Undercover

How to Corral Security Consultants

Security consultants can help your business, if you give them clear ground rules before they start

By Anonymous

December 01, 2005, CSO

My current boss, a CEO, defines a consultant as a person you pay to tell you what time it is from your own wristwatch.

I like that line. Having been on both sides of the game, as a consultant and a customer, my view is that the definition is sometimes right on the money. While there are some very good consultants out there, and some very good customers, they don't necessarily communicate very well with each other. And that opens the door to problems (and, of course, to consultant jokes). I suppose if your intent is to gain outside confirmation of your own beliefs, hiring a consultant can be useful. But be prepared for the possibility that the consultant may return with an opposing view or advice you don't think your company would be wise to follow.

A few days after I landed my present job, post-9/11, I was told that one of my performance objectives was to track the progress of the security consultants who had been hired and launched before I got here. They were brought in to "look things over and make recommendations to improve security." Once they were through looking and we had their reports, I was to review those reports and develop plans to implement the recommendations. Sounded reasonable. Within days, however, I learned that things weren't quite that simple: There wasn't just one security consulting group on board; there were three, and all were nearly finished. Each had a slightly different approach, background and number of team members. Each had been hired by operations directors from different departments to perform a "comprehensive review of security," but those hiring managers didn't coordinate their efforts with each other or with the consultants. And, not being security professionals, the ops directors did not think themselves qualified to place any restraints on the consultants, which meant that, with no useful guidance from our end, the consultants pretty much had complete freedom.

In our case we pretty much created a monster. The ops directors who hired these experts had nothing but good intentions. But they gave the consultants too much freedom.

That may sound bad, but wait, there's more. These consultants had mostly Defense Department experience and little background with the private sector, which meant they had no sense for business planning around P&Ls. When their reports came in, it was no surprise to see that they were in different formats, that they contained both different and overlapping findings, and that they made different recommendations, even in cases where the findings were the same!
