I know we have been mostly focusing on PCI’s Digital Security Standard (DSS) version 4 for the past couple of months, working to put out some initial information on the topic for those who don’t know what questions to start with between themselves and their PCI team members. For this week I wanted to take a break from PCI, just to give everyone a breather. We will keep going over v4, and other PCI topics throughout 2023 (and beyond), but we can’t ignore the other topics worthy of inclusion.
Overall Thoughts
In today’s complicated realm of IT Governance, Security, and Regulations, the need for companies to bring in outside guidance has never been greater. I am constantly having conversations with people about what they need to be aware of to keep their data protected. Some of these conversations happen between me and my clients. Luckily, I have been able to put these discussions off when they come up during a formal assessment period. This dialogue has gotten me thinking about the need to clarify the differences between my roles as a consultant and as an assessor.
The main differences between a consultant and an assessor
So, what is the difference between the two? Let us discuss the two individually and see what they each have to offer you.
- Consultants – A consultant is an independent third party that works as a subject matter expert, or SME. The subject in which they specialize can vary across many different areas. The key things to keep in mind regarding a consultant are:
- Consultants are paid for their expertise/knowledge. Consultants working in the compliance arena have expertise/knowledge of industry standards. They are not experts on “your” environment.
- Good communicators – The consultant should be able to help you understand the industry standards that are relevant and work with your staff to apply them to your environment through a collaborative effort.
- Their end goal is to help you, and their focus is on using their knowledge to assist you in achieving the goals of your company, or at the very least the goals of the engagement they were hired for at the time.
- Assessor (Auditor) – An assessor is also an independent third party that is an SME. The similarities between the two end there. The assessor does exactly as their name implies: they “assess” your environment against a standard, either regulatory or industry, to determine your level of compliance.
- Assessors are experts in auditing standards, usually across multiple standards, though some do specialize.
- The assessor should have some widespread knowledge of technical architecture and business processes.
- Probably a good communicator. I say probably because the ability to fully communicate and determine compliance is a skill that makes the engagements more enjoyable, but the requirement to properly communicate rests more heavily on the shoulders of the entity being assessed. The reason for this is that the company will bear the brunt of a non-compliant finding. There are plenty of people who are great communicators working as auditors, so if you happen to work with someone who is not, you are not required to stay with them for any reason.
- Most important thing to note – They are there to determine your compliance with the standard associated with the engagement. They are NOT there to help solve issues. Once it becomes a “fix” situation, this falls under remediation and is the role of the consultant (even if it is the same person doing it outside of the assessment).
What should you expect from a consultant?
When working with a consultant you want to make certain that you work with your management and affected internal staff prior to hiring/selecting the company, and the person, that you will be working with on the engagement. Prior to signing a contract, you should get everyone internally on the same page and agree to a clearly defined area of need and focus. Consultants tend to bill by the hour, so making sure everyone is marching in the same direction, so to speak, will save money by reducing the risk that you will change course multiple times within the effort.
However, you also must be open minded throughout the project and accept the notion that things may change based on feedback from your consultant. If you are not agreeable to the idea of having to do things differently than you had originally planned, you should not have hired a consultant. It is a waste of money to pay someone to sit back and tell you how great your ideas are and add nothing else to the conversation. Any consultant worth the money spent on them should be able to help you grow in some fashion; otherwise they are just cashing in on your lack of understanding.
Even if you have the most technically savvy consultant you can find, do not expect them to be true miracle workers. What I mean by that is this – If they show up and impress you with a lot of amazing ideas that you have never considered and are not capable of implementing without them, how will you support the changes once they are gone? It is one thing to have someone who has experienced so many environments throughout their career, seen every option out there throughout their travels, and is able to solve any problem they come across. It is something entirely different to find a person who can sit down with your staff, learn your environment and business processes, and come up with solutions that are custom tailored for your needs (and on your budget). Do not be fooled or feel pressured to take on work that is beyond your company’s capabilities (technical or financial).
Managing the assessor
If you find yourself in a situation where you are going through an audit or assessment, let us discuss some behavior and thoughts to make the process easier for both you and the person working to find a determination on your state of compliance. These are some ideas that are based on previous experiences from sitting in the room as a member of internal operations and from the other side of the table as the independent third-party assessor.
Be friendly. It seems odd to have to state this, but there have been times when the conversation has gotten contentious when poring over the details of an environment and other evidence to determine if everything looks the way it should, based on a standard that is outside the control of anyone sitting at the table. Remember that most assessors/auditors have no personal interest in the findings, other than that it is their day job and reflects on their personal and professional integrity. No assessor worth hiring will compromise their own integrity by doing something unethical, so rest assured they will produce reports that accurately reflect what they see throughout the assessment. You may not see eye to eye on something, but find a way to convey this without crossing the line, and expect them to do the same.
Keep the non-assessment chatter to a minimum and away from hot button items. By this, what I mean is don’t say things in front of your assessor that have them questioning why it was said or whether they have missed something (or worse, whether you are hiding something). Here are some examples I have heard over the years that caused some undue work to prove they were only said in jest:
- Hypothetical questions – Asking an assessor during the formal engagement about some “situation where we may have done this, knowing it was not ok, but we felt we had to do it anyway.” This will never be an acceptable conversation. I am not advocating for you to hide things from your auditor, quite the opposite, but if it really is a true hypothetical – sit on it until after everything is wrapped up.
- Jokes about poor security and/or business practices – Between evidence reviews it is a bad idea to make jokes about “Joe from accounting who keeps his password to the financial system written on a post-it note stuck to his monitor and what a pain it is to support him because he has admin access to the systems.” You can probably set the over/under at under 5 minutes before Joe’s desk comes into scope and you need to pay Joe a surprise visit. Again, even if it is a joke it is in poor taste and puts your company’s compliance in jeopardy. Best to save these until afterwards, when jokes are not going to increase risk for you (or just say them internally when the assessor is not around).
Conclusion (What is the big take away from all of this?)
So, what have we determined? First off, consultants and assessors are mostly the same people from a skills perspective, while their focus is the opposite of each other. Consultants are there to augment your knowledge and help you to find manageable solutions, while assessors focus on documenting the working details of your environment in a way that shows compliance with the stated standards. Ideally you will work with a company that has enough people among their staff to allow you to negotiate a single contract that can cover all your needs. I know that among my team at Protiviti we have multiple clients with one person serving as a consultant and someone else working on assessments.
When looking to engage either for work to be done on your enterprise, do the work ahead of time to have a clear direction and understanding of what it is you need to accomplish. This will save you time and money, while increasing the chance of you getting a result you are happy with. When seeking out the person you will be working with, look for a company with a history and track record of providing knowledgeable people who can deliver in the areas where you feel you have the most need. Once you have decided that you need/want assistance from a third party, do your homework, both from an internal and an external perspective. Talk to people you trust about who they have worked with previously and ask for contact information.
As always, I hope this tidbit of information gives you a base to have discussions with your internal management about third-party needs within your IT and Data Privacy space. Feel free to reach out to me directly with questions or to have a conversation via my email and/or social media information on the TBF website.