Surprising advice on picking a good security consultant
During the ITEC MasterMinds Security Panel in Philadelphia, an attendee asked
a great question. "Since I give these people the keys to my entire business,
how do I pick a good security consultant?"
Luckily, David Troup of MailFoundry (.com) and Jesper Jurcenoks of NetVigilance
(.com) were on the panel and gave excellent advice. Some details I expected,
but one caught me by surprise.
* Certifications from applicable vendors, mainly Cisco, lead the conversation.
If your primary vendor offers certifications, you'd look for those first, but
few vendors offer specialized security training. Hence, Cisco becomes the ticket
of choice.
* Referrals came second on the list for choosing a consultant. Don't just look
at the referral list; call the companies listed. Then ask if the security company
would be hired again. If not, keep looking for another consultant.
* Interestingly, Department of Defense accreditation was mentioned. That makes
sense, because the DoD knows a fair bit about security. If a security firm can
pass the DoD screening process, and keep their authorization after working for
a few DoD projects, they must be pretty good. They won't be cheap, but they
should be good.
* Also, I say don't trust "friends" of a high-ranking executive.
Since security consultants do access everything on your network, they can hide
as much as they reveal. If one of your idiot vice presidents became a criminal
vice president, that person would certainly recommend a "friendly"
security consultant. The referral would be an individual consultant, not one
of a group from a firm, to better hide what's really going on. Taking that one
step further, I don't trust individual consultants on large jobs because no
one watches the watchers.
* Taking paranoia one more step, I suggest never leaving the security consultants
alone for any length of time. Second, never let them brief only one executive.
Representatives from management, IT, Human Resources, and Legal should be in
every report meeting. Anyone trying to limit access should be examined even
more carefully.
* Finally, find a way to include executive desktops, laptops, and mobile devices
in every phase of the security examination. Not only do executives ignore security
procedures, they have access to more privileged information than anyone else.
Even idiot vice presidents can get clever when stealing company information
and money, so don't assume idiot means honest.
ITworld.com
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
VMware ESX Server in the Enterprise
By Edward L. Haletky
Published Dec 29, 2007 by Prentice Hall.
Enter now! | Official rules | Sample chapter
Green IT
By Toby Velte, Anthony Velte, Robert C. Elsenpeter
To be published Oct. 10, 2008 by McGraw Hill Professional
Enter now! | Official rules | About the book
