Who would have known that the title of one of the late, great Kenny Roger’s most successful hits would be applicable to the world of professional services, particularly HITRUST? As a ten-year veteran in the cyber, risk management and compliance consulting world, I have built HITRUST sales, marketing, and delivery strategies from the ground up. With more than 300 assessments under my belt, I may have overseen more HITRUST assessments than most other people on the planet. I’ve also served on the HITRUST Assessor, Marketing, and Quality councils, most since their inception, and have over a 10-year relationship with HITRUST as an organization. I’ve worked closely with small customers, up to the largest hyper-scale cloud service providers in the world and witnessed their experiences first hand as they navigated their way through their HITRUST journeys.
I write this not to speak of myself, but rather to build your confidence in the fact that I know the HITRUST marketplace as well as anyone in the professional services arena. With that in mind, my objective for this white paper is to educate you on one of the most important decisions you’ll face when starting, or even continuing, your HITRUST journey: choosing your External Assessor. From this point forward, I’ll walk you through a series of factors to consider when choosing your Assessor.
Methodology & Experience. Though all Assessor firms undergo the same HITRUST training and qualification process, this certainly does not mean they all are created equally. Look for an assessor firm with an experienced team and a proven process for performing your assessment. As the organization being assessed, it’s imperative that you understand your Assessor’s proposed approach. Be wary of Assessors pushing workloads to your organization as a way to compete better on price. Also, be aware of vague proposals that prevent you from comparing apples to apples, understanding the responsibilities associated with the engagement, and the specific deliverables to be expected. Your chosen partner should be able to speak confidently about the process and interject proof points that speak to their credibility and experience. Don’t make the mistake of choosing one price and a pretty slide deck.
Be cautious about working with a firm that is simply trying to “check the box” without discussing the development of your cybersecurity initiatives or the overall health of your information security and privacy posture.
Assessor Quality. Not all Assessor firms, even those with extensive experience, have delivered consistent quality. A good question to ask when determining the level of quality delivered by the HITRUST Assessor is dependent on whether the firm is on the HITRUST Quality Council. Firms that represent the HITRUST Quality Council have been selected for a reason, they’ve demonstrated quality in their assessment work and are committed to the continued quality of the Assessor Program.
Though it may be difficult to find the answer, you should be asking if your partner has been subject to a HITRUST quality investigation? Do they have strong client satisfaction scores? How do they monitor client satisfaction? These are critical questions to ask.
Quality is not something that comes during the last minute of an engagement; rather, it’s embedded throughout an engagement. This attention to quality only comes with experience.
For additional information on selecting an Assessor that focuses on quality, see what Jeremy Huval, Chief Compliance Officer at HITRUST, has to say on this topic.
Understand Pricing Strategies. Many assessment firms use blended bill rates as opposed to rate cards on fixed-price engagements. Under this pricing model, it’s very possible for a junior consultant to be billed at a much higher “blended rate”. This increases your cost on an engagement, while simultaneously padding the margins of your assessor. Practically speaking, you wouldn’t pay a paralegal the same fee as an attorney, so why pay a junior assessor the same fees as a manager? The short answer is you shouldn’t, but you probably are, unless your Assessor is transparent with their pricing model.
Another tactic I’ve been seeing lately is Assessor firms trying to convince their prospective customers to increase the number of regulatory factors as a way to increase scope and fees. Be careful and select only what you need.
Comparing Apples to Apples. The bidding process may sound simple, but it’s incredibly difficult when comparing multiple proposals, each with varying levels of ambiguity and subjectivity. For example, what the marketplace has defined as a “Facilitated Self-Assessment” or a “Readiness Assessment” differs dramatically from one Assessor to another. Some will go the full distance of reviewing and documenting all requirements and performing full testing, others will perform more of a gap assessment, while other Assessor firms will only assess at the control objective level. These may all appear to be the same services in a proposal, when, in fact, they each require drastically different levels of effort and run the gamut of being highly beneficial to providing very limited value. More importantly, an approach that is budget-friendly and lacks depth may actually create a false sense of being “certification ready”. Each approach has a time, place, and use case, but being an informed buyer can significantly impact your budget and contribute to the overall success in achieving HITRUST CSF certification.
Bait and Switch. The bait and switch approach doesn’t just apply in retail, It also applies when selecting an Assessor. As a buyer, you’ve seen it before. The savvy salesperson, the eloquent slide deck, the colorful proposal, and of course, the highly experienced assessment team. Is what you are seeing pre-sale truly what you’ll experience post-sale? Maybe not. In my experience, it is best to require your Assessor to include the names of the Assessor team in the proposal. If they can’t commit named resources to you, why should you commit dollars to them? This will solve the bait and switch problem.
It is incredibly important for you to work with an experienced assessment team with a proven track record. Flaunting a CCSFP certification is nowhere near enough and selecting based on an organization’s name could be a big mistake. Unlike the AICPA world, the name of your assessor isn’t displayed in your HITRUST report, so there’s no need to spend more on a name. Succinctly put, experience and reputation are far more valuable. The team you are partnering with should be dedicated to HITRUST assessments and be well qualified, particularly since you’ll be partnering with them for several months and making a significant investment.
Combined Service Offerings at a Premium. Have you ever bought a combo meal from your favorite fast-food joint? Of course, you have. The combo provides us with our three basic needs: a sandwich, fries, and a drink. You probably also noticed that buying the ever-so-easy combo meal is less expensive than buying each item individually, right? So why would using an Assessor firm to deliver multiple engagements (say SOC, HIPAA, and HITRUST) incur a premium?! There are only so many controls in the universe aimed at threat-thwarting, vulnerability mitigation, and cyber maturity. And a good chunk of them are found in the regulations, standards, and frameworks that we, as information security and privacy professionals, live and breathe every day. The fact is, when you are undergoing an identically scoped assessment with multiple reporting outcomes, you absolutely deserve a price reduction!
HITRUST as a Result of a SOC? Again, I’ve seen it dozens of times, organizations being led to believe that it makes perfectly good sense to start with a System and Organization Controls (SOC) examination, then leverage that effort downstream for HITRUST. When the scope is identical, this logic is severely flawed (by the way, the same principle applies with HIPAA, FedRAMP, ISO, PCI…essentially everything when combined with HITRUST).
Here’s the reason. HITRUST is undoubtedly the most prescriptive framework in existence, and that’s a good thing. No other framework or regulation has the number of requirements or assessment points. The average assessment is north of 400 requirements. Those 400 requirements translate to roughly 1,500 pieces of evidence, 2,000 points of assessment, countless interviews and emails. My point is, you should start with the most prescriptive framework and extrapolate that effort back to every other assessment (i.e., ISO, SOC, HIPAA, PCI), not the other way around.
Sales Strategies. Here’s my personal opinion regarding sales representatives amidst a HITRUST sales lifecycle…this middleman typically has limited knowledge of HITRUST or the assessment process, is often disassociated from the actual assessment team, is commissioned on making a sale, and ultimately adds cost (and potential complexity) to your assessment. Rather than work with a middleman, you should be working directly with the Partner, VP, or Director who can answer your questions and will be immersed in your assessment journey.
Change Orders. Change orders are an Assessors’ saving grace. While change orders serve an important role to account for scope and service level changes, they’ve become a tool for Assessor firms presenting unrealistically low fees as a way to right-size an opportunity – at a time when you’re most vulnerable. Let’s face it, folks, a successful HITRUST validated assessment CANNOT cost less than $40,000. Considering the level of effort times the average industry rate of a cybersecurity professional, it’s impossible to add up to anything less. So, if you’ve stumbled across the deal that’s too good to be true, you’ve probably found an Assessor that is advertising below-industry rates or using change orders as a tool to make up the difference.
Attrition. HITRUST assessments take significant time and resources, both from the Assessor and the organization being assessed. The assessment requires personnel with extensive knowledge and long-term commitment across the assessment team. A firm with a high turnover rate is more likely to have turnover during your assessment, requiring more work from your internal team throughout the process to compensate for knowledge loss. Ask questions about their retention rate before engaging a firm for the first time.
Assessment Turnover. This sounds similar to the attrition and bait and switch topics, but it’s very different and with equally concerning outcomes. Have you ever been through an assessment where the list of assigned Assessors changes like the weather? If you have, you know firsthand the amount of dysfunction, frustration, and disruption this causes. My recommendation here, again, is to have your selected partner put in writing the concessions they will make when they invoke changes that impact your assessment.
Timeliness. The road to certification is undoubtedly long and complex. The last thing you want is to have that journey lengthened, or worse, end with a validated report without the highly coveted certification. Many of the discussion points in this white paper can significantly impact the duration and outcome of your assessment. It’s critical that you establish an agreed-upon timeline with your chosen partner. Understand their approach and strategy for delivering results in a timely manner and consider including financial penalties for missed deadlines.
Outsource Functions. Outsourcing is a common approach that Assessor organizations consider as a way to scale and minimize bench time. While this strategy is great for the Assessor, it could introduce significant risk to your organization. The information collected throughout a HITRUST engagement is proprietary to your organization and is highly confidential. When Assessors outsource, they potentially subject your data (e.g., network diagrams, IP addresses, pen test reports) to unknown systems that may be highly vulnerable to data compromise. Even worse, these Service Delivery Centers (SDCs) may be in foreign countries where data privacy and security safeguards aren’t mature. And while you may save $10,000 in fees during your assessment, the cost of a data breach or a failed HITRUST certification attempt will far exceed that amount. Ask your Assessor if they outsource (even domestically), and if they do, either walk away or start asking additional questions.
Assessment Fees. Again, I’ve overseen hundreds of HITRUST engagements. The reality is, the average validated assessment with a basic scope should fall in the $45k-$70k range. If you are paying more, you are likely paying too much. Conversely, if you are paying less, you should be on the lookout for some of the conditions mentioned above.
For those of you who are HITRUST veterans (meaning your organization has been previously certified), there are certain conditions that should result in a price REDUCTION. Yes, I said it! The reality is, your first HITRUST validated assessment will undoubtedly be your biggest hurdle as it sets the foundation for your information security program. From that point forward – assuming minimal CSF versioning changes, potential control inheritance, continuous monitoring efforts, minimal organizational and system change, and little change to system scope – your organization should be asking why you are being charged MORE for your subsequent assessments.
That’s the scoop from one of the most experienced HITRUST Assessors in the business. There are many tactics in play as you consider whether your Assessor is a keeper or not. Don’t forget, nothing prevents you from making a change at any point in time. Before you launch your next assessment, apply Kenny Rogers’ savvy advice to your Assessor – know when to hold ‘em and when to fold ‘em.
About the Author Andrew Hicks is the National HITRUST Practice Leader and Vice President of Risk Assurance for Frazier & Deeter. He specializes in working with organizations to adopt, implement and manage information security programs, specifically in regards to HITRUST, HIPAA regulatory compliance, risk management and SOC examination procedures. A frequent speaker at HITRUST events, Andrew has managed more than 500 HITRUST engagements and has been repeatedly appointed to HITRUST Assessor, Quality and Marketing councils.
Find more information about Frazier & Deeter’s HITRUST services here.