Sat May 17 10:30:31 PDT 2014

Overarching: Security consultants: When are information security consultants used?


Option 1: Don't bring in an information security consultant.
Option 2: Bring in information security consultant.


There are three basic reasons that companies hire consultants of any sort: a lack of time, expertise, or perspective. While convenience is sometimes cited, this really translates into a combination of time and expertise. In some cases consultants are also hired for political reasons, such as hiring an executive's relative or a prestigious outside firm to review your books, but even this rarely flies without at least some degree of justification based on one of the three basic reasons.

Nobody knows everything there is to know about information protection, and on occasion, bad things happen that are too hard to manage with available staff, either because of time or expertise limits. It is a rare company that has no internal disputes, but some companies are good at handling these internally. Finally, almost any company can benefit from an outside opinion of its information protection posture; without one, an organization loses perspective over time. For these reasons, option 1 is rarely a good choice except for very small companies with very little information technology dependence.

True security expertise is a rare commodity today. It usually takes at least 2 years of experience before security practitioners become reasonably well qualified at simple security tasks. For more skilled advisers, at least ten years of relevant experience seems necessary in order to gain in-depth understanding of the issues. Someone who makes good management decisions and also has outstanding technical knowledge is a true rarity. Unless your staff includes this sort of expertise in the area of interest, outside assistance may be the only way to address critical security concerns. The cost of such a consultant is on the order of $3000 per day or more. Some charge up to $8000 per day, but charging a lot doesn't by itself make someone a real expert.

When you are short on available time and have many specific tasks to do, second tier security consultants will often be adequate, under proper guidance. Most security consulting firms have these sorts of people available to do work for costs ranging from $75 to $150 per hour. An appropriate supervisory level person to manage them will typically run anywhere from $150 per hour to $250 per hour. These are generally different people than the people brought in when expertise is the critical factor in the decision.

For objective outside opinions, it is almost always important to have true experts. In these cases, some companies make the mistake of hiring the expert for the internal political purpose of validating one point of view or another. Any expert worth having will not bend to political pressures and will give a straight answer. These are the same experts that are typically brought in under option 2 when expertise is the deciding factor.

Calling in an executive's relative is almost universally a poor idea for at least two reasons.

No top-flight expert with a long and spotless history will enter into such an engagement with a large business without prior disclosure of the relationship and proper acceptance and management of the process by independent parties within the organization.


Security consultants are normally brought in for lack of time, expertise, or objectivity. They cost on the order of $1000-$2000 per day when they are providing primarily time, and typically cost more than $3000 per day when they are used for expertise or objectivity.

Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved