14 dirty IT tricks, security pros edition
The IT security world is full of charlatans and wannabes. And all of us have been "advised" by at least one of them.
All you want in an IT security consultant is expertise, unbiased advice, and experienced recommendations at a reasonable price. But with some, you get much more than you bargained for.
For example: Big-ticket items that solve tiny problems you don't have. Surprises about the feature set after you've already signed the dotted line. Disregard for your deadlines or what happens to your systems once the work is done.
It's often challenging to see the shady practices coming. After all, those who employ them sometimes work for the most prestigious firms, have the friendliest handshakes, express compassion for your security woes. Some aren't even malicious; they just don't know how to efficiently solve your problems.
Here are 14 dirty IT security tricks to be aware of before you bring in that outside consultant or vendor. If you have experienced one of these or have another to offer, share it in the comments.
Dirty IT security consultant trick No. 1: Feigning practical experience
A funny TV commercial once depicted a couple of tech consultants getting nervous when asked to help deploy the solution they just designed. "Hey, we're only consultants!" they retort.
Like most "Dilbert" cartoons, there's more than a little bit of truth at work here: Many consultants have never deployed the solutions they are selling.
We've all encountered this ploy, either in the form of an outright lie about hands-on experience or just an IT consultant who is less forthcoming than they should be about how often they roll up their sleeves and get work done.
If you want to avoid consultants who employ this trick, just ask, "How many times have you implemented the specific solution you are recommending right now?" Then follow it up: "Can I have references?"
Dirty IT security consultant trick No. 2: Proposing one solution for all
Some IT security consultants are all too ready to describe their solution as the one solution you've been waiting for to solve all (or most) of your IT security problems.
Not that they take the time to even listen to your problems. Their eyes glaze over anytime they aren't actively speaking. They can't wait to interrupt you to start in again about this wonderful solution they've brought to you in the nick of time.
There's just one problem: None of the consultant's past customers has solved all their security problems.
When you ask a consultant employing this tactic whether prior customers solved their security issues, he'll say yes. When you ask for customer references, he'll look surprised, give you caveats, and push you not to call them. If you do call and find out the truth, wait to hear the consultant claim the installation failed because the customer didn't implement the solution the way he told them to, customized it too much, or simply didn't listen to him.
Don't be fooled by claims of incompetence when it comes to previous customers.
Dirty IT security consultant trick No. 3: Knowledge bluffing
How many times has a consultant claimed to be an expert in a particular area, only to have their bluff unmasked because they muff the correct use of technical terms?
Sometimes you don't even have to dig too deep or ask them anything technical. One of my favorite encounters with this particular practice was when a "certified novel expert" showed up to help my company with its Novell network. I kid you not. The guy claiming to be the master at a particular technology couldn't even pronounce the name correctly. It'd be funny if it weren't so embarrassing.
Dirty IT security consultant trick No. 4: Full-court sales press
Rushing decisions reeks of recommended sales tactics. How many times have we heard this: "Hey, I'll give you 20% off the regular pricing if you buy today, before the end of our quarter."
It doesn't bother your security consultant that it's the 13th of the month and you're thinking his company has a weird fiscal calendar. I don't know about you, but whenever I'm offered a discount to buy by a particular day, I always wait until after the day and expect the same discount.
I'm sure buying early would help make their bonus bigger -- but I don't care about their bonus. I care about my company. If they want a bigger bonus, they better make me feel like I'm am an idiot for not implementing their product today. An appeal to their own financial gain is the least of my concerns, especially if I feel they're trying to rush my thoughtful consideration.
Dirty IT security consultant trick No. 5: Eye candy
I don't mind vendors bringing beautiful people to a sales meeting, as long as they're knowledgeable about the product. But when these trophy salespeople are clueless about the offering and have little to no experience in the industry, they're wasting a seat in the conference room.
Employing models at a security conference is one thing. But when we've moved beyond handing out brochures and have begun the product demo and question-and-answer session, it's time to get serious. Sway me with knowledge and experience, not a pretty smile.
Dirty IT security consultant trick No. 6: Recommending tiny solutions to specific problems for big money
Ever have a consultant pitch you a new, whiz-bang product that's just great at detecting XYZ? "It's a complex issue that is hard to stop, but this product does it better than anything else."
Before you sign up for this expensive, targeted solution, ask yourself two questions: Has your company been exploited by XYZ before, and is your company likely to be exploited that way in the future?
If the answer is no to both of these questions, then reconsider the purchase no matter how awesome the solution.
Dirty IT security consultant trick No. 7: Travel bribes
They come in and insinuate that if you buy their product they will be able to "recommend" you as a visitor to their annual conference meeting in some exotic locale: "Buy our expensive IPS and you'll have a week in Maui coming up soon."
Or they fund an expensive "networking" trip for you before you buy the product.
I can't say I really hate this technique, even though what your consultant is suggesting is usually unethical and sometimes illegal. Who doesn't want to visit a nice vacation spot, stay in a five-star hotel, and eat in restaurants they could never otherwise afford?
Of course, it always pisses off the consultant when you decide not to buy. When I get offered something that might be mistaken for a bribe, I think it's best if I don't buy any product, just so no one gets the wrong idea. But thanks for the trip!
Dirty IT security consultant trick No. 8: "One last thing"
I hate this trick most of all. The consultant brags and brags about a particular solution, even demos its awesomeness. It is awesome. You'll take 10 of them. Then after you've convinced management to allocate the money to buy it, the consultant tells you a tiny fact that crushes all the advantages.
I've been told after signing a contract that the data storage I was shown in the demo, which I thought was part of the product, is extra. After signing a contact, I've been told the solution has a few bugs. Those bugs, it turns out, invalidated the product. I've been told, after the fact, that the solution doesn't work as well on my wider enterprise, though the consultant was very familiar with my environment. I've had consultants leave out annual service costs, mandated upgrades, and all sorts of details that tipped what I thought was a good decision to become a bad decision.
And they tell you the new information with a smile.
Dirty IT security consultant trick No. 9: Ignoring your deadline
From the outset, you tell the consultant or vendor your drop-dead date for finishing a particular implementation or project. They work with you, gain your trust, and their solution seems perfect for your company. You place your order, and all of a sudden they don't have a product, installers, or trainers that can fit your schedule. It's hurry up and wait.
You wonder how they didn't hear you repeatedly at the beginning when you asked if they could make the date expectations you were directed to meet. Their changing date forces you to make another purchase decision, eat into another budget, or reschedule a major vacation. It's never fun.
Dirty IT security consultant trick No. 10: Promoting product -- and getting kickbacks
We expect consultants to be impartial and to recommend the best solutions for our companies. Lots of consultants make extra money from their "partners" to push particular solutions. We get that. But pushing a product without telling you about the possible conflict of interest goes beyond the pale.
I remember one consultant, many years ago, who advised me on what networking equipment to buy. He didn't tell me that he was getting a vendor kickback, and after we became "friends," or so I thought, he tricked me into buying more network equipment than I could ever have used. It was enough network ports for three times the number of Ethernet runs I needed.
To this day I have memories of all that equipment, hundreds of thousands of dollars' worth, sitting unused in a backroom storage area. It was my mistake. The consultant? He bought a brand-new boat that year.
Dirty IT security consultant trick No. 11: Knowingly recommending products that will be discontinued
Twice recently I've encountered customers who were lured into buying solutions just months before their end of life.
In one case, it was high-speed networking equipment. The other was a network access control solution. Each spent megadollars to deploy what ended up being a discontinued product. In one instance, the consultant later let it slip that he was suspicious the solution was going to be discontinued because he had heard all the developers were let go last year.
Isn't that a tidbit you might want to know before making a buying decision?
Dirty IT security consultant trick No. 12: Saying one thing, signing another
One thing consultants are very good at is translating your needs into a vendor's purchasing nomenclature. This is especially important when customizing or purchasing a partial solution. You want X of this and Y of that, and the consultant ensures these needs are met, cutting through any possible miscommunication.
Except when they don't.
No matter how many times you're told what you're going to get, make sure it's part of the contract. Too often, the product arrives, the project is supposed to begin, and something is missing -- something expensive. The customer goes back to the vendor and finds out the consultant didn't include a particular item on the contract.
The consultant will retort that they were clear about what was and wasn't on the contract, even if you are dead sure what they said verbally was different. Then you have to come up with the additional budget to get what you want or otherwise scratch the entire project.
Dirty IT security consultant trick No. 13: Shortchanging accountability
Doctors take an oath to do no greater harm to their patients than when they first arrived. I wish consultants had a similar oath.
Too often consultants implement projects poorly, leaving their customers to endure service outages in their wake. Knowing that the only thing that changed in your environment was what the consultant just installed is of no consequence. That just moves the consultant to openly wonder whether something unrelated is causing the outage on the very system they messed with.
Insist on a contract that makes your consultant accountable for unexpected service outages due to no fault of your own.
Dirty IT security consultant trick No. 14: Consultants who make big changes before leaving
Lastly, my favorite consultant trick is the one where they make a major change just before they get on a plane home for the weekend or take an extended vacation. Sure, the resulting outage isn't always their fault, but if you're going to make big changes to an IT network, do it a few days before you skip town. Nothing is worse than having to leave multiple, unanswered emails and phone calls to a consultant while your user base is experiencing downtime.