7 Essential Questions to Ask When Hiring an IT Security Consultant
Note: This post was written in 2014. We’ve written more content with new research since then, including Your IT Organizational Structure: Should You Centralize or Decentralize?
The increasing skill and audacity of cyber criminals poses a threat to all business owners. Massive breaches at huge firms such as Target may score all the headlines, but if you think hackers are only interested in big business, think again. According to a 2013 Symantec report, 31 percent of targeted attacks were aimed at businesses with fewer than 250 employees—three times the amount in 2012. Meanwhile, the cost of a breach can rapidly reach hundreds of thousands, if not millions, of dollars.
All business owners should take IT security seriously, but very few organizations can afford their own in-house security teams, and your own IT guy is probably not an expert in the bewildering array of security products and services out there. If you’re not confident in your systems’ defenses, it might be time to bring in a security consultant to advise you on how to best protect your business.
However, there’s a slew of IT security consultants out there—many of which speak their own baffling tech language. So how do you know if you’re choosing someone who is truly qualified?
We spoke to three IT security experts with years of experience negotiating between business needs and cybersecurity to find out the key questions you should ask when hiring an IT security consultant.
Our panel consisted of:
Jeff Williams, Co-founder and CTO of application security consultancy Aspect Security. Williams is one of the world’s leading experts in the field of application security.
Rick Doten, chief information security officer at DMI, and previously chief scientist at the Lockheed Martin Center for Cyber Security Innovation.
1. What relevant IT security experience do you have?
While many IT consultants arrive wielding resumes laden with impressive-looking credentials, this doesn’t mean they have any practical experience, our experts warn. (We’ll talk more about certifications later in this article.) In order to determine if they’re actually qualified for the job, Cutler recommends asking for “war stories”—what a consultant has done in the past for clients, rather than what they would do in a hypothetical situation.
When the consultant explains his experience, “ask him to make analogies,” Cutler says. “If I show you an iPad and say, ‘It’s got four giga of space on it,’ you’re not going to understand that. But if I explain that this space can hold enough songs to travel to the moon and back, then you understand that’s a lot of storage. The ability to articulate in plain language is important.”
Williams agrees that clarity of expression is essential, but says this is just one aspect. You must also be alert to how the consultant frames their experience, as what they emphasize will reveal their approach to uncovering the security dangers a business faces. “Listen very carefully to make sure they can articulate security risk at a business level,” he says.
For example, Williams cautions against consultants who are “really quantitative in their analysis,” or too heavily focused on using algorithms and mathematics to prioritize risks. Instead, the consultant should speak in layman’s terms to explain how they’ve been able to figure out which attacks pose the greatest risk to clients, and what steps they took to prevent them from occurring.
Doten also points out that while war stories are important, they’re better off coming from the consultant’s previous customers, whose contact details you should ask for. “[The consultant] is going to talk up his skills, but many haven’t actually done this work for clients yet,” he explains.
2. What is my organization’s biggest security risk?
Doten says many consultants are too focused on technology, and have a habit of recommending one-size-fits all solutions to security risks. “If a consultant says, ‘You need to buy this suite of tools and that will fix everything for you,’ that’s the wrong way,” he says. “You need somebody who understands that security is a risk-based approach and who develops policies to enforce a support procedure.”
Williams agrees that it’s crucial to make security decisions based on risk analysis, and says a consultant should be able to immediately identify what he calls “the business killer,” or the type of breach that would land your company on the pages of The Wall Street Journal.
“Typically it’s leaking credit card information, the site being down for extended periods or loss of intellectual property,” he says. “But so many companies don’t really have a handle on their core risks, which is why they make bad decisions about where to spend their limited security resources.”
According to Doten, you ideally shouldn’t even have to ask a consultant what your biggest risk is—the consultant should ask if you’ve had a risk assessment performed, and if not, when you will. The goal of this assessment is to ensure that the consultant develops a security solution customized to suit your unique business needs.
3. Who’s going to perform the actual work?
According to Williams, a common source of frustration with highly qualified IT consultants is that, once hired, they typically send a junior associate in their place to do the work.
“A lot of consulting organizations, particularly the big ones, will have the principal come out and talk to you—he’ll work out the scope of engagement and the deliverables, and you’ll think you’re in really good hands,” he says. “Then, when the job starts, they send a guy who’s right out of college.”
Doten says this can have disastrous effects, as these junior associates often lack practical experience. “We used to call them IROCs: Idiots Right Out of College,” he says. “The big firms would hire young, smart people and send them on jobs. And so many times, back when I was a consultant and I lost a job to somebody else, I’d get a call six months later saying, ‘I should have gone with you. These guys came in, they were a bunch of idiots and the report is ridiculous. Can you help clean this up?’”
Cutler also suggests conducting an online background check on the consultant, e.g. Googling their name to see what results come up and checking out their social media pages to make sure there are no obvious indiscretions or red flags.
4. How will you communicate with me about the work you do?
Our experts caution that many IT security consultants have a habit of shrouding their work in secrecy. Doten recalls one group of security experts he did business with who shut themselves away in a conference room and never communicated what they were doing, only unveiling their work at the end.
Williams has had similar experiences, and says that in cases where there is no communication, you will invariably be disappointed with the results. After all, he says, “How will you know at the end of the day that you’ve actually improved?”
To avoid this, Williams says it’s essential to ask the consultant to explain the work he will do, the policies and processes he will be recommending and what deliverables you will receive during each stage of the process. You should also clarify at the start where your organization plans to be at the end of the consultation, and how you’re going to measure progress toward that goal.
“[As a business owner] I’d want to know if breaches were occurring, if we were passing our security test cases and what percentage we were cutting our vulnerabilities by,” Williams says. “I’d also want to hear the consultant articulate things that are going to improve over time—things that we can measure at the beginning and the end.”
5. What will you need from my company to get the job done?
When it comes to determining how communicative an IT security consultant will be, there’s more to it than simply charting progress and measuring results. It’s also critical to determine what level of support the consultant will require from you and your workforce.
“If the consultant does his job right, he’s going to need a lot from the company he’s working for,” Williams explains. “He’s going to need to work with legal, IT, management, and other divisions within the organization. It might cost you $1 million just to do the things the consultant is going to want you to do.”
Getting all this information from the consultant upfront will help will help you decide whether to proceed with the consultancy or not. As Williams explains,“If you tell me it’s going to cost $5,000 to secure my house, that’s one thing, but if it’s $5,000 and my family has to move out and I need to eat all the food in the house, I might not want to do it—or I may decide to do it myself.”
6. Are you going to provide training for my employees?
All three experts agree this question is critical. As Williams puts it: “The consultant’s role is to teach the client to fish. Catch a fish, feed him for a day, but teach him to fish and you feed him for a lifetime. By the time the consultant is done, the company should be self-sufficient.”
Some consultants, however, may not want to educate their clients on how to uphold security measures once their work is done. “They want what they do to be perceived as magic so they get hired again,” Williams explains. “But that’s not the consultant I want to hire.”
Doten agrees. “What you want is to be able to ask, ‘Will you let me sit with you during the ethical hack?’ (An ethical hack is a method of testing computer and network security by attacking a computer system with its owner’s permission.) And you want the consultant to say, ‘Yes, we’ll let you sit with us, we’ll show you the tools and are happy to educate you.’”
You also want your employees to be trained on how to uphold and enforce security measures. However, security awareness training for employees can cost extra, and companies often cut corners by not spending the money.
This is big mistake, Cutler says. “End users are what hackers are going after—they want the low-hanging fruit. After all, why should a hacker spend a week hacking into your system when they can simply send your employees an email and get in under two hours?”
7. Have you ever taken down a network during testing?
Taking down a network means rendering your business network unavailable, or one of your servers unresponsive. Of course this is something a good consultant should never do, and is, according to Doten “the result of poor planning, incomplete information, or laziness.”
Nobody is perfect however and Doten says “it happens to even the best of us.” Of course, when this happens it can be a huge blow to a company, particularly one that relies on its website for all business transactions.
While consultants obviously don’t want to admit to having done this with previous clients, Doten says this is precisely what makes it a great question: it’s a test of the consultant’s honesty. There are many ways things can go wrong during testing and he adds: “I guarantee you they’ve done it before; it’s unavoidable.”
On the same note, Doten also recommends digging deeper into the consultant’s experience to learn about the challenges they’ve faced with past clients.
“Don’t tell me about the times you did an excellent job,” he says. “Tell me about the times you failed, and how you recovered from it. It’s like what they say about CEOs: do I want to hire a CEO who’s never faced adversity, or do I want to hire a CEO that’s been through three failing companies?”
IT Security Certifications: Do They Matter?
Many companies looking to hire a consultant expect to see IT security certifications on their résumé. However, our experts were split on whether these certifications have any real value.
For Doten, the quality of a consultant can be gauged by one thing alone: practical experience. “I see a lot of certifications and think, this guy is trying to prove that he knows what he’s talking about—but he hasn’t been doing the work,” he says. “What’s he been doing in training classes all this time?”
Williams agrees that experience trumps all. “There isn’t really a good way to measure whether people are good at security,” he says. “I’ve talked about security DNA for a long time and I feel there’s a small percentage of the population, maybe 1 percent, born with a different set of skills that allows them to do security work. There are a lot of people who can pass the tests and get a certification, but couldn’t find a vulnerability if their life depended on it.
Cutler has a slightly different perspective. He agrees that naive faith in certifications is a mistake, but argues that advanced qualifications do have value. “If you’re hiring a consultant for penetration testing, for example, then you want to find somebody who’s got an OSCP (Offensive Security Certified Professional), which is extremely hard to get. Once you pass that test, you really know what you’re doing.”