An organization has a large technology department with skilled personnel to manage many current operations. The CIO $($Chief Information Officer$)$ has been tasked with assuring the organization is secured. The information technology department has never done an internal assessment of risks or vulnerabilities. You have been given several key factors that you must take into consideration: $1)$ Internal staff have not performed security audits in the past, $2)$ the security assessment is considered a critical need, and $3)$ internal personnel would need some extensive training. What would be the best option to pursue?