2014-01-03

When it comes to choosing new vendors and suppliers, the old method was to get in contact with the company and ask around their local neighbourhood and with their customers to see how trustworthy the vendor is (they'd rely on their reputation to sell their product).
Unfortunately, when it comes to firewalls (IDS/IPS, load balancers, endpoint protection, et al.), unless you have in-house engineers who can build and deploy what you need within your organization (i.e. FIPS-level VPN tunnelling to an IaaS compute setup), you're going to need to outsource the work to a contractor who knows the products and can deploy them for you.
These days, you can't directly approach a vendor to request a deployment of a load balancer worth tens of thousands of dollars; you need to temporarily hire that expertise from another company, en masse, and set up contracts to ensure a good deployment and handover process.

Hiring an independent contractor for six months to engage the procurement and deployment of a system would only work if they have extensive Service Design experience in that product, and those types of people are either ridiculously expensive to hire, or already working for a consultancy firm.

My question is: How do you audit the skills and trustworthiness of an Information Security consultancy firm without having previously dealt with said company? Because this is such a new industry, it's hard to find companies that have been "in the business" long enough to be trusted up-front.
What metrics can you use to determine the maturity of a consultancy firm and the viability of a long-term relationship with them?
