Choosing a Security Consultancy

Tuesday, November 23, 2010

Javvad Malik


There are hundreds if not thousands of “Indian Restaurants” dotted around London. However, we all know that most of these places are not owned or run by Indians at all.

You have a large number of Bangladeshis or Pakistanis owning and managing these establishments. But for convenience there’s an unspoken rule that the owners will advertise their food as “Indian cuisine” and customers will always refer to it as going out for an Indian.

By and large, it is somewhat irrelevant whether you’re eating a genuine Indian meal or not. You just look for one that will fill you up and not burn your insides.

The same traits are displayed when organizations set out to hire an infosec consultancy. There are many consultancies out there. Most of them aren’t really geared towards security at all, which results in your organization’s intestines exploding and an empty wallet.

So, to help you out, here are some things to consider when choosing an infosec consultancy:

Know what you want

First off you need to decide why you actually need an infosec consultancy. Is it because the work can’t be done in-house? Or there are confidentiality issues? Or someone at the golf course just mentioned how their infosec team can sort out all of your problems?

Is it a real infosec company?

Many accountants, auditors, builders, pen-pushers, retired policemen, bankers, dolphin trainers, sperm donors and benefit fraudsters have somehow positioned themselves as infosec experts. But scratch beneath the surface a bit. Is this really a security company? Or another company trying to make some money off the security industry?

What’s their income model

This is a touchy subject for many organizations out there. Does the company actually have an income model based around making your company more secure? Or do they simply want you to feel as if you’re more secure, by writing huge reports designed simply to keep a regulatory body off your back?

Track record not personalities

Does the consultancy have a track record in delivering the type of security you’re specifically after? Or is it a consultancy solely built around a personality? It’s not to discredit infosec personalities in any way, shape or form. But unless that personality will be delivering the consultancy themselves, it’s highly unlikely that you’ll receive any advice close to the level you’ll be charged for.

Follow fads

Check up on their research. Is the consultancy chasing after virtualization one year and smart phones the next? Are they always looking over the horizon at the next emerging fancy threat, without having enough time to fix today’s bugs? Do their service offerings change depending upon that week’s press releases?

Keeping it simple

Does the consultancy continually publish papers about how to protect yourself from super-advanced techniques and exploits that very few people can actually develop, and most hackers will NEVER USE? It’s the simple stuff that works now, and will continue to work years into the future. Security need not be complicated.

Understand the limits

You cannot outsource blame. You HAVE to take responsibility for your organization’s mistakes, whether they be IT mistakes, vendor mistakes, or even mistakes made by your most trusted employees. These are all security choices. You don’t have to be an expert in security; you just have to make informed decisions to control your organization.

Cross-posted from J4VV4D

Jamie Adams: This is excellent information. I like how you get right to the point. I especially like "Or another company trying to make some money off the security industry?"

It is hard for people to discern between a real security company or a poser.

More importantly, the hiring company needs to know what they expect to get out of it besides a warm-fuzzy feeling that they simply hired "somebody".

Excellent information.