There are two situations that constantly leave me a bit awestruck in the world of information security consulting. And after reading this, especially as a “customer”, I’m betting you will agree.
But before I jump right into what those two are, let’s quickly define what a true IT security consultant does.
So what does this consultant do, exactly? Improve the client’s condition or situation. That’s really it. That’s the true root cause of the mission. And very, very little even comes close.
Signs of a Bad IT Security Consultant:
- They are clearly looking for how many hours they can bill you. This improves the consultant’s position first and foremost, with you a distant second, or third…if there’s perhaps another “partner” in the mix. They will say things like “our estimate is 100 hours…could be more, could be less”. Tip: It will be at least 100 hours in this situation!
- They were lobbed in by a contracting firm. As before, these guys will always bill hourly. The contracting firms almost always require it to be that way. They will likely put a minimum time span on the contract (weeks, months…) and bleed you for all they can. Most contracting firms do NOT focus on helping you get the most value from your IT security program. They put butts in the seats, and often with someone who is not able to market themselves as valuable in any other way. There are exceptions, and you will surely know them when you see them, but they are rare.
- They are introduced by a sales person. The reputation of a great consultant generally precedes them, and word of mouth from satisfied security practitioners and executives alike is where they find their very best new customers, not a sales person who has to go in specifically on their behalf. These sales-introduced exceptions are rare of course, but they do happen. And, not surprisingly, they never seem to last, generally because they are working for someone else and will soon enough find a better deal elsewhere.
- They take too many steps. I’m not talking about the stride of their walk. I’m referring to how many steps they take to do whatever it is they say they are going to do. Statements like “we have a 10 step process for getting situations such as yours quickly resolved” or “we will provide you daily/weekly status reports so that you know what we are doing each and every step of the way” are often just a smoke screen. It’s a cover for doing in 10 steps what could possibly be done in 2, filling your inbox with useless reports, and generally adding no real value for much of the day.
- They have many products to sell you. Most major security vendors have “consulting engineers” in one form or another. Why? Well, to sell you on their products, of course. I mean, they sure aren’t going to sell you on someone else’s products. And then we have the Value Added Resellers (VARs) for all these security vendors, where they sell perhaps hundreds of “solutions”. Here, too, they will have “consulting engineers” and even folks from “The Office of the CISO” to help steer you to whatever it is they have to sell. The true high value consultant, like ZecurityAscent, may have a few as well, but is never willing to compromise on improving the client’s condition over a few points of margin on a 3rd party offering. The consultant you want is the one willing to let you get that widget elsewhere if it helps to do so, knowing that he/she is still adding immense value and will merely seek equitable compensation for that added value.
- They want your job…or at least a job in your company. On more than a few occasions I have seen someone come in as a contractor/consultant saying that is the lifestyle they are after. And when it’s true, it’s generally a wonderful thing. Unfortunately, many start making it clear as soon as they are in the seat that they might like to make the arrangement more permanent if that just so happens to work out. If this is their approach going in, I don’t expect them to get any better after being hired full time.
Shock and Awe:
Back to our opening thought now. Here are the two all-too-common situations, as actual real life situations that I have run into:
- The Outsourced CISO: Ummm…No! Not a CISO. I actually sat down with a new CISO for a pretty large energy company who told me this incredible story of an “outsourced CISO” experiment that his company ran just before he arrived. They had a gap between the old and the new, so the large VAR sales guy put this “CISO” in the seat. In a matter of a few months, this “CISO” managed to spend pretty much the entire budget on every security widget the VAR had to sell. So when the real CISO arrived — the one who would have to answer to the board — much of the gear was still in boxes and he had no budget left for a team to manage it all. Now who could have seen this coming (I did! I did!)? Sadly, this is all too common out there.
- Business Objective Oblivion: The hourly rate security consultant will most likely not have a clue (or care) what the business objectives are. And this is a huge problem, because they are lying to themselves and to you about the value they provide. Business objectives drive metrics of success and are almost always accompanied by personal objectives. Without the skill set to extract the true business value, pretty much everything else they do is superficial. It’s just commodity value. But again, this describes the majority of the commodity information security consultants out there, so it is a very common deficiency.
Getting it right – the Security Consultant You Want
So here are my quick tips on getting the most out of the consulting space. You will do well to find those special resources who can come in and help drive extraordinary results.
- Recognize that the right consultants bring immense value. They are not competitive with you or your team(s) as they are not looking for a full time job. They need to bring their best game so that it leads to ever-better and more rewarding opportunities. Remember, improving your security situation is their mission.
- Treat leading VARs as purely transactional – “You have widgets to sell, give me the best price and I will get them from you.” This should not insult them in the slightest, as this is what they built themselves to do as their primary business model.
- Only use a consulting engineer to help implement something you are about to buy — or just bought. Nothing wrong with that. Fast knowledge transfer and accelerated success are expected.
- When faced with a choice to go with a value-based consulting firm (like ZecurityAscent) or an hourly-based consulting/contracting firm (like pretty much every VAR or contract agency out there), consider the value-based individual as the leading opportunity. This is the individual that will:
  - Sprint and finish first
  - Redefine value on business terms
  - Bring the wolf pack (affiliates that are of equal or greater value in highly focused areas, such as HIPAA or PCI)