Security Consultants and Lawyers: Don't Trust Them to Manage Risks

Security consultant Scott Wright breaks down the similarities between attorneys and consultants -- and explains why neither can really give you the risk management you need

By Scott Wright

April 05, 2010, CSO

The other day, the subject of lawyers came up while I was stuck in traffic, listening to a business podcast in my car. The podcaster was discussing how lawyers only provide a certain, limited value for their business clients, considering how high their fees can be. While he spoke, it struck me that many people depend on lawyers too much for "protection from risks."

Perhaps this is one reason why lawyers get a bad reputation: They are misused. I started thinking about how this is also a problem with security consultants, and their reputations. When you make a quick tally, the number of similarities between lawyers and security consultants is almost scary:

1) Lawyers are pretty expensive if you pay them by the hour. So are security consultants, and their clients never let them forget it. (See also: How to Corral Security Consultants)
2) If risk is a common issue in your business, it can be very worthwhile to hire lawyers as permanent employees. The same goes for security consultants. In fact, many are not really cut out to be in business for themselves at all.
3) Lawyers will usually tell you what the safest thing to do is, assuming you don't want to be exposed to any risk (See Five Security Missteps Made in the Name of Compliance). Security consultants have a habit of thinking the same way. Just when you think you've covered all the issues, there's John at the back of the room with his finger waving at the sky saying, "Just one more scenario that you may not have considered..." (as all the eyes start to roll back in everyone's heads).
4) Lawyers are good at coming up with wording that will protect you in almost every conceivable way. Bulletproof is the word that comes to mind. Security consultants, left unattended, have been known to propose a Fort Knox solution, when management was thinking more of a corner store ATM budget.
5) If you pay them enough for travel and meals, most lawyers will come and visit you in your place of business. I haven't met many security consultants who wouldn't take on an engagement in any location for the right fee, or any fee, for that matter.
6) Lawyers and security consultants don't usually accept much, or any, responsibility for the failure of a business initiative that they provided advice on. They always have a disclaimer that says, essentially, "It is YOUR responsibility to accept the risks that go with your decisions." Now, in case you're thinking you can solve that problem by making them a business partner, or giving them a piece of the action, here's an interesting thing to consider. While a joint venture agreement will likely get them thinking a bit more positively, don't be surprised if your lawyer is smart enough to put an escape hatch in the JV agreement - something like this: "Despite the fact that I'm on your team, you should really get Independent Legal Advice." So, you're back to square one. Security consultants aren't that smart, however, and may be convinced to take on some of the risk in the venture. (They don't get invited to be partners very often.)

