An Insider’s Perspective on Choosing a Security and Compliance Partner That Is Right for Your Business

A few things to consider when choosing a consulting firm partner.

At risk3sixty, we interact with a lot of prospective customers who want us as a security consulting partner. Some firms ask great questions and have a clear understanding of what they are looking for. Others need a little more help figuring things out.
Security, privacy, and compliance are complex topics, too. Customers often face two challenges:
  1. Understanding the requirement they are trying to tackle.
  2. Trying to differentiate which provider is likely going to be the best partner for the job.
And, of course, customers need to make quick decisions with a high degree of confidence, not to mention within a budget the company can live with.
It’s no easy task.
We also realize that there is no clear guide to selecting a consulting firm partner. As insiders, we are well equipped to build a guide to simplify the process.
So, if you are trying to choose a consulting firm partner, here are the hard questions you should ask to cut through the sales pitch.

Five Things to Consider When Selecting a Security Partner

1. Does the Firm Understand Your Needs?

The first thing to consider is whether the consulting firm partner does a good job of understanding your specific needs. They should also walk you through an engagement process that makes sense.
Consider whether they are pushing a product or creating a solution that makes sense for your business.
You have an idea of what you are looking for, so explain it to them and ask them to reiterate their understanding of your needs. If you are a subject matter expert, you may want to play a bigger role in designing a custom solution for your firm. The consulting firm should do a good job making recommendations and providing insight based on what worked for other clients.
If you aren’t sure exactly what you need, describe your problem and ask for a recommendation on how to solve it. The key is to clearly communicate your desired end-state. A good consulting firm partner should be able to fill in the gaps and rely on a proven process.
In either case, you should feel comfortable that the agreed-upon process will meet your needs and that the firm did a good job helping you design a process.

2. The Resumes of the People Staffed on Your Project

During the sales process, you may be interacting with a salesperson or high-level partner that either has no influence on the execution of the work or will be completely disconnected from the process. As a result, what you agreed to during the sales cycle versus what is provided to you once the work begins might be different.
This happens because many firms have dedicated sales teams or firm partners responsible for sales. They then pass clients on to delivery teams. If the transition process between the sales and delivery teams is weak, there may be major quality problems upon delivery.
To avoid these issues, here are a few fair questions to ask:
  • What is the handoff process between sales and delivery? How do you ensure the delivery team has all the right information?
  • Who will be executing my engagement? Can I have their resume? What percentage of time will each person staffed on my project be working on my engagement? (Be wary of firms that provide great resumes of people who will not have a significant role in your engagement).
  • How many other engagements are my project team working on at that same time? Do they have the time to learn my business and meet my needs?
At risk3sixty, we are completely transparent with the specific individuals who will be executing your project, their resumes, and relevant qualifications. This way, our clients can be confident that their project team has the knowledge, skills, and availability to execute the project.

3. Project Plans and Status Reporting

One thing that rarely comes up during the sales process is how the consulting firm plans to ensure they keep your project on track. Security and compliance projects are complex and often span many months or years.
As a result, the consulting firm should have a well-thought-out process to keep your team updated as the project progresses.
Here are a few things to ask:
  • Will I get a detailed project plan upfront?
  • How will you ensure our project stays on track? What is the status reporting process?
At risk3sixty, project plans and due dates are sacred commitments. To name a few ways we handle project management, we:
  • Provide a detailed project plan before the project starts and in our welcome package
  • Provide real-time status in our tool, Phalanx (just log in and check out the project plan)
  • During project kick-off, we set up standing status report meetings to discuss any hot topics or project risks
  • Send detailed status reports every Friday (we call it “Status Report Friday”)

4. Example Deliverables

It shouldn’t be out of bounds to request example deliverables. If examples are proprietary, it may not be workable to send them over via email, but a screen share is always fair game.
If the firm cannot provide an example of prior work, it may be cause for concern.
I am a big fan of “show me” over “tell me”. At risk3sixty, we are always happy to show off our example reports, detailed project plans, status reports, example policies and procedures, and other prior deliverable types.

5. References

Sometimes the best way to understand if a consulting firm partner is the right partner is to hear it directly from other clients.
Here are a few questions to ask:
  • Request that the consulting firm partner help arrange a meeting with at least one reference. They shouldn’t just provide the reference. They should help set up the meeting.
  • Request that the reference be in a similar industry and have a project similar to yours. It is best to have an apples-to-apples comparison.
One of our favorite statistics at risk3sixty is that 100% of our clients are willing to be referenced. We are proud that our clients are willing “to go to bat” for us, and it is because they know we are willing to do the same for them.

Let’s Get Started

Hopefully, you are reading this blog post because you are considering risk3sixty as a consulting firm partner. If that’s the case – please send us an email or fill out a contact form. We usually respond on the same day!
Questions about policies or compliance and where to start? Contact us here! We’d love to chat with you and see how risk3sixty can meet your organization’s needs.
