Security consulting not for the faint of heart
Bob Toxen's new book, Real World Linux Security: Intrusion Prevention, Detection, and Recovery, appeared on store shelves late last year. Toxen, now the president and CTO of Fly-By-Day Consulting, sports a colorful professional résumé with an abundance of highlights: he's the creator of the Sunset Computer, one of the 162 recognized developers of Berkeley Unix, one of the four developers who did the initial port of Unix to the Silicon Graphics hardware, and the software architect of the Netgear ND508 and ND520, as well as of the Kennedy Space Center PC space shuttle payload document network.
We held a discussion with Toxen in ITworld.com's Interviews forum and found out some of the perks and problems of the security consulting business. You can read the complete conversation there; what follows is an abridged version.
ITworld.com: How does the security business work for you, Bob? You obviously have plenty of knowledge that organizations need, but it can still be a challenge working out contractual relations so that everyone comes out a winner. How is security consulting different from other kinds of IT administration, development, or management? Should folks who want to work in the area prefer in-house employment to free agency, or vice versa?
Bob Toxen: The security business works well for me. Certainly, for me as for any consultant, contractual issues are a problem. Even with "ordinary" consulting, I've had to refuse unreasonable contracts and have lost the occasional project because of it. One company, with its corporate attorney still "wet behind the ears", insisted that I sign a new contract for an ongoing project that required me to indemnify them against any lawsuit by any customer over any software that I wrote or modified for them. This means that I would be financially liable even for suits without merit in code that subsequently had been altered by others or that had existing bugs before I touched it. Since the code was an online banking system being sold to large banks, I told the company "no" after I saw the contract. Fortunately, one of the company's founders overruled this lawyer. This has happened a few times since. I tell clients that I do a high-quality job but I'm not an insurance company.
Security consulting is not that different from the programming and system administration consulting that I've been doing for 10 years. Half of my sysadmin customers call me in a desperate panic because their systems are dead and they don't know what to do and there's valuable data on them or they're involved in online commerce. One recent call was received at 4:30 a.m. my time from another continent. (My office phone also rings at home to cover such emergencies.)
My advice to both types of clients is: please prepare for problems in advance. I can help you recover from a rm -rf / or security breach far faster and with far less overall cost if
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
