The SMB Guide to Working With IT Security Consultants
Sooner or later, most small businesses need outside help with cybersecurity. Maybe it’s for an assessment, incident response, or implementing controls you can’t manage yourself.
The challenge: you’re hiring someone to do something you don’t fully understand. How do you know if they’re good? How do you avoid getting ripped off?
Here’s what I’ve learned from both sides of that relationship.
When Do You Actually Need a Consultant?
Good reasons to hire help:
- You’ve had (or suspect) a security incident
- Compliance requirements demand it (Essential Eight assessment, ISO 27001)
- You’re starting from scratch and need a roadmap
- You have specific technical needs beyond your team’s capability
- A client or insurer is requiring a security assessment
Reasons that might not justify the cost:
- “We should probably do something about security” (start with free resources first)
- You want someone to check a box without actually improving security
- You think a consultant will magically fix cultural or process issues
What Types of Consultants Exist?
Generalist IT/MSP with security services: Your existing IT provider might offer security assessments and implementation. Pros: they know your environment. Cons: they might not have deep security expertise, and there’s a conflict of interest if they’re assessing their own work.
Specialised cybersecurity consultants: Dedicated security firms with expertise in assessment, architecture, and strategy. More expensive but deeper expertise.
Penetration testing specialists: Focused specifically on finding vulnerabilities through simulated attacks. You need basics in place first - no point paying someone to tell you that MFA isn’t enabled.
Virtual CISO services: Ongoing strategic security leadership without hiring full-time. Good for businesses that need guidance but not hands-on implementation.
Incident response specialists: Called when something’s gone wrong. Often available through cyber insurance panels.
How to Find Good Consultants
Ask your network. Talk to other business owners who’ve used security consultants. What was their experience? Would they use them again?
Check qualifications. Look for:
- CREST certification (for penetration testing)
- CISSP, CISM, or similar credentials
- Industry experience relevant to your business
- ASD/ACSC certifications for government work
Credentials aren’t everything, but they indicate baseline competence.
Request references. Any reputable consultant should be able to provide references from similar clients. Call them. Ask specific questions about value delivered.
Verify insurance. Professional indemnity insurance protects you if they make a mistake. Ask for evidence.
Red Flags to Watch For
They recommend expensive solutions without understanding your business. A good consultant asks questions before making recommendations. If they’re pushing specific products in the first meeting, be wary.
They can’t explain things in plain English. Security can be technical, but a consultant who can’t communicate to non-technical leadership isn’t useful for you.
No clear scope or deliverables. “We’ll assess your security and provide recommendations” is vague. What specifically will they look at? What will you receive?
They guarantee outcomes. Nobody can guarantee you won’t be breached. Anyone who promises that is lying or doesn’t understand security.
Pricing is way out of market. Security consulting in Australia typically runs $150-400/hour depending on seniority and specialisation. Much lower might indicate inexperience; much higher needs justification.
They try to create fear. Yes, cyber threats are real. But a consultant who’s primarily selling fear rather than practical solutions isn’t serving your interests.
Setting Up for Success
Be clear about your objectives. What do you want to achieve? Compliance with a specific standard? A prioritised list of improvements? Understanding of your current risk posture?
Define the scope in writing. Which systems, locations, and people are included? What specifically will they assess or implement? What’s the timeline?
Agree on deliverables. What will you receive at the end? A written report? A presentation to leadership? Implementation of specific controls? Ongoing support?
Clarify communication expectations. How often will you hear from them? Who’s your point of contact? How quickly will they respond to questions?
Establish pricing and billing. Fixed price vs. hourly? What triggers additional charges? How are expenses handled?
Working With Your Consultant
Provide access and information. They can only assess what they can see. Delays in providing access cost money (yours) and slow progress.
Be honest about your current state. Don’t hide problems or exaggerate capabilities. They’re there to help, and they’ve seen worse than whatever you’re dealing with.
Involve the right people. If they need to interview staff, access systems, or understand processes, make those people available.
Ask questions. If you don’t understand something, ask. A good consultant will explain. A bad consultant will obfuscate.
Push back when needed. Consultants should adapt recommendations to your reality. If a recommendation doesn’t make sense for your business, discuss it.
Getting Value From Deliverables
A security assessment report is only valuable if you act on it.
Don’t expect perfection. The report will identify issues. That’s the point. A report that finds nothing means either the assessment was too shallow or the consultant isn’t being honest with you.
Prioritise realistically. You probably can’t fix everything at once. Work with the consultant to identify what matters most and what can wait.
Build a roadmap. Turn recommendations into a plan with timelines, responsibilities, and budgets.
Schedule follow-up. Three to six months after the assessment, revisit. What’s been implemented? What’s still outstanding? Do you need another assessment?
After the Engagement
Document what was done. Keep records of assessments, findings, and actions taken. This matters for insurance, compliance, and future planning.
Maintain the relationship. If the consultant was good, keep them on your radar for future needs. Security is ongoing, not a one-time project.
Evaluate the value. Did you get what you paid for? Would you use them again? Your assessment helps refine future hiring decisions.
The Cost Question
Security consulting isn’t cheap, but consider it against:
- The cost of an incident you could have prevented
- The cost of trying to figure it out yourself and getting it wrong
- The cost of losing a contract because you couldn’t demonstrate security maturity
For many businesses, a few thousand dollars on a good assessment prevents far larger losses.
That said, be strategic. You don’t need the most expensive consultant or the most comprehensive assessment. You need the right level of help for your current needs.
Start with the basics. As you mature, you can invest in deeper assessments and more sophisticated help.
The goal is finding partners who genuinely help you improve security, not just generate impressive-sounding reports that gather dust.
Good consultants exist. With the right approach, you’ll find them.