Security Consultants and Lawyers: Don't Trust Them to Manage Risks

Why neither can really give you the risk management you need.

The other day, the subject of lawyers came up while I was stuck in traffic, listening to a business podcast in my car. The podcaster was discussing how lawyers only provide a certain, limited value for their business clients, considering how high their fees can be. While he spoke, it struck me that many people depend on lawyers too much for "protection from risks."

Perhaps this is one reason why lawyers get a bad reputation: They are misused. I started thinking about how this is also a problem with security consultants, and their reputations. When you make a quick tally, the number of similarities between lawyers and security consultants is almost scary:


1) Lawyers are pretty expensive if you pay them by the hour. So are security consultants, and their clients never let them forget it. (See also: How to Corral Security Consultants)

2) If risk is a common issue in your business, it can be very worthwhile to hire lawyers as permanent employees. The same goes for security consultants. In fact, many are not really cut out to be in business for themselves at all.

3) Lawyers will usually tell you what the safest thing to do is, assuming you don't want to be exposed to any risk. (See also: Five Security Missteps Made in the Name of Compliance) Security consultants have a habit of thinking the same way. Just when you think you've covered all the issues, there's John at the back of the room with his finger waving at the sky saying, "Just one more scenario that you may not have considered..." (as all the eyes start to roll back in everyone's heads).

4) Lawyers are good at coming up with wording that will protect you in almost every conceivable way. Bulletproof is the word that comes to mind. Security consultants, left unattended, have been known to propose a Fort Knox solution when management was thinking more of a corner store ATM budget.

5) If you pay them enough for travel and meals, most lawyers will come and visit you in your place of business. I haven't met many security consultants who wouldn't take on an engagement in any location for the right fee, or any fee, for that matter.

6) Lawyers and security consultants don't usually accept much, or any, responsibility for the failure of a business initiative that they provided advice on. They always have a disclaimer that says, essentially, "It is YOUR responsibility to accept the risks that go with your decisions." Now, in case you're thinking you can solve that problem by making them a business partner, or giving them a piece of the action, here's an interesting thing to consider. While a joint venture agreement will likely get them thinking a bit more positively, don't be surprised if your lawyer is smart enough to put an escape hatch in the JV agreement, something like this: "Despite the fact that I'm on your team, you should really get Independent Legal Advice." So, you're back to square one. Security consultants aren't that smart, however, and may be convinced to take on some of the risk in the venture. (They don't get invited to be partners very often.)

7) Both lawyers and security consultants have a pretty shallow view over a broad range of businesses; an inch deep and a mile wide, you might say. They see many examples of situations that can and do occur in real business environments. Often, they are called in at the last minute to solve a problem. But they have not been involved in the entire business process that led to that problem. They try not to make you feel too stupid when they say, "It's too bad you didn't call me in before you decided to do this. But, don't feel bad. It's a common mistake."

Despite this rather cynical look at lawyers vs. security consultants, I'm not negative on them at all. After all, I am one (or was until my colleagues read this article). But in reality, any expert advisors on risk can bring along the same pitfalls. It is good to have an objective viewpoint on the situation to give you a shot of reality. But it really is ultimately your responsibility to decide on whether your approach presents acceptable risk for your business.

Input from anyone at a point late in the process of rolling out a business initiative has to be discounted a bit, simply because they were not intimately involved in the process. It's a bit of a paradox because if you don't look for objective outside viewpoints every once in a while you risk getting trapped in something psychologists call "groupthink". This occurs when everybody in the room agrees or supports an idea for various reasons, so it becomes a foregone conclusion that the idea is, in fact, a good one, when it may not be.

The paradox is summarized in a short, but sweet quote by the late author John Gardner: "Pity the leader caught between an unloving critic and an uncritical lover."

As an example, imagine that everybody on the team of executives, managers, developers and sales people believes the market for an "Ethics-in-a-Box" software product is set to take off, in light of apparently spiraling business morality trends (hypothetically speaking). But if the team had a market research analyst in the room, they might realize some more subtle undercurrent in the market is about to undermine their key assumptions; e.g., perhaps the tipping point in values triggered by the hit TV series Mad Men is approaching. Or maybe the entire team just discounts the worst case scenario out of ignorance.

Groupthink has probably been a factor in most new product failures throughout history. Everybody seems to think it is a good idea, but some important fact or risk has not been considered. The key is in understanding which risks, from a wide range, are important, and what you can do to mitigate them.

While it would be nice to be able to afford a lawyer and a security consultant in every aspect of a business initiative, it would obviously be expensive. But having experts review your situation on a regular basis, throughout the business cycle, is still feasible, as long as they are able to learn quickly and temper their critical urge to emphasize every possible risk. The project won't get far with a bunch of naysayers. You need people with a "can-do" attitude. But they have to be able to put risks in perspective and be willing to listen.

It's far more helpful for lawyers and security consultants to offer "critical success factors" than to simply shoot down ideas as being "risky". So, you would really like them to say, "I've seen that approach fail before because, traditionally, any product trying to sell ethics does poorly... But if this is something you really want to do, you could try getting an endorsement from Lee Iacocca or the Pope... and perhaps have a contingency plan in place in case the product doesn't sell, like giving it away to non-profits and taking a tax deduction for the list price." (Is that ethical? Not sure.)

With this in mind, the next time you hear a lawyer or security consultant say "you will get sued if you do that" or "that's too risky", think about how intimately involved they were in your business decisions to that point, and think about how often they get called in to fix something after bad decisions have already been made.

Business people who have a "can-do" attitude and a healthy respect for risks are encouraged to share their views and experiences, and to focus on identifying the "critical success factors" for navigating the risks in any situation. In the end, no matter who you hire as an expert, the business owner still shoulders the risks. So you should do everything that's economically feasible to understand them, and your options. One of the reasons I started The Streetwise Security Zone was to enable managers and teams to obtain a broader viewpoint on risks in business on an ongoing basis, for a relatively small investment. The cumulative value to all members will hopefully grow over time.

Scott Wright is a security consultant, writer, speaker, and podcaster based in Ottawa, Canada. He is founder of The Streetwise Security Zone web site and podcast, as well as The HoneyStick Project, and writes a blog called "Scott Wright's Security Views."


This story, "Security Consultants and Lawyers: Don't Trust Them to Manage Risks" was originally published by CSO.
