March 22, 2001, 10:39 PM —
Bob Toxen's new book, Real World Linux Security: Intrusion Prevention, Detection, and Recovery, appeared on store shelves late last year. Toxen, now the president and CTO of Fly-By-Day Consulting, sports a colorful professional résumé with an abundance of highlights: he's the creator of the Sunset Computer, one of the 162 recognized developers of Berkeley Unix, one of the four developers who did the initial port of Unix to the Silicon Graphics hardware, and the software architect of the Netgear ND508 and ND520, as well as of the Kennedy Space Center PC space shuttle payload document network.
We held a discussion with Toxen in ITworld.com's Interviews forum and found out some of the perks and problems of the security consulting business. You can read the complete conversation there; what follows is an abridged version.
ITworld.com: How does the security business work for you, Bob? You obviously have plenty of knowledge that organizations need, but it can still be a challenge working out contractual relations so that everyone comes out a winner. How is security consulting different from other kinds of IT administration, development, or management? Should folks who want to work in the area prefer in-house employment to free agency, or vice versa?
Bob Toxen: The security business works well for me. Certainly, for me as for any consultant, contractual issues are a problem. Even with "ordinary" consulting, I've had to refuse unreasonable contracts and have lost the occasional project because of it. One company, with its corporate attorney still "wet behind the ears", insisted that I sign a new contract for an ongoing project that required me to indemnify them against any lawsuit by any customer over any software that I wrote or modified for them. This means that I would be financially liable even for suits without merit in code that subsequently had been altered by others or that had existing bugs before I touched it. Since the code was an online banking system being sold to large banks, I told the company "no" after I saw the contract. Fortunately, one of the company's founders overruled this lawyer. This has happened a few times since. I tell clients that I do a high-quality job but I'm not an insurance company.
Security consulting is not that different from the programming and system administration consulting that I've been doing for 10 years. Half of my sysadmin customers call me in a desperate panic because their systems are dead and they don't know what to do and there's valuable data on them or they're involved in online commerce. One recent call was received at 4:30 a.m. my time from another continent. (My office phone also rings at home to cover such emergencies.)
My advice to both types of clients is: please prepare for problems in advance. I can help you recover from a rm -rf / or security breach far faster and with far less overall cost if these everyday occurrences are prepared for ahead of time.
The difference between security consulting and ordinary consulting is that for ordinary jobs, if one leaves something out or does not know something, it can be added later or looked up somewhere else. But if I fail to close a hole in a security client's system, that system gets broken into.
Regarding those interested in being security specialists: all but the biggest entities will want a sysadmin who also has good security knowledge; my book certainly is good preparation. There are some good security courses but there is a lot of hype too. The largest entities have separate security departments and these might be good for those that want full-time security work.
Being a free agent consultant is hard work. Anyone can throw $700 at an attorney to create a corporation and have business cards printed up. Finding the work and -- more importantly -- not being burned on bad deals takes business sense and experience. Consulting also requires sacrifice to do right. I was about to sit down to dinner last night when a client called about a crashed system. I didn't get home until almost midnight. My client's people also worked into the night, but they could take turns being on call. This was a hardware problem that required some reconfiguration to work around. I once interrupted a vacation when a client did the above-mentioned rm -rf / and I had to spend days recovering his data from the free list; I was able to recover about 90 percent of it. He didn't back it up despite the fact that I had urged him to do so; he even owned a tape drive.
