TL;DR

  • Most SMBs don't need a massive cybersecurity firm. What you need is someone who understands your size, your actual risk, and your budget — and who can translate technical controls into business outcomes.
  • Certifications matter, but they're not everything. CISSP, CISM, and OSCP demonstrate baseline competence. But a wall of certificates with no practical SMB experience is worse than a battle-tested practitioner with fewer letters after their name.
  • Beware the fear merchants. Any consultant who leads with scare tactics and vague threats rather than concrete risk assessment and prioritised recommendations is selling anxiety, not security.
  • Get scope in writing before money changes hands. The number-one source of disputes in cybersecurity consulting is scope creep. A good consultant will give you a clearly defined scope, deliverables, timeline, and price before work begins.
  • The right consultant makes you more independent, not more dependent. If your consultant's business model requires you to stay helpless forever, they're not a consultant — they're a captor.

Why This Guide Exists

Hiring a cybersecurity consultant is one of the highest-stakes purchasing decisions a small business makes. Get it right, and you genuinely reduce your risk, meet compliance requirements, and sleep better. Get it wrong, and you've spent $10,000-50,000 on a PDF of generic recommendations that could have been pulled from a blog post.

The cybersecurity consulting market has exploded. There are now over 3,500 cybersecurity consulting firms operating in Australia alone, ranging from one-person operations to multinational firms. The quality variance is enormous. Some are exceptional. Many are mediocre. A few are actively harmful — selling unnecessary products, overstating risks, or delivering work that doesn't survive contact with reality.

This guide is designed to help you tell the difference.


Step 1: Know What You Actually Need

Before you talk to a single consultant, get clear on what you're trying to achieve. "We need cybersecurity help" is too vague to get useful proposals. Here are the common engagement types:

Risk Assessment / Gap Analysis

What it is: A consultant evaluates your current security posture against a framework (like the Essential Eight, ISO 27001, or NIST CSF), identifies gaps, and provides prioritised recommendations.

When you need it: You don't know where you stand and need a structured view of your risks. This is the right starting point for most SMBs.

Typical cost: $3,000-15,000 depending on scope and business size.

Penetration Testing

What it is: Simulated attacks against your systems to find exploitable vulnerabilities. External testing targets your internet-facing systems. Internal testing simulates an attacker already inside your network.

When you need it: You want to validate that your defences actually work, not just that policies exist on paper. Best done after you've addressed known gaps — there's no point paying someone $15,000 to tell you your unpatched server is vulnerable.

Typical cost: $5,000-25,000 depending on scope.

Compliance / Certification Support

What it is: Help implementing a specific framework or achieving certification (ISO 27001, SOC 2, Essential Eight maturity levels, PCI DSS).

When you need it: A client, insurer, or regulator requires specific compliance, and you need expert guidance to get there efficiently.

Typical cost: $10,000-50,000+ depending on the standard and your starting point.

Incident Response

What it is: Emergency response to an active security incident — breach, ransomware, business email compromise.

When you need it: Right now, things are on fire. This is not the time to be shopping around.

Pro tip: Establish an incident response retainer before you need it. Having a pre-agreed relationship with an IR firm means faster response when something goes wrong.

Typical cost: $250-500/hour, or $5,000-20,000/year for a retainer.

Virtual CISO (vCISO)

What it is: Part-time, outsourced security leadership. A senior security professional who acts as your head of security for a set number of hours per month.

When you need it: You need ongoing security leadership but can't justify (or afford) a full-time CISO. This is increasingly popular for SMBs with 20-200 employees.

Typical cost: $2,000-8,000/month depending on hours and seniority.


Step 2: Evaluate Credentials (But Don't Worship Them)

Certifications are a signal, not a guarantee. Here's what the major certifications actually tell you:

CISSP (Certified Information Systems Security Professional): Broad, management-level security knowledge. Requires five years of experience in two or more security domains. Good baseline for consultants doing risk assessments, governance, and strategy work.

CISM (Certified Information Security Manager): Focused on security management, governance, and programme development. Strong signal for vCISO engagements and compliance work.

OSCP (Offensive Security Certified Professional): Hands-on penetration testing certification. Requires passing a gruelling 24-hour practical exam. If you're hiring for pen testing, this is the gold standard.

CEH (Certified Ethical Hacker): Entry-level offensive security certification. Multiple-choice exam. It demonstrates basic knowledge but is not sufficient evidence of practical pen testing skill on its own.

ISO 27001 Lead Auditor/Implementer: Specific to ISO 27001 implementation and auditing. Essential if you're pursuing ISO certification.

What actually matters more than certifications:

  • Relevant experience with businesses your size. A consultant who's spent 15 years securing banks may have a CISSP and zero idea how to help a 30-person business with a $10,000 security budget.
  • Industry knowledge. Healthcare, finance, legal, and education all have specific compliance requirements. A consultant with relevant industry experience will save you weeks of context-setting.
  • References from similar clients. Ask for them. Call them. Ask: "Did the recommendations actually get implemented? Were they practical for your size and budget?"
  • Communication skills. Your consultant needs to explain technical risks to non-technical stakeholders. If they can't communicate clearly in their proposal, they won't communicate clearly in their deliverables.

Step 3: Ask the Right Questions

Here are the questions that separate good consultants from the rest. Ask all of them.

About Their Approach

"How do you scope an engagement?" Good answer: they'll want to understand your environment, your business objectives, your regulatory requirements, and your risk appetite before quoting. Bad answer: a fixed-price package with no discovery.

"What framework do you assess against, and why?" Good answer: they recommend a specific framework based on your industry and requirements (Essential Eight for Australian businesses, NIST CSF for general risk management, ISO 27001 for certification). Bad answer: they use a proprietary framework that only they can assess against. This creates vendor lock-in.

"What does the deliverable look like?" Ask to see a redacted sample report. You're looking for: prioritised findings, business-context explanations (not just technical jargon), specific remediation steps, and effort/cost estimates for each recommendation. If the sample report reads like a Nessus scan dump, run.

About Their Business

"What's your client retention rate?" Good consultants have long-term client relationships. If they're constantly churning clients, ask why.

"Who will actually do the work?" In larger firms, the senior partner sells the engagement and a junior analyst delivers it. There's nothing inherently wrong with this, but you should know who you're getting and what their experience is.

"Do you sell products?" This is critical. If your consultant also sells firewalls, endpoint protection, or SIEM solutions, there's an inherent conflict of interest. They may recommend products you don't need. This doesn't automatically disqualify them, but you need to know about it and factor it into your evaluation.

About Their Experience

"What's the smallest business you've worked with in the past 12 months?" If the answer is 500 employees, they may not understand the constraints of a 20-person business with no IT department.

"Can you give me an example of a recommendation you made that a client didn't follow, and why?" This tests intellectual honesty. Good consultants recognise that not every recommendation is practical for every client. They should be able to articulate when a risk is acceptable and when it isn't.

"What's your approach when budget doesn't allow best practice?" This is the real test. Any consultant can recommend best-in-class solutions. A good consultant can also build a pragmatic, tiered plan that maximises risk reduction within real-world constraints.


Step 4: Spot the Red Flags

Years of working in this industry have taught me exactly what to avoid. Here are the red flags that should make you think twice:

The Fear Merchant

They open the conversation with horror stories, breathless statistics, and vague warnings about "sophisticated threat actors." They want you scared and buying before you've had time to think. Legitimate security professionals discuss risk calmly, in context, and with proportion.

The Black Box

They won't explain their methodology, use proprietary scoring systems that nobody else can validate, or deliver reports that are heavy on impressive graphics and light on actionable content. Security assessments should be transparent and reproducible.

The Product Pusher

Every recommendation somehow points to a product they sell or receive commission on. Their "assessment" is really a sales funnel for their reseller partnerships. Ask directly: "Do you receive commissions or referral fees from any vendors?"

The Scope Creeper

They quote low, start work, and then "discover" that the engagement needs to be significantly expanded. Legitimate scope changes happen, but they should be documented, justified, and approved before additional charges. Get a change management clause in your contract.

The Compliance Theatre Director

They focus exclusively on ticking boxes and producing documentation, with no attention to whether the controls actually work in practice. Compliance is necessary but not sufficient — a perfectly documented security programme that nobody follows is worthless.

The Forever Consultant

Their recommendations are designed to maximise your dependency on them. They build systems only they can manage, use proprietary tools only they understand, and never transfer knowledge to your team. A good consultant's ultimate goal is to make you capable of maintaining your security posture independently.


Step 5: Compare Proposals Effectively

When you have two or three proposals, here's how to compare them fairly:

Normalise the Scope

Proposals often cover different scopes, making direct price comparison meaningless. Create a simple comparison matrix:

  • What systems/assets are in scope?
  • What framework is being used?
  • What deliverables are included?
  • What's the timeline?
  • What's the total cost, including any assumed follow-on work?
  • Who specifically will perform the work?
  • What are the payment terms?

Evaluate the Risk Prioritisation Approach

The best indicator of a good consultant is how they prioritise. Ask each one: "If we could only do three things from your recommendations, what would they be and why?" The answer reveals whether they understand your specific risks or are just applying a generic checklist.

Check the Deliverable Quality

A useful deliverable has:

  • An executive summary a non-technical director can read in five minutes
  • Findings prioritised by actual risk to your business, not just technical severity
  • Specific, actionable remediation steps (not "improve your security posture")
  • Effort and cost estimates for each recommendation
  • A suggested implementation roadmap with quick wins first

Price Is Not Quality

The cheapest option is often the most expensive in the long run. A $3,000 assessment that delivers generic findings you can't act on is worse value than an $8,000 assessment with specific, prioritised, actionable recommendations that actually reduce your risk.

That said, the most expensive option isn't automatically the best either. You're paying for expertise and relevance, not prestige.


Pricing Models Explained

Understanding how consultants charge helps you budget and negotiate effectively.

Fixed Price

A set price for a defined scope. Best for well-scoped engagements like risk assessments and pen tests. Ensure the scope is clearly documented — vagueness benefits the consultant, not you.

Time and Materials (T&M)

Hourly or daily rate, billed for actual time spent. Common for ongoing advisory work and vCISO engagements. Ask for a budget estimate and a cap, and require approval before exceeding it.

Retainer

A fixed monthly fee for a set number of hours or defined services. Common for vCISO, managed security, and incident response readiness. Good for predictable budgeting. Ensure unused hours don't disappear — some retainers roll over, some don't.

Value-Based

The consultant prices based on the value delivered rather than time spent. Rare in cybersecurity but growing. Can be excellent if the scope and success criteria are well-defined. Can be problematic if "value" is subjective.

What to Budget

As a rough guide for Australian SMBs in 2026:

Engagement Type                            Budget Range
Risk assessment (10-50 staff)              $3,000-15,000
Penetration test (external + internal)     $8,000-25,000
ISO 27001 implementation support           $15,000-50,000
Essential Eight gap assessment             $3,000-10,000
vCISO (part-time, ongoing)                 $2,000-8,000/month
Incident response retainer                 $5,000-20,000/year

The Engagement Lifecycle

A well-run consulting engagement follows a predictable pattern:

1. Discovery and Scoping

The consultant learns about your business, your environment, your requirements, and your concerns. This should happen before any quote is provided. If a consultant quotes you without understanding your environment, they're guessing.

2. Proposal and Agreement

A written proposal covering scope, methodology, deliverables, timeline, pricing, and terms. Review it carefully. Ask questions. Negotiate if needed.

3. Kick-off

A meeting to align expectations, confirm access requirements, establish communication channels, and agree on points of contact.

4. Execution

The actual work. Expect regular status updates (weekly at minimum for engagements longer than two weeks). Good consultants flag emerging issues early rather than saving surprises for the final report.

5. Deliverables and Presentation

The report (or other deliverables) followed by a presentation to stakeholders. This is where the consultant's communication skills matter most. They should be able to explain findings to both technical staff and business leaders.

6. Follow-up

Questions will arise after you start implementing recommendations. A good consultant includes a defined follow-up period (typically 30 days) for questions and clarification at no additional cost.


Questions Your Consultant Should Ask You

Pay attention to what the consultant asks during the discovery phase. It reveals their depth of understanding. Good consultants ask:

  • What's your core business and what data is most critical to your operations?
  • What compliance or regulatory requirements do you face?
  • Have you experienced any security incidents in the past 2-3 years?
  • What does your current IT environment look like (cloud vs. on-premises, key platforms)?
  • Who handles IT currently (internal, MSP, or nobody)?
  • What's driving this engagement now (incident, compliance requirement, insurance, client request)?
  • What's your realistic budget for both the assessment and remediation?
  • Who are the decision-makers for implementing recommendations?

If a consultant doesn't ask most of these questions before quoting, they're not doing proper discovery.


FAQ

If your primary need is day-to-day IT management with basic security (antivirus, patching, backup), a competent managed service provider (MSP) with security capabilities may be sufficient. You need a cybersecurity consultant when you have specific compliance requirements, need an independent assessment of your security posture, are responding to an incident, or need strategic security guidance that goes beyond operational IT. Many SMBs benefit from both — an MSP for operations and a consultant for periodic assessments and strategy.

For most engagements, remote works perfectly well. Risk assessments, policy development, and pen testing can all be done remotely. The exceptions are: physical security assessments (obviously), engagements where you want someone to interview staff in person, and incident response where on-site presence may be needed. If you're in a regional area, don't limit yourself to local options — you'll get better quality and more competitive pricing by considering remote consultants with relevant experience.

A quality report includes: an executive summary (1-2 pages, non-technical), a methodology section explaining how the assessment was conducted, findings prioritised by risk (typically using a Critical/High/Medium/Low rating), specific remediation steps for each finding, effort and cost estimates, a suggested implementation timeline, and appendices with technical detail. If you receive a report that's mostly automated scan output with minimal analysis, you haven't received a genuine assessment.

At minimum, annually for a risk assessment or Essential Eight reassessment. Penetration testing should also be annual, or after significant infrastructure changes. Beyond scheduled engagements, consider engaging a consultant when: you experience a security incident, you're adopting new technology (cloud migration, new SaaS platforms), you're entering a new market with different compliance requirements, or a major vendor or client imposes new security requirements.

Yes, and you should. Approaches that work: bundle multiple engagements (assessment + pen test + follow-up), commit to a multi-year relationship, be flexible on timing (consultants often have quieter periods where they'll discount), and ask about payment terms (some offer discounts for upfront payment). What doesn't work: trying to cut scope to reduce price — this usually results in a less useful deliverable. It's better to phase the work over time than to do a superficial assessment all at once.


The Bottom Line

Choosing a cybersecurity consultant is a trust decision. You're trusting someone to honestly assess your vulnerabilities, give you practical advice, and not exploit your lack of technical knowledge. The best consultants are the ones who tell you what you need to hear, not what makes you most likely to sign a bigger contract.

Do your due diligence. Ask hard questions. Check references. Get scope in writing. And remember: the goal isn't to buy security theatre — it's to actually reduce your risk.

If you're looking for a no-nonsense cybersecurity consultation for your business, let's talk.

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.
