Security consulting is a business that boomed beyond all expectations just before the turn of the century. The ever-increasing plague of hackers, worms, and viruses, the growing fear factor in the average organization, and a general lack of security expertise opened the market wide for information security consultants around the world. Basically, anyone who had ever touched a firewall or read about encryption could be gainfully employed in information security as a consultant. Today, just about every consulting organization has an information security practice and a plethora of security offerings for customers. Security consultants bring in a high rate, equivalent to that of high-end networking, storage area consulting, and other premium consulting services. Such rates are normally well worth the investment when dealing with an experienced security consulting team. Unfortunately, along with the great demand for security services also came an enormous push to develop security offerings within consulting organizations that were not necessarily ready for them. This has resulted in a great mix of quality among the different security services performed by consulting companies.

Dispelling the Consulting Myth

One of the greatest things about hiring a consultant or consulting organization to secure an environment is that we get a nice, warm, fuzzy feeling that the matter is in the hands of experts. Many organizations choose to offload their most difficult or sensitive tasks to an outside organization, believing the organization to have a higher level of expertise than the local staff. Unfortunately, this is not what they always get. Most consulting organizations, just like any other profitable entity, are run by the sales department. As such, the quality of the consulting services received can often be determined by the practices of the sales engineers. As with any organization, consulting companies have varying degrees of talent within their staff.
In general, the most talented consultants will be continually busy and put on the most profitable projects, while the less talented consultants will be more readily available for newer projects. It then only makes sense for the sales engineer to provide the most available resource, commonly the less talented consultant, for the project at hand. In an ideal world, a good sales engineer will be able to tell if an individual is capable of handling a project and will make a sale based on this understanding. Sadly, the majority of sales engineers out there are not able to, or choose not to, follow such a process. It is thus up to the receiving organization to determine whether or not the consultant(s) it is hiring has the proper expertise. This creates a paradox, since assessing talent requires that you have talent with which to perform the assessment.

Purchasing Consulting Services

The main point here is that there should be no illusions when purchasing consulting services from a consulting organization. If individual consultants are going to be brought in for specific projects, be sure to perform a personal interview and make your own assessment of each individual's abilities. This interview should be performed alone, with no other representatives from the consulting company present. Even more practical is to purchase packaged services from consulting organizations, rather than individuals. With a packaged services product, like a security assessment or a specific form of device implementation, there is a great deal of value coming from the consulting organization itself, not just the individual engineers. Organizations that perform the same services over and over tend to become extremely accurate and efficient. Thus, with these types of services, a client is more likely to get the proper engineers to fill the proper positions.
Do We Need Consultants?

The real question here is, do we really need to bring in a consulting company to do a security project? If an organization is pondering whether the local staff can handle it or consultants need to be brought in, here are some common considerations: