Undercover

How to Corral Security Consultants

Security consultants can help your business, if you give them clear ground rules before they start

By Anonymous

December 01, 2005, CSO

My current boss, a CEO, defines a consultant as a person you pay to tell you what time it is from your own wristwatch.

I like that line. Having been on both sides of the game, as both a consultant and a customer, I think that definition is sometimes right on the money. While there are some very good consultants out there, and some very good customers, they don't necessarily communicate very well with each other. And that opens the door to problems (and, of course, to consultant jokes). I suppose if your intent is to gain outside confirmation of your own beliefs, hiring a consultant can be useful. But be prepared for the possibility that the consultant may return with an opposing view or advice you don't think your company would be wise to follow.

A few days after I landed my present job, post-9/11, I was told that one of my performance objectives was to track the progress of the security consultants who had been hired and launched before I got here. They were brought in to "look things over and make recommendations to improve security." Once they were through looking and we had their reports, I was to review those reports and develop plans to implement the recommendations. Sounded reasonable. Within days, however, I learned that things weren't quite that simple: There wasn't just one security consulting group on board; there were three, and all were nearly finished. Each had a slightly different approach, background and number of team members. Each had been hired by operations directors from different departments to perform a "comprehensive review of security," but those hiring managers didn't coordinate their efforts with each other or with the consultants. And, not being security professionals, the ops directors did not think themselves qualified to place any restraints on the consultants, which meant that, with no useful guidance from our end, the consultants pretty much had complete freedom.

In our case we pretty much created a monster. The ops directors who hired these experts had nothing but good intentions. But they gave the consultants too much freedom.

That may sound bad, but wait, there's more. These consultants had mostly Defense Department experience and little background with the private sector, which meant they had no sense for business planning around P&Ls. When their reports came in, it was no surprise to see that they were in different formats, that they contained both different and overlapping findings, and that they made different recommendations, even in cases where the findings were the same!
