3 Questions to Ask Your Single-Provider Cybersecurity Firm
If you remember Larry King, you might know that during his time at CNN he became a legendary interviewer, having spoken with politicians, celebrities, athletes, and royalty all during his tenure.
The interesting thing about King—who died in 2021—was his technique when he spoke to all these prominent figures. Rather than ask highly convoluted questions, he was short and to the point in his interviews, forcing his subjects to dominate the conversation.
When it comes to selecting your auditor—particularly if you’re considering a single-provider cybersecurity firm—it’s important to do the same as Mr. King would’ve done and make them do the talking to convince you they’re the one for you.
Vetting your potential assessor well can mean the difference in not only how your compliance is reported, but your experience during the audit. If you’ve been through this before—or even if you haven’t—it’s likely you have a list of questions ready to go for your prospects.
What we’d like to offer now, is an “addendum” to those. Schellman has been providing assessment and audit services for two decades now, and we’ve been on the other side of the table with our clients. Larry King might’ve had a proven interview technique, but in this article, we’ll provide you with three very specific questions to ask all your assessor candidates—the answers to which can help prove them worthy.
There are several advantages to using one firm for all your compliance needs, and we’ll get into that too. But in using these questions, you’ll be able to obtain unique insight into each organization you consider working with, ensuring that you get the best fit for you and all the upside of consolidating your compliance.
What are the Benefits of a Single-Provider Cybersecurity Firm?
First things first: why would you want to opt for a single provider of all your audit and assessment needs?
Many organizations do choose to use multiple firms for different compliance initiatives, but there are a few big advantages to bringing all those underneath one “umbrella,” so to speak:
- It can drive audit efficiencies.
- The most obvious benefit, of course, is that one audit firm makes sharing evidence a lot easier. You can work with assessor staff to establish central collection and dissemination, rather than having to pull and send from multiple sources.
- It can drive administrative efficiencies.
- Only working with one assessor can minimize contract actions. Your procurement department would only be working with one legal team, and similarly, your billing personnel would only need to send and collect invoices from one place.
- It can make things easier on your internal team.
- Our client, Lumen, who did choose Schellman as its single-provider firm, said it like this: “Working with multiple audit firms is like being in a swivel chair, constantly moving left and right—there’s a lot of extra diligence in that.” But when it’s just the one they’ve got to coordinate with, that can ease the burden on your staff and make the entire experience much easier.
Of course, this isn’t a simple thing to set up—compliance is complicated and it would take effort to strategically align everything to a positive point.
But if you are so inclined to take advantage, you’ll also need to ensure you get the best firm for you. That’s where these questions come in. For a clearer picture of what you might be working with, add the following to your list of inquiries for each single-provider firm you vet.
What Should You Ask Your Auditor?
1. Ask Them About the Companies They Work With.
Because oftentimes audit firms can offer so much, that usually means they serve a wide variety of organizations. You may come to find that they work with upwards of a thousand clients, but you need to probe deeper than just pure numbers, and here’s why:
- To get a clearer idea, it’s important to distinguish between the volume of clients overall that may use them for one service (like pen testing or SOC) versus those that successfully use them for multiple services across different compliance domains.
- If they’ve worked with an organization similar to yours—whether in size, industry, or other criteria you value—there’s a certain degree of likelihood of some familiarity transferring over when they work with you. Make sure they can cite references for you.
- Moreover, if they’ve worked with organizations you recognize and respect, that may win them some subtler points with you as well.
2. Ask Them About Their Commitments to Their Service Lines.
Before you choose a firm, you should understand their actual commitment to the specific services you’re procuring from them. Why? Because “all services under one umbrella” is a great concept, but everyone has different specialties among all the products they offer.
Of course, you’ll need to understand what all they’re accredited to do for you, but dig deeper. Ask them:
- How long have you been providing this service?
- How many people do you have working in that service? Or, how many trained personnel support that service?
- What’s been the growth over the years of the service, and do they project any in the future?
- What level of interaction do the service line leaders have with the accreditation bodies and/or industry support groups that help support and mature the standards themselves?
You might even push deeper to understand if they also participate within industry standard bodies to get an idea of their leadership in those spaces.
If you’re committing to an organization for an extended amount of time, you need to make sure that the assessor you choose can continue to deliver quality in the area you need.
3. Ask Them How They Promote Consistency on Their Audit Teams Year over Year.
If you’re going to put all your eggs in one basket, you want the benefits. And one of those is the advantage of the same—at least to a degree—audit team.
Compliance generally requires continual assessment over time. What would make that easier is the same team coming in to work with yours, year after year.
Not only will having the same team conducting your audits mean that you can expect the same process—and efficiencies—but it’ll mean an easy building of rapport between your people and the external assessor.
Having to reestablish relationships with new auditors is exactly what you would have to do if you were bringing in different organizations to assess different things. If you’re going to use just the one, ask them about their internal culture regarding how they staff projects and if getting the same team is likely.
Next Steps in Choosing Your Assessor
There are a lot of reasons to opt for a single-provider cybersecurity firm, like efficiencies in more than just your audits and less of a workload on your internal staff. But to reap the advantages, you need to find the best cybersecurity services firm to meet your needs.
Now, you have three more quick questions to add to your arsenal when making a decision. You might not be Larry King, but you’ll glean plenty of useful insight to inform your final decision.
Schellman is one of these single-provider firms that you might consider, and if you think you’d like to discern our answers to these questions, we’d love for you to reach out to us. And while we’re obviously partial, we do recognize that there are other firms out there who have similar skill sets in many different kinds of compliance.
For more information on some of your other single-provider options, read our article on other cybersecurity firms and their services and how Schellman stacks up against them.
About JORDAN HICKS
Jordan Hicks is the Manager of Content at Schellman. As the owner of content marketing initiatives across all digital platforms and formats, she is responsible for the ideation of content, the authoring and development of the content, as well as developing and managing the editorial calendar to ensure the marketing goals are met as it relates to content.