design

Planning and designing an enterprise-wide anti-virus security solution isn't simple -- companies require the right skills and experience to assess their network architecture, identify points of entry for virus threats, and develop appropriate security policies. But developing such a solution has never been as urgent as it is now. According to the Internet Security Threat Report, the time between the announcement of a vulnerability and the release of associated exploit code is now extremely short. The data indicates that, in the first six months of 2004, the average vulnerability-to-exploit window was just 5.8 days.

As part of an Anti-virus Policy, Planning, and Design service, consultants:

  • Review and assess a company's virus protection practices
  • Document how a client's network topology is structured and used

  • Fully test a pilot implementation

  • Advise clients on how to implement policy and technology decisions necessary for the successful integration of an anti-virus product

  • Provide documentation that clients can use as a reference when they need to update or change networks or anti-virus operations

  • Provide documentation that a company needs to roll out and manage full virus protection deployment across the entire enterprise

The bottom-line goal of an Anti-virus Policy, Planning, and Design service is to help clients get the most from their anti-virus protection. Such a service educates customers on how to properly install and deploy their anti-virus solutions in a way that works best for their unique computing environment.

Incident Response and Recovery

The challenge facing IT departments today is clearer than ever: support the business goals of the enterprise by ensuring the safety and accessibility of its information assets. Anything that disrupts this safety and accessibility creates downtime, and downtime costs the company money.

When an incident does occur, a security consulting service can help IT by working quickly to define the scope of the security breach, minimize damage, and correct vulnerabilities that contributed to the event. Consultants also know how to preserve evidence for criminal proceedings and work with international law enforcement agencies as needed.

Consultants can help develop a client's security operations to detect, respond to, and quickly recover from information security incidents. Such a service offers a combination of policy development, emergency planning, and disaster-recovery components.

Specifically, a security consulting service can:

  • Establish an incident response and recovery function within a company

  • Develop incident response policies and procedures

  • Establish an incident response communications plan that details how to notify team members, management, and other entities, as necessary, when a security incident occurs

  • Identify and categorize information security events so the organization's security staff can identify genuine security incidents and take steps to contain and eradicate the threat

  • Contain an incident and eradicate the cause of a security incident. Consultants can also develop a course of action for company incident response and recovery team members to follow once they positively identify a security incident.

  • Recover and follow up after an incident. Consultants can help clients outline procedures to recover systems that have been damaged as the result of a security incident.

  • Conduct training

Conclusion

Today's CIOs are not only being asked to keep the business up and running, but to implement and maintain new capabilities that will enable the enterprise to pursue new opportunities, attack new markets, and maintain competitive advantage. In this challenging environment, consulting services have an increasingly important role to play. Ultimately, an effective partnership with a security consulting service can help you manage your IT resources to prevent disruptions, minimize downtime, and expand your capabilities.

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.
