[ISN] How to hire an IT security consultant

InfoSec News isn at c4i.org
Tue Apr 5 01:04:22 EDT 2005


By Robert G. Ferrell 
March 28, 2005 

Outsourcing IT security is all the rage these days. It's cheaper and 
more efficient, the prevailing theory goes, to farm out functions not 
directly related to your organization's core competencies. If you make 
nickel-plated widgets, for example, your staff must be expert in 
manufacturing, nickel-plating, and selling widgets, not in keeping 
14-year-olds out of your network. 

So, frazzled managers and executives often turn to consultants, hoping 
they'll swoop in, do their voodoo, and make the problem disappear. 
Sometimes it works out that way, but too often it doesn't. Choosing 
the right consultant, especially in the realm of IT security, will be 
entirely hit or miss unless you match exact, proven skill sets to the 
job at hand. 

That objective may seem obvious: You seek out people with specific 
skills to come in and do stuff your permanent staff can't handle or 
doesn't have time for. Consultancy, however, is an arcane beast, and 
an ocean of uncertainties lies just beneath the surface. 

Before beginning the selection process, evaluate whether you really 
need outside help. Managers can slip into a comfortable pattern of 
bringing in outside talent for any security initiative that seems out 
of the ordinary, a practice that sometimes proves highly problematic. 
Unless you're entering uncharted territory where your staff has 
neither the time nor expertise (and they acknowledge this), you're 
likely to generate resentment or trepidation when broaching the 
subject of consultants. The ego is a fragile thing; staff members may 
view the move as an indictment of their competency or work ethic. 
Therefore, it's vital to the success of every consulting process that 
you get total, voluntary buy-in from the troops who will be directly 
affected. Friction wears down the machinery, so be open and seek 
consensus from all parties involved. 

As a general rule, hiring the services of a security consultant is 
justified when:

1. The services you seek lie outside the expertise of your in-house 
staff. These might be strategic, operational, or administrative in 

2. You have a highly technical project and a deadline that renders the 
project beyond the abilities of your staff to complete it on time. 

3. You need an objective perspective of someone not enmeshed in your 
corporate politics and infrastructure.

There are other scenarios, but these are the Big Three, which can be 
helpful to emphasize if you encounter resistance.

You call yourself an expert? 

Information security is taking on new importance, as a flood of 
high-profile worms, viruses, Trojan horses, and Web defacements has 
companies and government agencies in a tailspin. The need for security 
services is at its peak, and this intense market pressure is creating 
a lot of instant "experts" with an impressive list of certifications 
but little practical experience in the down-and-dirty art of securing 
a network. 

To make realistic assessments, you must demand concrete proof of 
competency. Thoroughness is crucial when dealing with people who claim 
to be experts at computer security because snake oil abounds. As with 
any other field of human endeavor, there are good, reliable 
consultants who want to provide maximum return on your investment, and 
there are others who are far less conscientious. 


More information about the ISN mailing list