6 Signs You Need a New Cybersecurity Firm

When you devote yourself to ensuring your company is compliant and not at risk for a data breach, you should count on your cybersecurity firm to do the same.

No matter how skilled and knowledgeable you are, you cannot perform the necessary audits on your own. You need a partner to help you stay compliant. But you don’t want just any audit firm. Only a true partner will help you reach your goal of protecting your company’s data.

Your audit partner should be able to spot any issues quickly and notify you promptly. They should know the latest standards and best practices and keep you apprised of them, as well.

Not all audit firms have the experience and qualifications to run the audits your company needs, nor do they all communicate well. Too often, firms fall short of the quality or level of service that you need.

Here are six signs you need a new cybersecurity firm:

1) Your current cybersecurity firm isn’t keeping up with new regulations and standards.

You need a partner who can help you learn what is required of your business in order to pass the audit. If your auditors don’t know what is required, you need a new audit firm.

For example, if you are in healthcare and need to comply with the HITRUST Common Security Framework (CSF), then you need a firm that is competent in the regulatory requirements from NIST, HIPAA/HITECH, ISO 27001, PCI DSS, FTC, COBIT, CSA Cloud Controls, and the various state-specific regulations that HITRUST CSF unifies. A qualified firm could also assist you with cyber risk programs that are in sync with the HITRUST CSF certification requirements.

Checking for certifications, such as a certified HITRUST Assessor, can help you identify a suitable audit partner. You also can check to ensure the firm’s employees have other certifications that may be relevant to your company and its needs, like Certified Public Accountant (CPA), Certified Information Systems Auditor (CISA), Certified Information Systems Manager (CISM), or Certified Internal Auditor (CIA).

CPA firms that are registered with the Public Company Accounting Oversight Board (PCAOB) are particularly apt to be current with new regulations and standards. PCAOB-registered firms are held to the strictest of auditing standards, meaning they must be at the cutting edge of their practice. In addition to providing you assurance that your audit firm is keeping up with new regulations and standards to maintain their registration, if you have clients who are publicly held, having your SOC audit performed by a PCAOB-registered CPA firm will give your client’s auditors the comfort they need when relying on your firm’s SOC report.

2) You aren’t being treated like a partner.

A true partner treats your needs as their own. They should be just as concerned about your business as they are about your compliance. If your auditors don’t seem to care about either, then you may need a new firm.

For example, your cybersecurity firm should be working closely and collaboratively with you to ensure all service-related risks are addressed with appropriate procedures. They also should have a detailed approach that identifies opportunities for improvement within your operations.

A true partner doesn’t miss the business impacts when focusing on the technical. According to a SearchSecurity.com article on best practices for choosing an outside IT auditor, a business-focused auditor can identify issues which affect your company’s bottom line, such as IT inefficiencies, and show how leveraging IT can enhance product innovation and increase customer retention while improving internal organizational efficiencies.

3) You are worried your firm may be missing something important.

You are already worried about compliance and your audit results. If you are worried about your auditors, you are worrying too much.

You should have confidence that your auditors know what they are doing and have faith in how they are doing it. Involvement by your firm’s most experienced professionals is a good indicator. Leadership should be experienced and involved. You may need a new firm if the partners, directors, and managers of your current one don’t take an active role in each engagement.

Your audit firm should begin an engagement by gaining an understanding of your business. If your firm doesn’t take the time to understand your business, they may not be right for you.

Your audit firm should also have a proven methodology they apply to produce the best results possible. An effective methodology typically includes three phases:

  • Planning and scoping
  • Fieldwork
  • Reporting of results

If your firm is constantly communicating with your personnel in order to acquire the information necessary to complete the engagement objectives, you can be assured your firm is not missing something important.

4) Your cybersecurity firm isn’t quick to respond to your questions or concerns.

You will work closely with your auditor for several weeks, sometimes dealing with sensitive issues and tight deadlines. Your auditors should be timely and responsive when issues arise. If you must wait hours, days, or even weeks for a reply, then you need to change audit firms.

You want a partner who is:

  • a collaborator
  • a good communicator
  • able to speak your industry’s language
  • able to resolve issues as they present themselves

Look for a firm that will work closely and collaboratively with you to ensure all service-related risks are addressed with appropriate procedures.

5) Your auditors seem to lack experience.

Do you feel as if you are not getting what you signed up for when you hired your audit firm? Maybe you were sold on the credentials of the senior partners who pitched you but have only dealt with inexperienced auditors since then?

Sometimes, an audit firm will use one set of personnel to sell an engagement and another to service it, often personnel with less experience and efficiency than you were promised. This may indicate that it’s time to switch auditors.

Look for a firm that provides professionals who each have at least 10 years of relevant experience and appropriate certification. Also, consider the diversity of their experience, such as whether they have previously worked with companies in your industry and of your size. Examining examples of their previous work can be particularly insightful.

6) Your firm hits you with surprise bills.

Many firms quote a low fee with a lot of assumptions and then hit the client with change orders when the work inevitably takes longer. If this is happening to you, then you may want to look for a partner who will work on a fixed fee instead.

When a firm commits to a fixed fee, they are willing to write off any excess time to get the work done properly. In doing so, they likely view any time incurred on top of their fixed fee as a first-year investment in hopes of establishing a long-term relationship with you. This is indicative of a firm looking for a true partnership, not just revenue.

The right audit firm can support your efforts at ensuring your company is compliant and not at risk for a data breach by providing expertise in all relevant areas of audits and assessments. If you don’t know about a particular set of standards, you should be able to lean on them to ensure your company meets the requirements.

You want a strategic partner that is there to advise you and provides an unparalleled level of service, regardless of what you need when it comes to audits and assessments.

If you have spotted any of the six signs above, it is time to switch to a new cybersecurity firm.

Have questions about your audit and assessment needs? Contact us for a free consultation.
