Undercover

How to Corral Security Consultants

Security consultants can help your business, if you give them clear ground rules before they start

By Anonymous

December 01, 2005, CSO

My current boss, a CEO, defines a consultant as a person you pay to tell you what time it is from your own wristwatch.

I like that line. Having been on both sides of the game, as a consultant and as a customer, I think that definition is sometimes right on the money. While there are some very good consultants out there, and some very good customers, they don't necessarily communicate very well with each other. And that opens the door to problems (and, of course, to consultant jokes). I suppose if your intent is to gain outside confirmation of your own beliefs, hiring a consultant can be useful. But be prepared for the possibility that the consultant may return with an opposing view or advice you don't think your company would be wise to follow.

A few days after I landed my present job, post-9/11, I was told that one of my performance objectives was to track the progress of the security consultants who had been hired and launched before I got here. They were brought in to "look things over and make recommendations to improve security." Once they were through looking and we had their reports, I was to review those reports and develop plans to implement the recommendations. Sounded reasonable. Within days, however, I learned that things weren't quite that simple: There wasn't just one security consulting group on board; there were three, and all were nearly finished. Each had a slightly different approach, background and number of team members. Each had been hired by operations directors from different departments to perform a "comprehensive review of security," but those hiring managers didn't coordinate their efforts with each other or with the consultants. And, not being security professionals, the ops directors did not think themselves qualified to place any restraints on the consultants, which meant that, with no useful guidance from our end, the consultants pretty much had complete freedom.

In our case we pretty much created a monster. The ops directors who hired these experts had nothing but good intentions. But they gave the consultants too much freedom.

That may sound bad, but wait, there's more. These consultants had mostly Defense Department experience and little background with the private sector, which meant they had no sense for business planning around P&Ls. When their reports came in it was no surprise to see that they were in different formats, that they contained both different and overlapping findings, and that they made different recommendations, even in cases where the findings were the same!
