Undercover

How to Corral Security Consultants

Security consultants can help your business, if you give them clear ground rules before they start

By Anonymous

Page 2

Too Much Advice Can Be a Bad Thing

I had expected some duplication. But I was not prepared for the labor-intensive development of a matrix, first to identify the more than 600 findings and recommendations, and then to decide which were different, which were duplicates and which were contradictory. The net of all this was assimilating a little more than 100 separate findings and recommendations that may have made sense to the military, but did not translate very well to the private sector.

And here is the most irksome issue when hiring security consultants. They will walk away when finished. You, however, have to live with what they leave behind. In the best of all worlds, you took the time to properly orient them to your business, your culture, your standards and your needs for their help. Then, of course, you made it clear where you are on the risk management scale. If your business is risk averse, like the Department of Defense, you may not bat an eye when you get the recommendation for a high-efficiency particulate air (HEPA) filter. But if your business is more accepting of risk, more in the mode of managing various risks, then you will want to see some more practical approaches to things like air quality assurance.

If you haven't managed the consultant's goals and objectives and have not placed any constraints on them, you will find, as I did, that you are caught between the proverbial rock (the consultants' professional opinion) and a hard place (your reality). The key, therefore, to a successful relationship with security consultants is to clearly define what you want to achieve through their service, when you think it is reasonable for them to finish, what constraints your company imposes on any business proposal, and finally, what format their final report should be in. You'll also be ahead of the game if you request that, for each recommendation the consultants make, they engineer the solution, cost it out and draft the budget justifications (in terms of ROI). That way you'll be prepared when it comes time to fight for the money. Also, have them provide an estimate on the impact to the annual operating budget of maintaining all the systems and gadgets they recommend you buy.

In our case we pretty much created a monster. The ops directors who hired these experts had nothing but good intentions. But they gave the consultants too much freedom. This led to some equally well-intentioned recommendations that created a number of "round peg/square hole" problems for us. While 90 percent of their work was common sense and not controversial, we were quickly reminded that the final 10 percent of performance accounts for 90 percent of the cost. So when I decided to ignore some of their more outrageous suggestions I had to do a lot of homework (some of it with the help of even more consultants) to prove that doing it their way was either silly or, in my view, flat-out wrong. Remember the old proverb that says the more you pay for something, the more credibility it has? Exactly the case here.
