Dirty IT security consultant trick No. 3: Knowledge bluffing
How many times has a consultant claimed to be an expert in a particular area, only to have their bluff unmasked because they muff the correct use of technical terms?
Sometimes you don't even have to dig too deep or ask them anything technical. One of my favorite encounters with this particular practice was when a "certified novel expert" showed up to help my company with its Novell network. I kid you not. The guy claiming to be the master at a particular technology couldn't even pronounce the name correctly. It'd be funny if it weren't so embarrassing.
Dirty IT security consultant trick No. 4: Full-court sales press
Rushing decisions reeks of recommended sales tactics. How many times have we heard this: "Hey, I'll give you 20 percent off the regular pricing if you buy today, before the end of our quarter."
It doesn't bother your security consultant that it's the 13th of the month and you're thinking his company has a weird fiscal calendar. I don't know about you, but whenever I'm offered a discount to buy by a particular day, I always wait until after the day and expect the same discount.
I'm sure buying early would help make their bonus bigger -- but I don't care about their bonus. I care about my company. If they want a bigger bonus, they had better make me feel like I'm an idiot for not implementing their product today. An appeal to their own financial gain is the least of my concerns, especially if I feel they're trying to rush my thoughtful consideration.
Dirty IT security consultant trick No. 5: Eye candy
I don't mind vendors bringing beautiful people to a sales meeting, as long as they're knowledgeable about the product. But when these trophy salespeople are clueless about the offering and have little to no experience in the industry, they're wasting a seat in the conference room.
Employing models at a security conference is one thing. But when we've moved beyond handing out brochures and have begun the product demo and question-and-answer session, it's time to get serious. Sway me with knowledge and experience, not a pretty smile.
Dirty IT security consultant trick No. 6: Recommending tiny solutions to specific problems for big money
Ever have a consultant pitch you a new, whiz-bang product that's just great at detecting XYZ? "It's a complex issue that is hard to stop, but this product does it better than anything else."
Before you sign up for this expensive, targeted solution, ask yourself two questions: Has your company been exploited by XYZ before, and is your company likely to be exploited that way in the future?
If the answer is no to both of these questions, then reconsider the purchase no matter how awesome the solution.
Dirty IT security consultant trick No. 7: Travel bribes
They come in and insinuate that if you buy their product they will be able to "recommend" you as a visitor to their annual conference meeting in some exotic locale: "Buy our expensive IPS and you'll have a week in Maui coming up soon."
Or they fund an expensive "networking" trip for you before you buy the product.
I can't say I really hate this technique, even though what your consultant is suggesting is usually unethical and sometimes illegal. Who doesn't want to visit a nice vacation spot, stay in a five-star hotel, and eat in restaurants they could never otherwise afford?
Of course, it always pisses off the consultant when you decide not to buy. When I get offered something that might be mistaken for a bribe, I think it's best if I don't buy any product, just so no one gets the wrong idea. But thanks for the trip!