“Knox has delivered sound education to the financial community around their responsibilities” – Investment Group
"Their process has identified departments that handle financial data for which we were unaware" – Customer's Compliance Officer
What to look for in a Security Consultant!
Q1. As an organization, how do I identify the right consultant?
Information Security has its Big 3, which is Governance, Risk and Compliance. Corporate America has its big 3 industries, which are Financial Services, Healthcare and Ecommerce. Here is my Big 3, ECF: Experience, Certifications and Former Executive.
As an organization, you want a consultant with solid years of experience in the private and public sectors. This type of experience will yield great success in the planning and securing of your operations. As an organization you should want a former executive because they have experience speaking with the C-suite and making decisions globally, are adept in cultural reform, are well versed in implementing frameworks from zero, and know how to make effective decisions under a collapsed budget.
A consultant with a proven track record of success in the private and public sector will yield great dividends for your organization.
Q2. What knowledge should the consultant have in relation to Compliance?
Your consultant should have non-consultant experience in leading global initiatives for compliance. The reason I say non-consultant experience is that a consultant can only give you a consultant’s perspective based on the number of clients they have engaged; they don’t have a track record of implementing compliance at the highest level, and they haven’t dealt with collapsed budgets, board communication and cultural change. As an organization you should aspire to engage a consultant with this type of skill set.
Q3. Should my consultant have knowledge in both the business and technology fields?
Having business knowledge is paramount in speaking with the Board and other C-suite executives. An experienced individual will understand how to speak tech talk when needed and how to speak with non-technical staff to ensure the message and mission is understood. Business leaders are concerned with the bottom line and profitability. Speaking in these terms will ensure that security is given the attention it deserves once the Board understands the impact of a breach on financials, customer loyalty and brand reputation.
Having a sound technical understanding of networks and how they are connected is paramount when setting the direction and auditing a firm's information technology controls. A true security leader must wear two hats and stand with one leg on each side of the firm. One leg must be planted on the information technology side, the other on the non-technical side of the house. Being able to relate to the technology staff and explain the direction to them will gain their respect and loyalty, and their trust in the decisions that are recommended.
Present business risk:
Having experience in presenting business risk and impact to Boards, and in defending the strategy, is the type of experience that is required to shape an organization. It takes that type of experience to persuade Boards to follow your strategy. Gaining the confidence of the decision makers and showing value is the only objective, together with defending the enterprise so the business can grow, expand and maintain profitability.
Threats to information security have always existed for businesses; however, threats and breaches are now being publicized, and this gives leaders the impression that these issues are new. Information security will continue to evolve, and while the threats are far more complex than we are capable of handling, aligning yourself with the right consultant and firm to aid you in this war is no longer optional.