Surprising advice on picking a good security consultant
During the ITEC MasterMinds Security Panel in Philadelphia, an attendee asked
a great question. "Since I give these people the keys to my entire business,
how do I pick a good security consultant?"
Luckily, David Troup of MailFoundry (.com) and Jesper Jurcenoks of NetVigilance
(.com) were on the panel and gave excellent advice. Some details I expected,
but one caught me by surprise.
* Certifications from applicable vendors, mainly Cisco, lead the conversation.
If your primary vendor offers certifications, you'd look for those first, but
few vendors offer specialized security training. Hence, Cisco becomes the ticket
of choice.
* Referrals came second on the list for choosing a consultant. Don't just look
at the referral list; call the companies listed. Then ask if the security company
would be hired again. If not, keep looking for another consultant.
* Interestingly, Department of Defense accreditation was mentioned. That makes
sense, because the DoD knows a fair bit about security. If a security firm can
pass the DoD screening process, and keep their authorization after working for
a few DoD projects, they must be pretty good. They won't be cheap, but they
should be good.
* Also, I say don't trust "friends" of a high-ranking executive.
Since security consultants do access everything on your network, they can hide
as much as they reveal. If one of your idiot vice presidents became a criminal
vice president, that person would certainly recommend a "friendly"
security consultant. The referral would be an individual consultant, not one
of a group from a firm, to better hide what's really going on. Taking that one
step further, I don't trust individual consultants on large jobs because no
one watches the watchers.
* Taking paranoia one more step, I suggest never leaving the security consultants
alone for any length of time. Second, never let them brief only one executive.
Representatives from management, IT, Human Resources, and Legal should be in
every report meeting. Anyone trying to limit access should be examined even
more carefully.
* Finally, find a way to include executive desktops, laptops, and mobile devices
in every phase of the security examination. Not only do executives ignore security
procedures, they have access to more privileged information than anyone else.
Even idiot vice presidents can get clever when stealing company information
and money, so don't assume idiot means honest.
ITworld.com
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
