If you are hiring a consultant to create or revise security policies and/or procedures, however, you must look for an entirely different skill set. In these cases, someone with certifications might actually be a good place to start because this sort of knowledge can be assessed to a certain extent using standardized tests. Even here, however, alphabet soup does not guarantee competency. Real-world experience is the key issue — the more closely it matches your particular requirements, the better. When hiring, managers should always grill prospective consultants for specifics about their background and their work with previous clients.
Another important but often overlooked consideration is scheduling. If your project has a firm deadline, be certain that the consultant agrees to meet it. Ask for a detailed work proposal and evaluate its feasibility honestly. It can be extremely frustrating — not to mention damaging to your credibility — to spend a great deal of time and effort convincing senior management that hiring a consultant is the right move only to have the project come in late.
Speaking of scheduling, if your calendar can wait for proven individuals to become available to work on your project, then put time on your side. If your peers rave about individual consultants who successfully pulled off the same initiative you have in front of you, patience is a virtue.
Bringing a consultant on board is fundamentally a matter of trust. You are opening your business assets to scrutiny by an outsider. It’s imperative to thoroughly check references before signing on the dotted line. Look for objectivity, professional demeanor, and, above all, confidentiality. There’s no point in securing your intellectual assets from electronic theft if your consultant walks away with a copy of them on removable media.
The consequences of making a poor choice can reach beyond wasted time and money. If you hired a consultant to rewrite your security policies and these turn out to be a poor fit for your organization, you may find yourself with little recourse in the event of violations if those policies are not clear about what is and is not permitted on your network. If you hire someone to design and implement your multiple-campus, enterprisewide access control system and he or she is incompetent or dishonest, you could find yourself with backdoors, logic bombs, poor password schemes, faulty or missing encryption, and other woes resulting from inadequate skills or criminal behavior.
Admittedly, these are worst-case scenarios, but forewarned is forearmed.
Robert G. Ferrell is an information security researcher and author living just outside San Antonio, Texas.