Overarching: Security consultants: When are information security consultants used?
Options:Option 1: Never.
Option 2: When they have specialized expertise beyond internal capabilities.
Option 3: When internal capacity is inadequate to short-term needs.
Option 4: When an objective outside opinion is desired.
Option 5: To make protection decisions for the enterprise.
Decision:IF the enterprise has adequate internal expertise, time, and diversity of opinion in information protection, THEN Never bring in a consultant.
OTHERWISE bring in an information security consultant to fill the gaps in expertise, time, and diversity of opinion.
ALSO NEVER bring in a consultant to make decisions for the enterprise.
There are three basic reasons that companies hire consultants of any sort; a lack of time, expertise, or perspective. While convenience is sometimes cited, this really translates into a combination of time and expertise. In some cases consultants are also hired for political reasons, such as hiring an executive's relative or a prestigious outside firm to review your books, but even this rarely flies without at least some degree of justification based on one of the three basic reasons.
Nobody knows everything there is to know about information protection, and on occasion, bad things happen that are too hard to manage with available staff, either because of time or expertise limits. It is a rare company that has no internal disputes, but some companies are good at handling these internally. Finally, almost any company can benefit from an outside opinion of their information protection posture. Otherwise, you lose perspective over time.
True security expertise is a rare commodity today. It usually takes at least 2 years of experience before security practitioners become reasonably well qualified at simple security tasks. For more skilled advisers, at least ten years of relevant experience seems necessary in order to gain in-depth understanding of the issues. To make good management decisions and also have outstanding technical knowledge is a true rarity. Unless your staff includes this sort of expertise in the area of interest, outside assistance may be the only way to address critical security concerns.
When you are short on available time and have many specific tasks to do, second tier security consultants will often be adequate, under proper guidance. Most security consulting firms have these sorts of people available to do work. An appropriate supervisor is usually required to manage them as well. These are generally different people than the people brought in when expertise is the critical factor in the decision.
For objective outside opinions, it is almost always important to have true experts. In these cases, some companies make the mistake of hiring the expert for internal political purposes of validating one or another point of view. Any expert worth having will not bend to political pressures and will give a straight answer. These are the same experts that are typically used for option 2.
Using consultants for making enterprise decisions is never a sound approach. While executive management may reasonably rely on outside opinions in making their decisions, they cannot cede the responsibility for the decisions to others. If they allow others to make those decisions for them, they are not acting in a reasonable and prudent fashion in fulfilling their fiduciary role for the enterprise. This is true at every level.