Bringing in Security Consultants

Security consulting is a business that boomed beyond all expectations just before the turn of the century. The ever-increasing plague of hackers, worms, and viruses, the growing fear factor in the average organization, and a general lack of security expertise opened the market wide for information security consultants around the world. Basically, anyone who had ever touched a firewall or read about encryption could be gainfully employed in information security as a consultant.

Today, just about every consulting organization has an information security practice and a plethora of security offerings for customers. Security consultants command high rates, equivalent to those of high-end networking, storage area consulting, and other premium consulting services. Such rates are normally well worth the investment when dealing with an experienced security consulting team. Unfortunately, along with the great demand for security services also came an enormous push to develop security offerings within consulting organizations that were not necessarily ready for them. The result is a wide range of quality among the security services performed by consulting companies.

Dispelling the Consulting Myth

One of the greatest things about hiring a consultant or consulting organization to secure an environment is that we get a nice, warm, fuzzy feeling that the matter is in the hands of experts. Many organizations choose to offload their most difficult or sensitive tasks to an outside organization, believing the organization to have a higher level of expertise than the local staff. Unfortunately, this is not what they always get.

Most consulting organizations, just like any other profitable entity, are run by the sales department. As such, the quality of the consulting services received can often be determined by the practices of the sales engineers. As with any organization, consulting companies have varying degrees of talent within their staff. In general, the most talented consultants will be continually busy and put on the most profitable projects, while the less talented consultants will be more readily available for newer projects. It then only makes sense for the sales engineer to provide the most available resource, commonly the less talented consultant, for the project at hand. In an ideal world, a good sales engineer will be able to tell if an individual is capable of handling a project and will make a sale based on this understanding. Sadly, the majority of sales engineers out there are not able to, or choose not to, follow such a process. It is thus up to the receiving organization to determine whether or not the consultant(s) it is hiring has the proper expertise. This creates a paradox, since assessing talent requires that you have talent with which to perform the assessment.

Purchasing Consulting Services

The main point here is that there should be no illusions when purchasing consulting services from a consulting organization. If individual consultants are going to be brought in for specific projects, be sure to perform a personal interview and make your own assessment of each individual's abilities. This interview should be performed alone, with no other representatives from the consulting company present.

Even more practical is to purchase packaged services from consulting organizations, rather than individuals. With a packaged services product, like a security assessment or a specific form of device implementation, there is a great deal of value coming from the consulting organization itself, not just the individual engineers. Organizations that perform the same services over and over tend to get extremely accurate and efficient. Thus, with these types of services, a client is more likely to get the proper engineers to fill the proper positions.

There are, of course, always exceptions to this idea. The world is full of many talented and honest independent security consultants. The best approach to bringing in outside consultants is to establish a relationship through a series of smaller projects. Then, when a degree of trust has been established, it is much more practical to rely on the consultant for making major decisions.

Do We Need Consultants?

The real question here is, do we really need to bring in a consulting company to do a security project? If an organization is pondering whether the local staff can handle it or consultants need to be brought in, here are some common considerations:

  • Does the local staff have experience in this area? Most security projects should be performed by someone with experience in the area of security. We have already discussed many ways in which good security practices differ from good technology practices, and someone who can technically install a firewall is not always the best choice for implementing perimeter security.

  • Does the organization trust the local staff to perform the project? There are a variety of reasons not to trust local staff to perform some security operations. Most organizations, for example, should use external entities to perform security audits. The idea here is that a local administrator may not be quite so honest when reporting security issues with his or her own workstation, servers, and networks, or those of his or her friendly coworkers. Similarly, we may not trust local staff to implement security measures that will affect their own activities, such as restricting access to Web sites or increasing the monitoring of employee activities.

  • Can the service desired be purchased in a package? Packaged service offerings performed by a consulting organization can often be of benefit to us. A consulting company that centers its practices around a handful of packaged services will have already gone through the process of discovering errors, tuning procedures, and otherwise perfecting the service. This usually means that the consulting organization can perform the process much faster, more efficiently, and at a lower cost than if you were to staff the project locally.



Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
Year: 2006
Pages: 119
Authors: Kevin Day
