Undercover
How to Corral Security Consultants
Security consultants can help your business, if you give them clear ground rules before they start
By Anonymous
When one of the ops managers said, "What do you mean you aren't going to follow their recommendation to install HEPA filters in our public building HVAC systems?" I had to explain exactly what a HEPA filter is (and its impact on standard HVAC design and our operating budget) before he stopped sniveling and listened. He had allocated a large slice of his discretionary budget to pay the consultant, so he expected us to follow their advice. All of it. But I pointed out that in a public building a bad guy can simply walk in and spread bad things around that circumvent the filters. And since the best defense is to turn off the HVAC system to keep bad things from spreading, the filters are once again largely irrelevant. Not to mention state building codes on the replacement of air in public buildings make HEPA filters impractical in an existing HVAC system.
Even with my (I thought) lucid arguments, we unfortunately ended up hiring an engineering consultancy to study the impact and cost of installing respirator filters in a building HVAC system. The resulting study showed conclusively that it didn't make any sense. The consultants may as well have recommended we put canary cages in the food court to warn us when we are under chemical attack! In the end we paid the engineering consultant a lot of money to tell us that the security consultants had made a silly recommendation that we were right to ignore.
Guide Events or Be Guided by Them
So, OK, what is the lesson here? Never hire a consultant? No, of course not. There are times when you will want to do this, no matter how good you are yourself. But before you go that route, make sure it is a deliberate decision and that you have a big hand in shaping the course of events.
First, it's important to understand the difference between a security professional and a security practitioner. A security professional may be certified by a recognized security association and have many years of experience in security but not be currently responsible for the security of any enterprise. A security practitioner is someone who is responsible for all or part of the security of an enterprise, whether or not he has any expertise in security at all. The best case is when the practitioner is also a professional, and the professional has been a practitioner.