The Ten Big No-No’s of Security Consulting
I originally published this article back in 2015. Unfortunately, as I am often reminded of it through the bad consulting practices that I keep witnessing and hearing about, I decided it might be time to republish it. Although this article addresses security consulting, the same principles apply to almost any type of consulting.
Many security consultants nosedive, not because of a lack of knowledge and technical expertise, but because they completely fail to understand the culture of the organizations they are consulting for. We know that every company is unique. Even companies that are identical in terms of product or service, location, and size differ in the level of risk they are willing to take, how they run their business, and what type of relationships they build with their employees, partners, and service providers. Attempting to change these parameters will undoubtedly lead to failure.
Consultants often forget who they are consulting for. While it might be the CEO of the company who invited you over and signed your contract, it is still the company, and not one person, that you are working for. Many security consultants concentrate on “buying” the CEO while forgetting to build good working relations with other players, both junior and senior. Building a network and encouraging good communication is crucial from a professional standpoint. Moreover, you might need friends who will put in a good word for you when the going gets tough. Although the CEO might want you to believe that the project is just between the two of you, s/he will undoubtedly ask others about your performance and build his/her opinion on it. Making people understand that the project is important for the company and for them personally, and showing them that you are doing a good job running it, is a must. Good communication should be your right hand, while walling yourself off in an office and playing hard to get will not take you far.
Charging Too Much
In security jargon, efficiency means achieving an objective regardless of the financial cost, while for business, a process is efficient only if it is also cost-effective. Advisers who fail to realize that their true role is not security consultancy but business consultancy with a twist of security, and who suggest pricey solutions with an unrealistic return on investment, have completely missed the point.
We often want to prove to the client that choosing us for the project was the right decision by displaying our expertise through complex and pricey solutions. However, many issues can be solved with minor adjustments that are free, quick, and simple to implement. Instead of concentrating only on complicated solutions, suggesting easy and inexpensive ways of closing gaps, which the client can typically implement by themselves, will do wonders for your reputation.
The “divide and conquer” principle has no place in consultancy. Trying to convince the CEO that the situation in the company is a total disaster, that all his/her associates, employees, and partners at every level are frauds, and that you are the only person who can solve the problem by turning the company inside out, will most certainly backfire.
Creating a Fortress
Some security consultants suffer from a combination of severe megalomania and a chronic case of Fort Knox Syndrome. The mindset of completely preventing all risk is an obstacle to a business that must take risks to stay ahead of the competition and survive. There is a clear association between risk and profit. In consultancy, overdoing it is as bad as under-performing.
One of the most common mistakes security consultants make is coming to the client with answers instead of questions. Assuming solutions before thoroughly assessing the problems directly contradicts everything consulting is about.
Instead of being completely devoted to finding solutions that will benefit the client, some consultants are devoted only to their personal agendas, such as adjusting reports and recommendations so that they fit a particular vendor or service provider. This is not only completely unethical but also easy to notice. As this is one of your client’s primary concerns, they will certainly pay attention to it.
Disregarding everything that existed in the security department before your arrival, without even assessing it first, and building everything from scratch will not only insult the client but also increase the cost of the project. Moreover, there is a good chance that some of the old concepts you decided to throw away would have been better and more usable than the new ones, or at least as good.
I was quite surprised when I realised that many security consultants produce faulty reports. Even more surprisingly, the feature that is most often left out is the actual conclusion. Giving a list of identified issues and a list of improvement actions will achieve nothing unless they are linked to a wider business concept and properly explained, well argued, and justified. Security is not a concept that can exist without a context – it is always “security of…” and “protection from…”. Writing a textual conclusion is the key feature of every good report.