[ISN] How to hire an IT security consultant
isn at c4i.org
Tue Apr 5 01:04:22 EDT 2005
By Robert G. Ferrell
March 28, 2005
Outsourcing IT security is all the rage these days. It's cheaper and
more efficient, the prevailing theory goes, to farm out functions not
directly related to your organization's core competencies. If you make
nickel-plated widgets, for example, your staff must be expert in
manufacturing, nickel-plating, and selling widgets, not in keeping
14-year-olds out of your network.
So, frazzled managers and executives often turn to consultants, hoping
they'll swoop in, do their voodoo, and make the problem disappear.
Sometimes it works out that way, but too often it doesn't. Choosing
the right consultant, especially in the realm of IT security, will be
entirely hit or miss unless you match exact, proven skill sets to the
job at hand.
That objective may seem obvious: You seek out people with specific
skills to come in and do stuff your permanent staff can't handle or
doesn't have time for. Consultancy, however, is an arcane beast, and
an ocean of uncertainties lies just beneath the surface.
Before beginning the selection process, evaluate whether you really
need outside help. Managers can slip into a comfortable pattern of
bringing in outside talent for any security initiative that seems out
of the ordinary, a practice that sometimes proves highly problematic.
Unless you're entering uncharted territory where your staff has
neither the time nor expertise (and they acknowledge this), you're
likely to generate resentment or trepidation when broaching the
subject of consultants. The ego is a fragile thing; staff members may
view the move as an indictment of their competency or work ethic.
Therefore, it's vital to the success of every consulting process that
you get total, voluntary buy-in from the troops who will be directly
affected. Friction wears down the machinery, so be open and seek
consensus from all parties involved.
As a general rule, hiring the services of a security consultant is
1. The services you seek lie outside the expertise of your in-house
staff. These might be strategic, operational, or administrative in
2. You have a highly technical project and a deadline that renders the
project beyond the abilities of your staff to complete it on time.
3. You need an objective perspective of someone not enmeshed in your
corporate politics and infrastructure.
There are other scenarios, but these are the Big Three, which can be
helpful to emphasize if you encounter resistance.
You call yourself an expert?
Information security is taking on new importance, as a flood of
high-profile worms, viruses, Trojan horses, and Web defacements has
companies and government agencies in a tailspin. The need for security
services is at its peak, and this intense market pressure is creating
a lot of instant "experts" with an impressive list of certifications
but little practical experience in the down-and-dirty art of securing
To make realistic assessments, you must demand concrete proof of
competency. Thoroughness is crucial when dealing with people who claim
to be experts at computer security because snake oil abounds. As with
any other field of human endeavor, there are good, reliable
consultants who want to provide maximum return on your investment, and
there are others who are far less conscientious.
More information about the ISN