This is part one of a continuing series about how to use information security consultants effectively.
Before you rush off and burn that budget on a couple of weeks' worth of consulting, it is important to spend a little time figuring out why you need a consultant in the first place and what exactly you want them to accomplish.
You probably do NOT want a penetration test; for the reasons why, check this article.
Are you getting a consultant to satisfy some third party assessment requirement? If all you need is a check box (and not quality) it might be in your best interest to go with the cheapest provider available. This way you can spend that budget someplace that will get you more bang for your buck. Of course, if you are looking for more than a check mark, go with the best consultant you can afford.
If you are implementing a new complex system, like a SIM, multi-sensor IDS, or Web Application Firewall, it can be very advantageous to bring in an expert in the space to get the project off on the right foot. Numerous times I have been called in to clean up messes that could have easily been avoided with a little up front planning and design. Having a trusted expert on call to help make product recommendations can also be helpful; just be on the lookout for obvious conflicts of interest, like when the IBM Global Services consultant says you need a million dollars worth of ISS scanner licenses or the Microsoft Consulting guy says all your problems will be solved with more AD servers. These suggestions might be a good idea, but you have to keep the source in mind.
If you do not currently have an information security policy, bringing in a consultant to jump start this process can be very helpful, especially if you have never built one before. Keep in mind they are going to be able to lay good groundwork for you, but you are going to have to mold it to fit your business. This holds true for any policy or process you have built by a consultant: you know (or should know) your business better than any third party you will bring in. It can be helpful to get an external perspective, but ultimately your business has to live with the policy/process on a daily basis.
There are many things you don’t need consultants for.
Yearly assessments, unless required by regulations, are dead. If you are not assessing your network and applications on a continuous basis you are asking for big trouble. When I say assess, it can be as simple as using a good quality network scanner and a <shameless plug> outsourced web assessment service </shameless plug>. If you are doing this, by the time the rubber stamp regulator assessment gets started you should have 0 surprises.
Writing code. I see this happen far too frequently. A security consultant gets involved in a project and at some point it is decided that some code needs to be written. Everyone stares at the expert in the room, and generally the security consultant will commit to it given a high enough price tag. The security consultant does not want to do it (hence the high price), they are not set up to do it (there is a reason they are not coding for a living!), and they are generally going to deliver some pretty crappy code. Get a developer to write code, end of story.
Consultants can provide tremendous value if they are chosen for the right projects.
- Don't ask them to do things that are not core competencies, because at the end of the day consultants will do just about anything, as long as the bill rate is high enough.
- Choose quality when needed, cost when it is not.
- Be wary of the consulting arms of product companies; they are incentivized, either directly or indirectly, to recommend their company's products.
