Outsourcing IT security is all the rage these days. It’s cheaper and more efficient, the prevailing theory goes, to farm out functions not directly related to your organization’s core competencies. If you make nickel-plated widgets, for example, your staff must be expert in manufacturing, nickel-plating, and selling widgets, not in keeping 14-year-olds out of your network.
So, frazzled managers and executives often turn to consultants, hoping they’ll swoop in, do their voodoo, and make the problem disappear. Sometimes it works out that way, but too often it doesn’t. Choosing the right consultant, especially in the realm of IT security, will be entirely hit or miss unless you match exact, proven skill sets to the job at hand.
That objective may seem obvious: You seek out people with specific skills to come in and do stuff your permanent staff can’t handle or doesn’t have time for. Consultancy, however, is an arcane beast, and an ocean of uncertainties lies just beneath the surface.
Before beginning the selection process, evaluate whether you really need outside help. Managers can slip into a comfortable pattern of bringing in outside talent for any security initiative that seems out of the ordinary, a practice that sometimes proves highly problematic. Unless you’re entering uncharted territory where your staff has neither the time nor expertise (and they acknowledge this), you’re likely to generate resentment or trepidation when broaching the subject of consultants. The ego is a fragile thing; staff members may view the move as an indictment of their competency or work ethic. Therefore, it’s vital to the success of every consulting process that you get total, voluntary buy-in from the troops who will be directly affected. Friction wears down the machinery, so be open and seek consensus from all parties involved.
As a general rule, hiring the services of a security consultant is justified when:
1. The services you seek lie outside the expertise of your in-house staff. These might be strategic, operational, or administrative in nature.
2. You have a highly technical project and a deadline that renders the project beyond the abilities of your staff to complete it on time.
3. You need an objective perspective of someone not enmeshed in your corporate politics and infrastructure.
There are other scenarios, but these are the Big Three, which can be helpful to emphasize if you encounter resistance.
You call yourself an expert?
Information security is taking on new importance, as a flood of high-profile worms, viruses, Trojan horses, and Web defacements has companies and government agencies in a tailspin. The need for security services is at its peak, and this intense market pressure is creating a lot of instant “experts” with an impressive list of certifications but little practical experience in the down-and-dirty art of securing a network.
To make realistic assessments, you must demand concrete proof of competency. Thoroughness is crucial when dealing with people who claim to be experts at computer security because snake oil abounds. As with any other field of human endeavor, there are good, reliable consultants who want to provide maximum return on your investment, and there are others who are far less conscientious.