Do It Yourself Security: Cutting Our Umbilical Dependence on the Consultant Community

A long while ago I had a business card identity that branded me as a Security Export Consultant.

I had given my card to a friend, who promptly asked me, "What's a consultant do exactly?" and therein lies the eternal question...

Recently, I was reading a fantastic article about the collective disdain for blind dependence on consultants. Successful CIOs and CSOs are squaring off against vagaries and ambiguity, and demanding demonstrable expertise and ROI. These heretofore untouchable management types are getting down and dirty with the best of their IT staff in an effort to stem financial squander. Quite frankly, I like this approach very much.

In small increments and in specific circumstances, consultants are absolutely essential to the success of complex projects. Sometimes a company doesn't have the technical expertise to launch a network-wide overhaul. Sometimes a company does have the expertise, but those folks are overtaxed (which is often the case) by staggering workloads and unrealistic demands. Efficiency and technological overhaul are two of the areas in which consultants inhabit a remarkable space. Never mind that efficiency and technological overhaul are in direct contrast to one another. Hiring the right consultant can make all the difference in project completion. The wrong one can also destroy you.

I cannot place the blame entirely on those crafty consultants that over-inflate their billable hours, time to completion and expertise. It's a conundrum. I feel sympathy for the corporations that have been taken in, but I also feel that in any properly run project, there are status reports to be had. In my humble opinion, if I were to see that one month into my three-month project I was running two months over budget, it would catch my eye. I attribute this type of flagrant oversight to the blind faith we have had in those consultants, and in their unique ability to have exploited our trust. The corporations can tear their garments over the millions they've lost on unworthy consultants, but how does that happen exactly and just who signs the check?

To be fair, there are multitudes of extremely educated, honest and technically competent consultants in the security industry. I know several of them quite well, and I'd let them tear down my infrastructure any day! They are personable, provide excellent follow through, and can provide workable solutions to the most vexing of problems. What bothers me are the people posing as consultants. People that proffer their "expertise" in areas which they clearly know little about. You know who I'm talking about, and it's my guess you've spoken to a few yourself. Those under-experienced consultants that get themselves speaking engagements, long-term contracts and fat wallets at the expense of the company. They're being 'found out' and it's a nice thing to see.

I'm witness to an exciting trend brewing among some of the well-known consultant/analyst groups. They are systematically doing away with the overzealous blowhards. Customer satisfaction is key to survival in this and any industry, but having to sell knowledge as a commodity and not actually having any, is deadly. Among the reputable set, they are making a great effort to weed out those pseudo-consultants, robots on fire, in favor of providing real value-added expertise to their clients.

Today's companies often have excellent IT staff and a wealth of collective technical experience. The biggest downfall has always been the human bandwidth available to do the rollouts and upgrades. There is the matter of monitoring new systems, evaluating processes, determining proper methodologies, going live with all new databases... it's overwhelming, and easy to turn to the consultants for help and a comfortable shoulder to cry on. Unfortunately, providing those shoulders has cost corporations millions in unexpected budget hits and missed project deadlines. It's the combination of false expertise and poor corporate project management that creates a losing scenario.

CIOs and CSOs are moving toward setting goals and milestones that no longer include an outside firm. Better yet, they are assisting their teams in meeting those goals. Disappearing are the days of backordered mystery equipment and magical contractor overtime. The land was rife with consultants promising to psychoanalyze your network, positing solutions for every critical issue they encountered. It's a wonder corporations haven't burst into flames what with all the consulting that's apparently needed.

Hiring a bad consultant to run your project is akin to unleashing a miasma of doom. It's critical to have checked out their references, access to cutting edge technology, and their vision, juxtaposed against your corporation's own goals. Companies can no longer afford to blindly trust consultants. Some of them have well-founded reasons, and some have been run through the mill and burned in the trust process. It's refreshing to see participation from the higher ups. It's a wondrous thing when the CIO combs over an invoice with incredulity. Better still that he should not approve the hours billed for the sole purpose of standing in the server room and admiring all the pretty wires.

For years, the IT department has been engaged in a tremendous cycle of love-hate with consultants. On the one hand, they can prove to be incredibly valuable. They can draft complex network architecture, plan and implement near flawless rollouts, and take up the slack for network monitoring and intrusion detection. When in doubt, they can provide endless insight with vendor and product selection. On the other hand, they can alienate the team of people they were hired to assist. They can often forget to include the IT department in their decision making process, funneling dollars into glorious projects that they alone believe in. The muffled cries of the IT administrators echo off the walls of the empty test lab long after the consultants have mysteriously gone away.

It's a good thing to see technologists reclaiming their territory. Well, not so much reclaiming, but trying to work it themselves in the first place. It's an alien landscape of Gannt charts, milestones, and the dreaded (but so necessary!) budgets. I salute these IT pioneers. They go bravely forward, willing to fight the battle without their consultants. Trudging onward with little hope, installation after installation... and what better reward at the end of the day, than to have the entire company using Windows 2000... all at the same time...

Melisa LaBancz is a San Francisco area security journalist, well known for her umbilical dependence on nonsense.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.