The Australian cyber security industry has grown significantly in response to rising demand. Hundreds of providers — from large consulting firms to boutique specialists — now offer services under the cyber security banner. Quality varies enormously, and it is difficult to evaluate without relevant expertise.
Start With Outcomes, Not Products
Proposals heavy on product names and light on processes are a warning sign. Security is not delivered by tools — it is delivered by skilled people using tools well. A provider who leads with what they deploy, rather than what they achieve and how they work, is likely more focused on reselling products than on delivering security.
Questions Worth Asking
Who will actually manage our account — the person who won the business or someone more junior? How do you handle incidents — specifically, what is the after-hours response process? Can I see a sample monthly report? How do your team members stay current with the threat landscape?
Qualifications That Matter
For individual practitioners: OSCP, CREST, CISSP, or relevant Microsoft security certifications. For organisations: CREST accreditation for penetration testing engagements, ASD partnership recognition, or ISO 27001 certification. Government procurement panel inclusion (DTA cyber security panels) provides some baseline quality assurance.
Red Flags
Guaranteed outcomes — "no breaches" or "complete protection" — that no credible security professional would offer. Unwillingness to provide references from comparable clients. A proposal that does not reflect genuine understanding of your environment. Pressure to sign quickly before you have had time to evaluate alternatives.
Should we use our existing IT provider for cyber security?
Many IT providers offer security services, and integration has operational advantages. Evaluate their security capability specifically — security is a distinct discipline from general IT management. Be aware of the inherent conflict of interest in asking your IT provider to assess the security of the environment they manage.


