November 28, 2007, 11:43 AM — During the ITEC MasterMinds Security Panel in Philadelphia, an attendee asked
a great question. "Since I give these people the keys to my entire business,
how do I pick a good security consultant?"
Luckily, David Troup of MailFoundry (.com) and Jesper Jurcenoks of NetVigilance
(.com) were on the panel and gave excellent advice. Some details I expected,
but one caught me by surprise.
* Certifications from applicable vendors, mainly Cisco, lead the conversation.
If your primary vendor offers certifications, you'd look for those first, but
few vendors offer specialized security training. Hence, Cisco becomes the ticket
of choice.
* Referrals came second on the list for choosing a consultant. Don't just look
at the referral list; call the companies listed. Then ask if the security company
would be hired again. If not, keep looking for another consultant.
* Interestingly, Department of Defense accreditation was mentioned. That makes
sense, because the DoD knows a fair bit about security. If a security firm can
pass the DoD screening process, and keep their authorization after working for
a few DoD projects, they must be pretty good. They won't be cheap, but they
should be good.
* Also, I say don't trust "friends" of a high-ranking executive.
Since security consultants do access everything on your network, they can hide
as much as they reveal. If one of your idiot vice presidents became a criminal
vice president, that person would certainly recommend a "friendly"
security consultant. The referral would be an individual consultant, not one
of a group from a firm, to better hide what's really going on. Taking that one
step further, I don't trust individual consultants on large jobs because no
one watches the watchers.
* Taking paranoia one more step, I suggest never leaving the security consultants
alone for any length of time. Second, never let them brief only one executive.
Representatives from management, IT, Human Resources, and Legal should be in
every report meeting. Anyone trying to limit access should be examined even
more carefully.
* Finally, find a way to include executive desktops, laptops, and mobile devices
in every phase of the security examination. Not only do executives ignore security
procedures, they have access to more privileged information than anyone else.
Even idiot vice presidents can get clever when stealing company information
and money, so don't assume idiot means honest.
