The IT security world is full of charlatans and wannabes. And all of us have been "advised" by at least one of them.
All you want in an IT security consultant is expertise, unbiased advice, and experienced recommendations at a reasonable price. But with some, you get much more than you bargained for.
[ Verse yourself in 9 popular IT security practices that just don't work and 10 crazy security tricks that do. | Find out how to block the viruses, worms, and other malware that threaten your business, with hands-on advice from expert contributors in InfoWorld's PDF guide. | Keep up with key security issues with InfoWorld's Security Central newsletter. ]
For example: Big-ticket items that solve tiny problems you don't have. Surprises about the feature set after you've already signed the dotted line. Disregard for your deadlines or what happens to your systems once the work is done.
It's often challenging to see the shady practices coming. After all, those who employ them sometimes work for the most prestigious firms, have the friendliest handshakes, express compassion for your security woes. Some aren't even malicious; they just don't know how to efficiently solve your problems.
Here are 14 dirty IT security tricks to be aware of before you bring in that outside consultant or vendor. If you have experienced one of these or have another to offer, share it in the comments (add a comment).
A funny TV commercial once depicted a couple of tech consultants getting nervous when asked to help deploy the solution they just designed. "Hey, we're only consultants!" they retort.
Like most "Dilbert" cartoons, there's more than a little bit of truth at work here: Many consultants have never deployed the solutions they are selling.
We've all encountered this ploy, either in the form of an outright lie about hands-on experience or just an IT consultant who is less forthcoming than they should be about how often they roll up their sleeves and get work done.
If you want to avoid consultants who employ this trick, just ask, "How many times have you implemented the specific solution you are recommending right now?" Then follow it up: "Can I have references?"
Some IT security consultants are all too ready to describe their solution as the one solution you've been waiting for to solve all (or most) of your IT security problems.
Not that they take the time to even listen to your problems. Their eyes glaze over anytime they aren't actively speaking. They can't wait to interrupt you to start in again about this wonderful solution they've brought to you in the nick of time.
There's just one problem: None of the consultant's past customers has solved all their security problems.
When you ask a consultant employing this tactic whether prior customers solved their security issues, he'll say yes. When you ask for customer references, he'll look surprised, give you caveats, and push you not to call them. If you do call and find out the truth, wait to hear the consultant claim the installation failed because the customer didn't implement the solution the way he told them to, customized it too much, or simply didn't listen to him.
Don't be fooled by claims of incompetence when it comes to previous customers.