Consultant v Assessor

I know we have been mostly focusing on PCI’s Data Security Standard (DSS) version 4 for the past couple of months, working to put out some initial information on the topic for those who don’t know what questions to start with between themselves and their PCI team members.  For this week I wanted to take a break from PCI, just to give everyone a breather.  We will keep going over v4, and other PCI topics, throughout 2023 (and beyond), but we can’t ignore the other topics worthy of inclusion.

Overall Thoughts

In today’s complicated realm of IT governance, security, and regulation, the need for companies to bring in outside guidance has never been greater.  I am constantly having conversations with people about what they need to be aware of to keep their data protected.  Some of these conversations happen between me and my clients.  Luckily, I have been able to put these discussions off when they come up during a formal assessment period.  This dialogue has gotten me thinking about the need to clarify the differences between my roles as a consultant and as an assessor.

The main differences between a consultant and an assessor

So, what is the difference between the two?  Let us discuss the two individually and see what they each have to offer you.

  • Consultants – A consultant is an independent third party that works as a subject matter expert, or SME.  The subject in which they specialize can vary across many different areas.  The key things to keep in mind regarding a consultant are:
    • Consultants are paid for their expertise/knowledge.  Consultants working in the compliance arena have expertise/knowledge of industry standards.  They are not experts on “your” environment.
    • Good communicators – The consultant should be able to help you understand the industry standards that are relevant and work with your staff to apply them to your environment through a collaborative effort.
    • End goal is to help you.  Their focus is on using their knowledge to assist you in achieving the goals of your company, or at the very least the goals of the engagement they were hired for at the time.
  • Assessor (Auditor) – An assessor is also an independent third party that is an SME.  The similarities of the two end there.  The assessor does exactly as the name implies: they “assess” your environment against a standard, either regulatory or industry, to determine your level of compliance.
    • Assessors are experts in auditing standards, usually in multiple standards, though some do specialize.
    • The assessor should have some broad knowledge of technical architecture and business processes.
    • Probably a good communicator.  I say probably because clear communication while determining compliance is a skill that makes the engagement more enjoyable, but the burden of communicating properly rests more heavily on the shoulders of the entity being assessed, because the company is the one that will bear the brunt of a non-compliant finding.  There are plenty of great communicators working as auditors, so if you happen to work with someone who is not, you are not required to stay with them.
    • Most important thing to note – They are there to determine your compliance with the standard associated with the engagement.  They are NOT there to help solve issues.  Once it becomes a “fix” situation, this falls under remediation and is the role of the consultant (even if it is the same person doing it outside of the assessment).

What should you expect from a consultant?

When working with a consultant, you want to make certain that you coordinate with your management and affected internal staff prior to hiring/selecting the company, and person, that you will be working with on the engagement.  Prior to signing a contract, get everyone internally on the same page and agree on a clearly defined area of need and focus.  Consultants tend to bill by the hour, so making sure everyone is marching in the same direction, so to speak, will save money by reducing the risk that you will change course multiple times within the effort.

However, you also must be open minded throughout the project and accept the notion that things may change based on feedback from your consultant.  If you are not agreeable to the idea of having to do things differently than you had originally planned, you should not have hired a consultant.  It is a waste of money to pay someone to sit back, tell you how great your ideas are, and add nothing else to the conversation.  Any consultant worth the money spent on them should be able to help you grow in some fashion; otherwise they are just cashing in on your lack of understanding.

Even if you have the most technically savvy consultant you can find, do not expect them to be true miracle workers.  What I mean by that is this – if they show up and impress you with a lot of amazing ideas that you have never considered and are not capable of implementing without them, how will you support the changes once they are gone?  It is one thing to have someone who has experienced so many environments throughout their career, seen every option out there in their travels, and is able to solve any problem they come across.  It is something entirely different to find a person who can sit down with your staff, learn your environment and business processes, and come up with solutions that are custom tailored for your needs (and your budget).  Do not be fooled or feel pressured into taking on work that is beyond your company’s capabilities (technical or financial).

Managing the assessor

If you find yourself going through an audit or assessment, let us discuss some behaviors and thoughts to make the process easier for both you and the person working to reach a determination on your state of compliance.  These ideas are based on previous experiences from sitting in the room as a member of internal operations and from the other side of the table as the independent third-party assessor.

Be friendly.  It seems odd to have to state this, but the conversation can get contentious when poring over the details of an environment and other evidence to determine whether everything looks the way it should, based on a standard that is outside the control of anyone sitting at the table.  Remember that most assessors/auditors have no personal interest in the findings, other than it being their day job and a reflection on their personal and professional integrity.  No assessor worth hiring will compromise their own integrity by doing something unethical, so rest assured they will produce reports that accurately reflect what they see throughout the assessment.  You may not see eye to eye on something, but find a way to convey this without crossing the line, and expect them to do the same.

Keep the non-assessment chatter to a minimum and away from hot-button items.  By this, what I mean is don’t say things in front of your assessor that have them questioning why it was said, or whether they have missed something (or worse, whether you are hiding something).  Here are some examples I have heard over the years that caused undue work to prove they were only said in jest:

  • Hypothetical questions – Asking an assessor during the formal engagement about some “situation where we may have done this, knowing it was not ok, but we felt we had to do it anyway.”  This will never be an acceptable conversation.  I am not advocating for you to hide things from your auditor, quite the opposite, but if it really is a true hypothetical – sit on it until after everything is wrapped up.
  • Jokes about poor security and/or business practices – Between evidence reviews it is a bad idea to make jokes about “Joe from accounting who keeps his password to the financial system written on a post-it note stuck to his monitor and what a pain it is to support him because he has admin access to the systems.”  You can probably set the over/under at under 5 minutes before Joe’s desk comes into scope and you need to pay Joe a surprise visit.  Again, even if it is a joke, it is in poor taste and puts your company’s compliance in jeopardy.  Best to save these until afterwards, when jokes are not going to increase risk for you (or just say them internally when the assessor is not around).

Conclusion (What is the big take away from all of this?)

So, what have we determined?  First off, consultants and assessors are mostly the same people, from a skills perspective, while their focus is the opposite of each other.  Consultants are there to augment your knowledge and help you find manageable solutions, while assessors focus on documenting the working details of your environment in a way that shows compliance with the stated standards.  Ideally you will work with a company that has enough people on staff to allow you to negotiate a single contract that can cover all your needs.  I know that among my team at Protiviti we have multiple clients with one person serving as a consultant and someone else working on assessments.

When looking to engage either for work on your enterprise, do the work ahead of time to have a clear direction and understanding of what it is you need to accomplish.  This will save you time and money while increasing the chance of getting a result you are happy with.  When seeking out the person you will be working with, look for a company with a history and track record of providing knowledgeable people who can deliver in the areas where you feel you have the most need.  Once you have decided that you need/want assistance from a third party, do your homework, both from an internal and an external perspective.  Talk to people you trust about who they have worked with previously and ask for contact information.

As always, I hope this tidbit of information gives you a base to have discussions with your internal management about third-party needs within your IT and Data Privacy space.  Feel free to reach out to me directly with questions or to have a conversation via my email and/or social media information on the TBF website. 

Decluttering the IT Sec Alphabet for Data Privacy

With the focus over the past few years on data privacy at the institutional level continuing to gain traction across the globe, it is important for companies to understand how these (potential) changes will affect their IT department.  With that in mind, I thought it good to start with some of the foundational concepts regarding data privacy.  Specifically, what do the key players actually do, assuming they are properly vetted and sourced to fill the correct business needs within the enterprise?  Today I will discuss three of the key leadership positions and the ideals and focus of each – in a perfect (well-funded) IT department.

Chief Technology Officer/Chief Information Officer (CTO/CIO) – The CTO, or in many companies the CIO, is the head of the company’s technical assets

The CTO’s focus should be on making certain that the enterprise is running as smoothly as possible and is set up to support the key business objectives.  Depending on the size of the company, the departments under the CTO umbrella have a wide range of responsibilities, each with some aspect of building and supporting electronic products and/or business processes. In a nutshell, the CTO is the person who translates the executive plans for the company into “technical speak” and controls how the IT-related staff works to support those executive plans.

Chief Information Security Officer (CISO – sounds like See So) – The responsibility of this position is the integrity of the technical systems

The CISO, in most situations, will report to the CTO.  IT security is the primary driving point of this person/department.  Again, depending on the size of the company the title may change some (Director of IT Sec, VP of Cybersecurity, etc.), but the function will remain the same.  A number of companies I work with also “outsource” some of the work to internal operations or third-party companies to manage the day-to-day efforts, while the CISO serves in an oversight and advisory manner.  Where and how the work gets done is less important than making sure that it is done correctly.  This group also tends to be the primary point of contact when working with external auditors/assessors on compliance-related efforts.

Data Privacy Officer (DPO; GDPR uses the title Data Protection Officer) – Tasked with representing the customer’s interest within the environment

This is a relatively new position that is quickly becoming one of, if not the, most important leadership positions in the enterprise.  It also takes a much different approach to its mission.  The Data Privacy Officer’s main focus is on the integrity and management of the customer data.  I know what you may be thinking right now.  “Didn’t you just say that was the job of the CISO?” Well, yes.  I did say something similar to that.  Let us look again.  The DPO’s main focus is on the integrity and management of the CUSTOMER DATA.  There are two subtle differences in approach between a CISO and a DPO.

  1. Customer Data – The DPO’s approach is that of a representative of the customer.  Their job is to make certain that the company isn’t doing anything that places the customer at risk or acts in a way that is outside of the agreed-upon terms between the company and the customer who provided their personal data.  This is a direct response to the focus of privacy acts and regulations popping up around the globe, such as GDPR (EU privacy) and CCPA (California), and the expectation of many more governments passing similar laws.
  2. Hierarchy – Typically the DPO is outside of the IT department.  While they are a technical resource, and require technical knowledge to do their job properly, because they are a voice on behalf of the customer they usually report outside of IT to avoid conflicts or internal pressure that may sway them from doing their job correctly out of fear of losing it.  In larger companies the DPO will report to the legal department.  In companies that don’t have an in-house legal department, they can also report directly to the President/CEO.  Of course, that does not mean there is a need to do a reorg if this isn’t how you have the structure within your company.  If things are working well and the DPO is a rock star – then don’t fix something that isn’t broken.

Conclusion – What does this mean for the data privacy needs of your organization?

To be honest, I cannot give a specific answer on that (without talking to you).  My best suggestion would be to have a round-table discussion with the leadership of your company, confirm that you have someone designated as the “voice of the customer,” and get them trained on how the relevant privacy and security regulations will affect your business operations.  You can also hire a DPO.  According to Glassdoor, the average salary for a DPO (as of Sep 2022) is right at $113,000, ranging up to $277,000.  This is a national average, so cost will vary drastically based on the market.  You can also hire consultants if you are looking to save money on annual spending.  You could probably get a good privacy consultant for a third of the cost of a full-time DPO, who can work with your IT and HR leadership to build, design, and implement your privacy program in a compliant manner across all areas in which you are doing business.

As always, if you have any questions reach out to us via social media or the contact information listed on the website.

Thanks for reading.  Talk to you soon!

Shawn Adams – @TBF_shawn (twitter)