The vendor-independence test: six questions to ask any security advisor


DataNudge Advisory  ·  April 2026  ·  6 min read

Before you act on any security recommendation, you need to understand whether the advisor giving it has a commercial stake in your decision.

The cybersecurity advisory market contains three types of advisors, and they are not equally objective. The first is the technology vendor, whose advisory services exist to create pathways to product sales. The second is the large consulting firm, whose assessments frequently create opportunities for implementation engagements. The third is the independent advisory firm, which earns its revenue from advice alone and has no commercial interest in what you decide to buy or build.

Distinguishing between them is not always easy. Vendors have built sophisticated advisory practices that resemble genuine consulting. Large firms have security practices that market themselves as objective. The language of independence has become so common that it is almost meaningless without verification.

These six questions will surface the conflicts that matter before you act on advice that may have been shaped by them.

01. Do you earn revenue from technology vendors in any form?

This includes referral fees, reseller margins, co-selling arrangements, certification revenues, sponsored research, and speaking fees from vendor events. Any of these creates an incentive, however subtle, to recommend the vendor’s products or validate their positioning. A genuinely independent advisor earns nothing from any technology sale that follows from their advice.

02. If your assessment finds we do not need new technology, what happens to your revenue?

This is the single most revealing question you can ask. A vendor-affiliated advisor or a firm that earns implementation revenue has a structural incentive to find that new technology is required. An independent advisor's revenue does not change based on whether the answer is "buy more tools" or "optimize what you already have." Ask the question directly and watch whether the answer is clean.

03. Who will implement the recommendations you make?

If the answer is the same firm conducting the assessment, that is a conflict. Assessment scope, findings, and remediation prioritization will all be shaped, even unconsciously, by what the firm is capable of and interested in implementing. An independent advisor has no implementation practice. Their interest is in giving you the most accurate possible view of what needs to change, not in being hired to change it.

04. Have you advised organizations that decided not to buy anything?

Ask for examples. An independent advisor will have engagements that concluded the existing control set was adequate for the current risk profile, with targeted process improvements rather than technology investment. If every engagement the advisor describes ends with a technology recommendation, that is a pattern worth examining.

05. What certifications do your advisors hold, and who paid for them?

Vendor-sponsored certifications are not inherently disqualifying, but they indicate a relationship. An advisor who holds a portfolio of certifications sponsored by the vendors they recommend in assessments has a different incentive structure than one who holds framework-based certifications from standards bodies. The question is not whether certifications exist, but who benefits from them being maintained.

06. If we disagree with your recommendation, what happens?

An independent advisor will walk you through their reasoning, acknowledge what the disagreement implies for your risk posture, and respect your decision. An advisor with a commercial interest in your conclusion will push back with an intensity that is disproportionate to the intellectual stakes. The answer to this question tells you whether you are dealing with a genuine advisor or a salesperson with a methodology.

None of these questions are adversarial. Any advisor who cannot answer them comfortably has already told you something important about the nature of their advice.

DataNudge Advisory

DataNudge is a pure-play cybersecurity advisory firm. We hold no vendor certifications, earn no implementation revenue, and carry no technology partnerships. If you want advice you can trust, start with a conversation.
