I have been performing security assessments for more than 16 years and have always wondered why organizations feel the need to switch their security assessment firms.
The essence of what I have heard over the years includes: to get a second “set of eyes” on the security posture; management requires “us” to switch vendors; and it's a best practice.
Instead of asking why organizations rotate assessment firms, perhaps we should be asking if it is worth the cost of constantly switching security assessment companies.
The consulting industry as a whole – not just security – has a low monetary cost associated with switching providers. However, there are other costs security managers need to weigh when switching assessment companies.
First, you never develop a partnership or a “trusted adviser,” since the firm you are using is only engaged for a short period of time and typically sees only a small portion of the environment. Next, each switch of security vendors loses the knowledge and understanding of the environment that the previous firm had built up. And finally, year-over-year trend analysis becomes impossible, because no single firm has seen more than one year's results.
Let's compare switching security assessment companies every year to the finance industry. If this practice were truly valuable, wouldn't the American Institute of CPAs require that all SEC-filed companies switch the accounting firms they use annually? Of course they don't. In most instances, these accounting firms attest to the financials of the organization for years, even decades. This is because, unlike the security industry, the business community places a premium on building relationships and trust.
If you switch security assessment companies regularly, you may actually be losing more than you're gaining, such as the value of building a relationship with a trusted adviser.