Questions to Ask When Evaluating Cybersecurity Assessments

Cybersecurity is a topic that’s on everyone’s mind these days. With the constant news of data breaches, it can be hard to know what you should do to protect your business and personal information. This article walks through 6 questions to ask when evaluating cybersecurity assessments for your company or organization. These are important questions that every business owner needs to ask before signing up with any cybersecurity assessment provider.

6 Questions to Ask When Evaluating Cybersecurity Assessments

There are many questions to ask when evaluating a cybersecurity assessment. Here are six of the most important:

1) What is the scope?

The first thing you will want to know is the scale of the assessment. Ask what systems will be assessed and how extensive it will be.

  • What systems are being assessed, including network infrastructure, applications, databases, endpoint technologies, etc.?
  • How deep does their cybersecurity evaluation go?
  • Does it cover all layers of information security or just the basics?

The cybersecurity assessment should go deep into your company’s information security. A thorough assessment includes a full review of all layers, from technical controls to physical security to user activity and data policies. The scope should be as wide-reaching as possible.

2) How was it conducted and what were the methods used?

In order to judge whether the cybersecurity assessment was thorough, the provider should describe how they conducted it. Here are some questions you will want them to answer:

  • How are findings flagged for further remediation?
  • What types of reports do you generate, and in what format(s)?
  • How often is this report updated?
  • Will the results be provided to my employees or just to management?

You will also want to know who conducted the assessment. Check their credentials, industry experience and degrees awarded.

3) What type of data, if any, was collected?

When conducting a cybersecurity assessment, be aware that the organization you are working with may collect data about your company or employees. This could include personal information or security information that you would like to keep confidential.

Before signing any contracts, make sure your company understands how much data is being accessed and what it will be used for.

4) Who was interviewed and what about them makes them qualified to assess security risks in this organization or for this industry type?

Ask the provider to list all employees who were interviewed in order to conduct the assessment. These people should be named and have credentials that you can check with your own research.

  • What are their titles?
  • For what industries or organizations have they done assessments?
  • How many years of experience do they have in that industry?
  • What degrees do they have from accredited institutions, if any?

Any employees who were interviewed should have solid experience in the industry you work in. Their titles and locations should match up with their resume information. The more years of experience an assessor has with your industry or type of organization, the better.

Also, ask them to list the degrees that those employees have. This shows that they are well-educated and knowledgeable in their field, which will help to produce an accurate assessment.

5) Was there an independent review process?

Not all cybersecurity assessment providers work alone. There should be a team of people that review and update the information provided. Before signing any contracts, ask who those people are and what they know about your industry or organization.

  • What is their role in the company?
  • How long have they been there?
  • How much experience do they have in the industry you work in, and for how long?
  • Are they certified, accredited or licensed? If so, what are their certifications and accreditations?

Anyone who worked on your cybersecurity assessment should have a degree from an accredited institution and years of experience with your industry or type of organization. These people should all be working together to produce the most accurate assessment possible.

6) Would they be willing to discuss their findings with you?

After signing any contracts, be sure to ask if the cybersecurity assessment providers are willing to discuss their results with you. This will help you understand your company’s security risks and how best to mitigate them. There are no right or wrong answers, just appropriate actions.

After Thoughts

This is a great list of questions to ask when looking for a company that will conduct a cybersecurity assessment. Always ask as many questions as possible and do not sign any contracts until you feel comfortable with all the answers you have been given.

You need to know what information will be collected about your company or employees and how it will be used, as well as who will be working on and reviewing the assessment.

If you do not feel comfortable with any part of it, then look for another company! You always want to make sure that you know what is going on and that the information being used is accurate and up-to-date.

Always keep in mind that these 6 questions are just a guide and every company is going to have a different way of doing things. As long as you get the answers you need, it does not matter who or how they do it.
