Joel Lanz: Guarding Data

(April 1, 2006)

By Riccardo A. Davis

(Page 1 of 2)

Not too long ago, a $1 billion bank hired both a CPA firm and a risk management firm to conduct a security audit, performing penetration tests to determine where the weak links were in the bank's computer systems. Taking an extra step, the bank hired CPA Joel Lanz to conduct a security audit. During his assessment, Lanz noted that the bank had outsourced the storage of its clients' data and that penetration testing should have been performed at the vendor's site.

"What I showed (the bank) was rather than contracting for the penetration test at its facility, vendor management and oversight was their biggest risk," says Lanz.

IT audit and security is a booming business, benefiting from the concerns raised by last year's Hurricanes Katrina and Rita, concerns that helped lift the five-year-old sole proprietorship to $325,000 in revenue in 2005.

Lanz operates his consulting firm from Jericho, N.Y., providing IT audit, governance, security, and risk assessment services to clients in the banking community. And perhaps the less that is known about Lanz's work, the better he has done his job. He wants to prevent clients from making the news because of security breaches.

Although Lanz couldn't disclose the name of his clients, citing privacy clauses, he characterized them as community banks and super-regional institutions with assets ranging from $500 million to $30 billion.

"They're too busy running the day-to-day operations of their business," says Lanz. "They can't see the forest for the trees."

That's why they need an independent consultant, such as Lanz, who has the CITP, CISA, CISSP, CISM, and CFE certifications on top of his CPA.

The majority of his clients hire him on retainer at annual fees ranging from $20,000 to $55,000. Fees for individual services, such as security reviews, range from $1,000 to $50,000, depending on the size of the company and the project scope. An IT risk management project costs between $12,000 and $24,000.

It is technology that enables Lanz, a one-man shop, to win engagements with clients of the size he serves. Software provides the foundation for this business. Lanz uses a vulnerability management product called Qualys, which lets him view his clients' environment the way an attacker would, so that he can test their exposure to security threats.

With Qualys, Lanz is able to identify easily guessable passwords, determine whether patches are up to date, and map the client's network.

"Without it (Qualys)," says Lanz, "it would be hard to compete with a larger firm."

Lanz says financial institutions seek him out because most mid-size firms don't offer IT security services. As a result, he regularly competes with Big Four accounting firms, large regional accounting firms, and non-CPA risk consulting firms. "I'm a former partner at Arthur Andersen," says Lanz, "so coming to me, they get a former partner, rather than the person two years out of school."