Outsourcing IT security is all the rage these days. It’s cheaper and more efficient, the prevailing theory goes, to farm out functions not directly related to your organization’s core competencies. If you make nickel-plated widgets, for example, your staff must be expert in manufacturing, nickel-plating, and selling widgets, not in keeping 14-year-olds out of your network.
So, frazzled managers and executives often turn to consultants, hoping they’ll swoop in, do their voodoo, and make the problem disappear. Sometimes it works out that way, but too often it doesn’t. Choosing the right consultant, especially in the realm of IT security, will be entirely hit or miss unless you match exact, proven skill sets to the job at hand.
That objective may seem obvious: You seek out people with specific skills to come in and do stuff your permanent staff can’t handle or doesn’t have time for. Consultancy, however, is an arcane beast, and an ocean of uncertainties lies just beneath the surface.
Before beginning the selection process, evaluate whether you really need outside help. Managers can slip into a comfortable pattern of bringing in outside talent for any security initiative that seems out of the ordinary, a practice that sometimes proves highly problematic. Unless you’re entering uncharted territory where your staff has neither the time nor expertise (and they acknowledge this), you’re likely to generate resentment or trepidation when broaching the subject of consultants. The ego is a fragile thing; staff members may view the move as an indictment of their competency or work ethic. Therefore, it’s vital to the success of every consulting process that you get total, voluntary buy-in from the troops who will be directly affected. Friction wears down the machinery, so be open and seek consensus from all parties involved.
As a general rule, hiring the services of a security consultant is justified when:
1. The services you seek lie outside the expertise of your in-house staff. These might be strategic, operational, or administrative in nature.
2. You have a highly technical project with a deadline your staff cannot meet on their own.
3. You need an objective perspective of someone not enmeshed in your corporate politics and infrastructure.
There are other scenarios, but these are the Big Three, which can be helpful to emphasize if you encounter resistance.
You call yourself an expert?
Information security is taking on new importance, as a flood of high-profile worms, viruses, Trojan horses, and Web defacements has companies and government agencies in a tailspin. The need for security services is at its peak, and this intense market pressure is creating a lot of instant “experts” with an impressive list of certifications but little practical experience in the down-and-dirty art of securing a network.
To make realistic assessments, you must demand concrete proof of competency. Thoroughness is crucial when dealing with people who claim to be experts at computer security because snake oil abounds. As with any other field of human endeavor, there are good, reliable consultants who want to provide maximum return on your investment, and there are others who are far less conscientious.
So, let’s be crystal clear on this point: Certifications do not equate to technical competency. At best, they’re indicators of a general grasp of the concepts and nomenclature of infosec. At worst they’re useless and dangerously misleading. I’ve encountered certified individuals who wouldn’t know a buffer overflow from a header file and who were being paid $200 per hour to perform code reviews merely because they were certified. I’ve also seen certified individuals hired to secure networks despite the fact that they think the *nix tool ipchains is an example of a stateful inspection firewall.
The purpose of most certifications is to produce income for the certifying body. Repeat after me: Certifications do not an expert make. On the other hand, an absence of certifications is not necessarily an indicator of incompetence. The bottom line is, Don’t allow yourself to be distracted by letters after a name. HR reps seem to like them because they make their jobs easier; if called on the carpet, they can point to the résumé and say, “But look at these certification credentials!”
What is important is the consultant’s depth of knowledge about the issues involved in your particular situation. Take, for example, the common need to secure a corporate enterprise. A competent consultant would be intimately conversant with the mechanics of security on your network as well as the psychology of those who wish to attack it. The latter is often overlooked, but any hunter can tell you that if you don’t understand your prey, you’re probably not going to stumble across any, much less come home with one strapped to the hood of your SUV. For the ill-equipped consultant, threat analysis is too esoteric to be applicable to a straightforward project such as installing a firewall or building an IDS. But throwing up defenses willy-nilly without considering the nature of potential threats is foolish and wasteful.
I recall one instance in which a security engineer installed a carefully considered IDS consisting of only a few sensors placed at critical points throughout the enterprise. Each sensor’s coverage did not overlap. The resulting data could be rapidly and efficiently analyzed, and potential threats could be identified with minimal effort. Not long after, another certified security specialist decided to justify the expense of having been hired at an artificially inflated salary by putting sensors on every single node in the network. This resulted in a flood of highly redundant data, rendering the system largely useless without a team of full-time data analysts working to sort and interpret the avalanche of false positives. Eventually the organization scrapped the entire system at considerable cost and started over, having realized too late that quality and strategic finesse are the keys to successful intrusion detection, not quantity and data overload.
Different job, different skills
If you are hiring a consultant to create or revise security policies and/or procedures, however, you must look for an entirely different skill set. In these cases, someone with certifications might actually be a good place to start because this sort of knowledge can be assessed to a certain extent using standardized tests. Even here, however, alphabet soup does not guarantee competency. Real-world experience is the key issue; the more closely it matches your particular requirements, the better. When hiring, managers should always grill prospective consultants for specifics about their background and their work with previous clients.
Another important but often overlooked consideration is scheduling. If your project has a firm deadline, be certain that the consultant agrees to meet it. Ask for a detailed work proposal and evaluate its feasibility honestly. It can be extremely frustrating — not to mention damaging to your credibility — to spend a great deal of time and effort convincing senior management that hiring a consultant is the right move only to have the project come in late.
Speaking of scheduling, if your calendar allows you to wait for proven individuals to become available to work on your project, put time on your side. If your peers rave about particular consultants who have successfully pulled off the same initiative you now face, patience is a virtue.
Bringing a consultant on board is fundamentally a matter of trust. You are opening your business assets to scrutiny by an outsider. It’s imperative to thoroughly check references before signing on the dotted line. Look for objectivity, professional demeanor, and, above all, confidentiality. There’s no point in securing your intellectual assets from electronic theft if your consultant walks away with a copy of them on removable media.
The consequences of making a poor choice can reach beyond wasted time and money. If you hired a consultant to rewrite your security policies and these turn out to be a poor fit for your organization, you may find yourself with little recourse in the event of violations if those policies are not clear about what is and is not permitted on your network. If you hire someone to design and implement your multiple-campus, enterprisewide access control system and he or she is incompetent or dishonest, you could find yourself with backdoors, logic bombs, poor password schemes, faulty or missing encryption, and other woes resulting from inadequate skills or criminal behavior.
Admittedly, these are worst-case scenarios, but forewarned is forearmed.
Robert G. Ferrell is an information security researcher and author living just outside San Antonio, Texas.