Are you looking for a cyber security consultant in Minneapolis / St. Paul Minnesota area to help you with your information security program? Look no further, you’ve found the right place.
Finding the right consultant is difficult. Strong industry demand, combined with the high technical skill required and a low number of qualified workers, makes it challenging to find the right person. In addition, when you look at the breadth of the cybersecurity consulting field, it can be even more difficult to find someone with the unique niche skills you want to see. You’re also going to want someone with good social, communication, and business skills to help you execute your project.
Here at Asher Security, we want to be the best at what we do. We offer cybersecurity consulting in a few select areas of information security pillars. Let us explain what we offer, and if we can’t service your information security needs we have a list of other great Minnesota cyber security consultants you can look at to ensure you get someone with the right skills and abilities to make your program a success.
We are information security experts on the following topics:
Assessments:
- Cyber Security Risk Assessments
- Information Security Maturity Assessments
- Cyber Security Controls Review & Governance
Program Development:
- Cyber Security Policy & Program Development
- Data Classification Programs
- Secure Configuration & Standards Development
- Cyber Security Awareness
- Vulnerability Management Program Development
- Secure Endpoint Program
Procedure & Process Development:
- Procedure: Incident Handling & Response
- Governance Control Process
We offer these services to businesses we know we can deliver outstanding value to. We offer our cybersecurity consulting to:
- Companies > 2,000 Employees
- Manufacturing Industry
- Healthcare Industry
- Financial Industry
How Do You Know if Someone is a Good Cybersecurity Consultant?
Certifications
Many people will look at a consultant’s information security certifications to validate that they have been accredited by an industry-leading organization on their security skills. You’ll often see CISSP (Certified Information Systems Security Professional), GIAC (Global Information Assurance Certification), CEH (Certified Ethical Hacker), and CISM (Certified Information Security Manager). These are the leading security certifications.
Even though this is an important attribute of a successful cybersecurity consultant, it doesn’t define how good they are at engaging with you as a consultant. The certification is evidence that the consultant has proven they have sufficient cybersecurity skills as measured against these professional institutions.
Ability to Diagnose
The best attribute any successful cyber security consultant can have is the ability to ask questions, listen, and diagnose. At the heart of any consulting engagement is a problem. The success of the engagement, and how successful the solution will be, depends entirely on the diagnosis of that problem.
That is why at Asher Security we do not sell products. We believe that selling products can influence the motivation of problem diagnosis. So we don’t sell products.
Some cybersecurity consultants will offer ‘Free’ assessments. What you will receive in the end is a list of products you should buy to secure your business. We don’t perform these free assessments.
We believe our cyber security risk assessments provide far greater value than free assessments because we get to the heart of the issue and provide recommendations and road-maps on process improvements, procedure enhancements, security control improvements, and cyber maturity paths. When we deliver these results, and your business sees the issue, the crux of the problem, and a road-map to the solution, the consulting engagement is a success. We can always help recommend products to you afterward. Recommendations are free. But often, these improvements can be made without additional investment in cyber security tools.
The best analogy I can give is this: let’s say you wake up with chest pain. You’ve heard that heart disease, stroke, and high blood pressure all have related symptoms and are critically serious issues for your health and your life. It might be nothing, maybe just the coffee you had too late in the evening after going out for Mexican food. But without addressing these symptoms and diagnosing what’s happening, it could have fatal consequences. So you decide to go to a professional. You’ve got two options.
Option 1 – The free professional
He has offered to see you for free and hear about your chest pain. The catch is he’s got a case full of a single brand of heart medicine and he makes his living selling it. If your symptoms match some of the symptoms his medicine solves, he will recommend you buy his medicine and this should solve your problem.
Option 2 – The paid professional
He charges to see you, and for that cost will diagnose the exact problem you are having without selling you anything. He will take samples and measurements, and use high-tech tools to get to the root of the issue. He will be able to figure out if this is serious or benign. He is on your side, hoping this is benign. It doesn’t cost him any more or less if this is serious (unlike other professionals who make you feel the weight of the sky falling to motivate your actions). At the end of the engagement, he will tell you if this is high blood pressure, a serious heart issue, or just temporary heartburn. He will prescribe a solution and steps you can take to address the issue. These steps might include a prescription for medicine (often you can choose a generic or ask for a different brand), or they might include improvements you can make in your lifestyle, like diet and exercise, to decrease the symptoms. Either way, the professional doesn’t make any more money by recommending a healthier lifestyle than by recommending medicine.
Case Study
We recently engaged with a client that had been the victim of several spear phishing attempts. The business contact was already engaged with another security company that offered security consultants. These security consultants recommended that the client purchase an information security awareness training program. This was a prepackaged, ready-to-go solution. The other consulting company told the client that they had been the victims of spear phishing because untrained users were clicking on malicious messages. They told the client their users needed training. If they bought this training and supplied it to all their users, this problem should go away.
The client reached out to us at Asher Security because they wanted to know if the price of this security awareness training was normal and acceptable. They had gotten our name from a friend who told them they could trust us. (We really appreciate that – what a compliment!)
We began the conversation by doing what the client asked us to do: provide an opinion on the price. We quickly considered what the leading vendors were charging and asked the client how many users they planned on having take the training. Based on that information, we told them we felt the price was above the industry standard for an ‘online’ self-paced program that did not provide on-premises training. We then asked if we could ask some questions. They gave us permission to take a little more of their time.
We were able to figure out that the root issue was that one of the C-level administrative assistants was getting emails posing as the executive, telling them to transfer money. This was a ‘spear phishing’ attempt and not a general ‘phishing’ attempt. We looked at their email security and were able to confirm that over 95% of inbound phishing attempts were getting blocked.
We recommended to the client that they allow us to train the administrative staff on spear phishing. In less than an hour we would cover how to identify it, how to respond, and how to notify security. The scope would be three people included in the onsite training, with plenty of time for Q&A. We would also provide a quick one-page instruction for the C-levels on how to properly request a transfer. The cost savings were significant: approximately 2% of the original solution proposed by the other consulting company. That figure does not even include the labor cost saved by not having everyone in the company attend training.
By diagnosing the exact issue, we were able to recommend a targeted solution. Would information security awareness training for the entire company have been beneficial? Yes, it would have benefited them. But based on the risk and the current set of controls, it was not required to fix the immediate problem the client was trying to solve. The client was made aware of the long-term benefits of security training for the staff and is going to consider budgeting for it in the future.
Industry Experience
The next most important attribute a cybersecurity consultant can offer is industry experience. At Asher Security, we appreciate all cyber security professionals: young, old, new, mature, funky, traditional. But we only put the ones with experience in front of you to help you with your specific security issue. We sometimes have a consultant with less experience partner up with them, but you always get depth and breadth of experience.
Why is industry experience important? Aren’t all security issues the same?
We have found through our experience that security issues are often unique to the business vertical. At the core of those issues are technologies that can help, and those technologies can have features that are universal across industries. But the issues themselves are often unique. Not only are the issues unique, but the criticality of each issue and how it connects to other issues is unique within each industry.
An example of this is the type of data. We believe that at the heart of every cyber security issue is a data issue. So then, we must be experts in data and how to protect it. To be an expert on the data, you need to understand where the data is born, how the data moves, where it goes, what it leaves behind, what vehicles it travels in, and where it goes to die. We’ve observed that this behavior of data is unique within each industry.
Understanding the type of data that is critical to the business, where the data begins, where it goes, how it gets there, and where and how it’s destroyed is fundamental to the success of a cyber security consultant. You want someone with experience to help you with this. When someone has experience, it speeds up the process. The decrease in time often equals an increase in savings.
We also focus on certain industries not only because we can add the most value to those businesses and have the most experience there, but also because we’ve made a lot of mistakes. We’ve learned from those mistakes and can use them to prevent your business from having another consultant make the same mistake. We learn. Sometimes hard, sometimes fast, but we do learn from our failures, and you are the beneficiary of that.
Cyber Security Skills
After the ability to diagnose and industry experience, the consultant should have cyber security skills. There is a wide range of security skills a professional can develop, from policy development to secure coding and development. A great resource for comparing and organizing these skill categories is the eight domains of security developed by ISC(2) and used to test professionals in their pursuit of a leading cybersecurity certification.
Here are the eight domains of security as outlined by ISC(2):
- Security and Risk Management
- Asset Security
- Security Engineering
- Communications & Network Security
- Identity & Access Management
- Security Assessment & Testing
- Security Operations
- Software Development Security
For a summary of each, I will quote the well-explained descriptions from NetComLearning.com (https://www.netcomlearning.com/blogs/76/133/What-You-Need-to-Know-About-CISSP-Domains-in-2018-training.html):
1. Security and Risk Management: This domain explains various aspects of potential security risks. Basic concepts of information security, including CIA (Confidentiality, Integrity, and Availability), are focused areas in this domain. Aspiring CISSP certification professionals are educated and then evaluated on the key skills of defining and implementing security policies and procedures. High-level risk management to safeguard hardware, software, and services are expertly illustrated in the Security and Risk Management domain, along with the primary key areas of security governance principles, control frameworks, legal and investigation regulatory compliance, security policies, standards, procedures and guidelines, risk management concepts, and threat modeling.
2. Asset Security: Asset security domain deals with data management issues. It explains various roles and permissions regarding data processing and privacy concerns. This domain focuses on teaching the fundamentals of information and asset classification, data and system ownership, protecting privacy, data retention, data security controls, data handling requirements, and public key infrastructure (PKI).
3. Security Engineering: This comprehensive domain addresses the requirement to understand the vital elements of engineering models, designs, and processes. Database security, vulnerabilities, clouds, and crypto systems are the primary topics covered in this domain.
4. Communications & Network Security: Network design and protection is the focused area of this domain. Key areas for achieving expertise in this domain include the essentials of various communication protocols, network architecture, segmentations, firewalls, IDS & IPS, network attacks and countermeasures, routing, and wireless transmissions.
5. Identity & Access Management: The identity and access management domain aims to describe the diverse methods used to control the ways data is accessed. This domain elaborates access control categories, identification, authentication, authorization, identity, and access provisioning.
6. Security Assessment & Testing: This is a crucial domain which offers a far-reaching explanation of the most recent techniques and tools used in assessing a system’s security and identifying the vulnerabilities. This domain teaches penetration testing, disaster recovery, test strategies, security control testing, and much more.
7. Security Operations: The security operations domain illustrates digital forensic and investigations, intrusion prevention and detection tools, firewalls, sandboxing, resource protection techniques, disaster recovery processes and plans, incident management, and change management processes, along with other vital concepts with practical implementation.
8. Software Development Security: This domain teaches how to implement security controls during the entire software development lifecycle. You become familiar with various software development models, risk analysis, auditing, and the identification of vulnerabilities in the source codes of software.
As you can see, the industry is attempting to organize cyber security skills into professional development categories that stand alone without being tied to specific cybersecurity disciplines. If the proper skills are learned and developed, they can be applied to the various security disciplines we commonly associate with program maturity.
What are cybersecurity disciplines to look for in a cybersecurity consultant?
Let’s attempt to list some of these security disciplines. But before we do, it might be beneficial to build a framework that these consulting disciplines are relative to. Here is my attempt:
Policy / Awareness / Standards / Governance / Controls Assurance / Vulnerability / Threat / Incident / Recovery
Some could view this as a spectrum: first the proactive determination of behavior, driven by education and then by security controls; then the development of detection; and finally incident handling and recovery.
It’s important to point out that it would be a mistake to relate this spectrum to the maturity of a program, or to a cybersecurity consultant’s maturity. I’ve personally known some of the best cybersecurity professionals I’ve ever worked with eventually settle into security policy development. This was not done out of ease, but out of drive and passion, because they believed the best risk-return for the business could be achieved there. Nor should a cyber security consultant who specializes in intrusion detection systems be put on a pedestal. Although that deep and vast field requires a range of technical and business skills, it doesn’t necessarily mean they are the best consultant in Minnesota to service your needs.
References
If you think you’ve found a good cybersecurity consultant in Minnesota, there is one more thing you should consider doing before writing up and signing the contract: find some references.
The quickest and easiest way to get a reference is by asking the cyber consultant to provide them. Unfortunately, those are probably the worst references you can get. They don’t provide you with much value because you’re allowing the consultant to hand-pick which references they provide. Chances are almost guaranteed they’re going to pick their best ones. I’m an honest guy, and even I would choose to put my best foot forward here by providing clients I’ve had a positive experience with.
So how do you bridge this gap?
Good thing for you that Minnesota has a tight-knit group of professionals, especially in cybersecurity. We almost all know each other. So by talking to some of your industry friends and contacts, a name is sure to come up quickly. A quick LinkedIn search on your potential consulting candidate is also great. This will show you the connections you have in common. You can then use a connection to reach out and have a quick discussion of what service the consultant performed for your industry contact.
It’s important to scope the conversation to the work they were asked to perform, how well they performed it, and the value the client received from the completed work. Try to stay away from questions like ‘How did you like them?’ Most of us cybersecurity folks, even though we’re called ‘professionals’, are kind of weird. So sometimes people don’t like us. It’s important to focus on the quality of the work more than the quality of the personality.
Conclusion
As you can see, there is a lot that goes into finding the right Minnesota cybersecurity consultant. It can feel overwhelming, and oftentimes companies delay this critical partnership until there is an urgent issue.
By allowing yourself some time to have the right conversations with potential security consultants about their ability to diagnose issues, their industry experience, and their cybersecurity skills, you can ensure that you are successful in this worthwhile pursuit.
Again, here at Asher Security, we’re building a consulting company built on relationships. We’d enjoy the opportunity to help you, even if it isn’t our professionals servicing your needs. As we stated above, Minnesota is a tight-knit group of security professionals. It’s like a big happy family of security geeks. Many of us have known each other for decades and together have contacts across the industry.
I invite you to give us a call and let us know what you’d like help on and we can either try to help you or provide some names of trusted cybersecurity consultants we know and love.
FAQs
I’ve found a cyber security consultant in Minneapolis / St Paul that I like but they want to sub out some of the project work to another consultant. Should I be comfortable with this?
Yes. As we’ve stated earlier, it’s very hard for any one person to be an expert in all areas. Their reaching out to their network shows that they’re willing to share the investment you are making in them with others they know and trust, so that your project can be a success. I’ve personally been a subcontractor on other cybersecurity consulting agencies’ projects. It was a pleasure, as they were upfront with the client, they allowed me to be transparent about having my own practice, and I was able to make new friends.
I feel like the consultant we have is just reselling services to bigger security companies that are not in Minnesota, but might be national. Should I be concerned?
There are two reasons to be concerned. The first is that a good security consultant will be direct and upfront about any reselling or reseller agreements. They should review these with you, and invite the downstream company to be a part of those conversations so that you can all get on the same page and be comfortable with the services being performed. It is a mistake (although tempting) for a cybersecurity consultant to act bigger than they really are.
The second reason to be concerned is if you have a requirement, desire, or company culture that calls for all services to be performed by a Minnesota company. Sometimes these requirements come in based on the state’s designation of minority ownership and similar programs. Review this with your team and make sure your expectations are communicated to the security consultant so that there is not a failure to deliver on your requirements.
How much time should I plan ahead to contact a cybersecurity consultant to when we want to start our project?
A good cybersecurity consultant is like an apple tree: it just keeps producing fruit. But as it was once said, the best time to plant a tree was thirty years ago; the next best time is today.
It’s never too early to reach out and start building your relationship with a cybersecurity consultant. Most of the time, the earlier they can get involved in understanding what you’d like to do, the better and more successful the project can be.
With that said, you should give most cybersecurity consultants about six months’ notice on new relationships, as there are contracts and often NDAs that need to be addressed. Oftentimes the finalizing of the NDA is on the client side and requires time.
If all contracts and agreements are already in place and taken care of, you should plan at least thirty days ahead of time to get proper planning and scheduling in place for important projects.