Consulting® FEBRUARY 2016 17
ultimately, a security-awareness increase amongst
CONSULTING: WHAT TYPES OF CYBERSECURITY OFFERINGS ARE YOU DELIVERING?

Jared Hamilton: Addressing cybersecurity risks involves four major phases, including assessment, design, implementation, and maintenance. Crowe’s cybersecurity services provide consulting across each of these four phases. Through our assessment services, we can identify overarching trends from risk management and compliance gaps, down to deep technical issues discovered from network penetration testing. We can then help design a remediation plan which prioritizes top risks, as well as assist with the implementation of the plan by enhancing or introducing new people, process and technology controls. Finally, we provide continuous IT security assistance through the management of specific programs such as third-party or vulnerability management, up to and including co-sourcing or full IT security outsourcing to experienced security

CONSULTING: WHAT ARE THE BIGGEST CHALLENGES CYBERSECURITY PRACTICES AND CONSULTANTS NEED TO ADDRESS? HOW ARE YOU ADDRESSING THESE ISSUES?

Raj Chaudhary: Consultants confront the same challenges that our clients face—keeping pace with the new threats and advanced techniques used by hackers to exploit our clients’ systems. We subscribe to different threat intelligence sources across multiple industries to keep up, and this helps us service our clients better.

CONSULTING: AMONG THE FIVE ATTRIBUTES YOU IDENTIFY IN YOUR PAPER, WHICH DO CLIENT COMPANIES TYPICALLY NEED THE HIGHEST LEVEL OF CONSULTING HELP TO ADDRESS?

Jared Hamilton: Attribute One: An Effective Framework—companies are putting a lot of effort and finances into addressing cybersecurity risks, but they are generally lacking organization and focus. The best efforts currently involve handling day-to-day fires and issues, but companies often lack an overall strategic plan or way to measure their success, or lack thereof. Questions such as “What should be addressed first?” or “How secure do we need to be?” often crop up when there is not an effective security framework in place. A framework helps organize efforts and provide the foundation to provide metrics to ensure an organization is identifying and meeting its risk management goals. —E.K.

Given this need to customize, some cybersecurity consulting leaders emphasize the importance of a couple of surprising qualities as the demand for their services soars: self-knowledge and patience. Lee says it is crucial to remember what his firm does and does not do. If a happy client asks Grant Thornton to provide managed security, “We would immediately and candidly say, No, but here are three names that we’d recommend,” Lee notes.

EY, on the other hand, does provide a managed security service. “But we don’t want to build managed security for 100 clients when we know that in this year, we can probably do it for 20 [companies] and do it very well,” says Allan. “…I think it is a mistake to think that, in order to meet margin, you have to create a solution and then to sell it many times over. The nature of cyber security is so bespoke, that the solutions also have to be.” ■