The 4 Questions You Need To Ask When Purchasing Cybersecurity Professional Services
A professional services engagement can be critical for companies looking to successfully implement cybersecurity. From solutions to vendors, new cybersecurity solutions contain a lot of complexity and variables, and many IT teams don’t have the time or capacity to handle them entirely themselves. That makes a professional services engagement a necessary investment, which means you need to ask firms the right questions to ensure everything goes smoothly and you maximize your value.
What are professional services?
Let's level set!
Professional services are services a person or organization provides to a customer in which they share in-depth knowledge of a particular topic (or topics), typically to help that customer manage or improve a specific area of its business.
Think of Aaron Rodgers (future hall of fame quarterback now tasked with the impossible - making my New York Jets a contender again) running a football camp. In this example, he would provide professional services on what to focus on as a quarterback and how to improve. He is a person with in-depth knowledge of a particular topic. The topics vary from industry to industry. In cybersecurity, organizations (or individuals) and vendors (or consultants) can offer professional services. Those services equip customers with expertise, advice, and support to effectively plan, implement, or manage their cybersecurity solutions.
In this article, I will focus on vendors who offer a product or service AND sell (or give) professional services to help you get the most out of their offering.
Why are professional services critical for cybersecurity?
Over the last decade, nearly every organization has seen its attack surface (basically all the ways into your organization’s network) dramatically change and rapidly grow. This growth has increased cyber risks for businesses, which has in turn increased the number of cybersecurity threats a company has to address. Cybersecurity is big business, with revenue in the global market forecast to be $273 billion by 2028. Looking around today, I counted 32 cybersecurity domains, including attack surface management, proactive security, cloud security, API security, data security, and threat intelligence. With more cybersecurity domains, more organizations are trying to address these issues. It seems like I learn about a new cybersecurity vendor or advisory firm every week. The macroeconomic environment may be challenging, but there are plenty of companies offering new technologies or services to:
Provide better visibility into and monitoring of Internet-connected assets for potential attack vectors and exposures
Protect systems, applications, networks, and data
Test the defenses of an organization to a greater degree
Implement more effective and efficient policies, processes, and plans for security programs
Improve the quantification of cyber risk
Fully outsource the security function
Many of these innovations are not straightforward, reflecting the complicated nature of defending an organization from the vast array of cyber threats. So, the companies providing them will typically include a suggested professional services engagement, whether baked into the solution fee or offered at an additional cost. When delivered with high quality, these engagements can ensure you extract the most value from your purchase.
But how do you make sure that happens? Ask the right questions before you sign on the dotted line. Here are the four key questions you should start with.
1. What are the success criteria for this engagement?
Defining success criteria is the most crucial part of your professional services engagement; hence, you must come to a satisfactory agreement from the get-go. If you’re choosing a hill to die on, this is it. Before you do anything, determine what is needed to make you happy. What do you want (and need) to get out of this engagement? Once you know this, then (and only then) can you start to evaluate a vendor’s professional services offering.
Take a vulnerability management solution, for example. What constitutes a successful deployment? Is 80% coverage of your assets sufficient, or do you require 100% coverage? What will meet your expectations? But I advise you to go beyond meeting expectations; like I noted above, what will make you happy? Start there. Yes, you need to ensure your expectations are aligned with the vendor’s ability and in line with reality, but you should know what you want.
Once you have your success criteria in mind, then start to have conversations with the vendor. These conversations are your prime opportunity to align with them on what success looks like for each stage of the engagement.
Use these discussions to confirm whether the engagement will be result-oriented or time-oriented. Result-oriented engagements are designed to deliver a specific outcome (or outcomes), regardless of how long that takes. In contrast, time-oriented engagements are designed to provide a set amount of professional services time without committing to set outcomes. Each option has pros and cons; knowing which suits you and agreeing on it beforehand is key.
In summary, you must have your final goal in mind to be confident you’ll get the most out of the professional services engagement and, ultimately, be happy with the product or service you purchased!
2. What level of participation do you need from my team?
Professional services engagements for cybersecurity can cause businesses to sink into “sit back, relax, and enjoy the show” mode. It’s logical to think that if you engage someone to install software to defend your business, it’s because you don’t have the team to do it yourself, and therefore, the hired team does the work, not you. This may even be the case for some engagements.
But the reality is that many, if not most, will require at least some active participation from you or your team. Your team knows your business solutions, and the professional services team knows its business solutions, so your project has to be a collaboration. But how much of a collaboration? That’s what you need to figure out ahead of time, down to the personnel and hours necessary. Ask questions like:
What level of access needs to be provided and when? (such as in the deployment of agents for a Managed Detection and Response (MDR) solution)
What documentation or knowledge needs to be supplied, and when? (such as the scope and timing of a penetration test to ensure you’re not surprised by any of its activity)
What approvals need to be granted, and when? (to ensure your leadership is aware that the security solution is being implemented in production and there’s a roll-back plan in place in case of any issues)
In summary, determining the required level of participation from your team and validating its details ensures the engagement will be completed successfully and on schedule and minimizes unforeseen logistical issues.
3. When should the engagement be completed?
Now that you’ve confirmed the outcome of the engagement and what’s needed from you to make that happen, dig into a timeline. From the beginning, you need to learn exactly how long it will take to finish and why. I recommend pushing the professional services team for a best-case and a worst-case estimate, along with the assumptions attached to each. Here’s why.
A best-case scenario speaks for itself. It’s a blueprint for your engagement being flawlessly executed — and identifying it is an opportunity for you to push the firm on how and why they believe they can meet that deadline.
A worst-case scenario is something to work through. This scenario might cause you to miss a critical deadline for something else, like meeting compliance requirements or adhering to a security framework. If that is the case, relay your concern to the vendor or firm immediately so that you can determine what needs to change about this project for you to meet all your critical deadlines. You might need to modify the success criteria or change your team's participation level.
Pro-Tip: One final component of the timeline to keep in mind is time-to-value. If the professional services engagement is expected to deploy or implement a product, ask for the expected time-to-first-value (e.g., when the first asset will be prioritized and monitored as part of an attack surface management solution). You don’t just want to know when the engagement will be successfully completed — you also want to know when you can start reaping the benefits of your purchase and when you’ll begin to have some quality data to report on the return on your investment.
In summary, you want to know the expected time to completion early on to understand its impact on other deadlines and help determine if you need to modify the success criteria or change your team's participation level.
4. When does the contract expire, and what happens after that date?
Ideally, as soon as you’ve signed a contract that includes professional services, there’s a kickoff call, and everyone hits the ground running. In reality, things tend to be different.
There will be dependencies with the vendor’s product or service that will hinder deployment, such as a requirement that your team perform specific tasks to get the environment ready for deployment. The resources you committed to the engagement only have so much time and bandwidth. Plus, they have other priorities. All of which can delay the engagement.
Complications are common; you must know your contract’s expiration date and what happens afterward. Will your time with the professional services team be forfeited? Can you extend it? If so, what is the extension fee? This will help you schedule your other priorities accordingly. You might need to negotiate with the vendor on the contract’s expiration date or what happens once it has passed.
In summary, you must understand all of the terms and timing of the contract to ensure you get the most value from your professional services engagement.
I asked the four questions: Am I done?
The four questions above are critical to ask when beginning a professional services engagement with a cybersecurity vendor. Whether it’s part of another purchase or for an additional cost, validating the engagement’s success criteria, the level of participation needed from your team, when it is scheduled to be completed, and what happens after the contract expires will help ensure you’re set up to extract optimal value, see the benefits of delivery promptly, and face no (or, at most, minimal) surprises throughout the process.
As important as these questions are, they're just the start. You’ll also want to dig into the communication cadence you should expect, the deliverables (e.g., reports, presentations, debriefs) you’ll receive, and how the engagement will be conducted (i.e., onsite or remotely), amongst other topics. With the security landscape ever-evolving but budgets still constrained, we can’t afford to put the successful implementation of new technologies or services at risk. Ask the right questions before signing on the dotted line to avoid that risk.
If you aren't going all the way, why go at all? So let’s get out there and share this article like there is no tomorrow!