A Good Cybersecurity Consultant Never Uses the Word 'Recommend'

According to the Tinterwebs, to ‘recommend’ means to: put forward (someone or something) with approval as being suitable for a particular purpose or role.

So you might argue that this is exactly why you hire a consultant in the first place. In some professions I would absolutely agree. A doctor [for example] would not just recommend that you quit smoking, they would – and should – bloody-well insist. However, everyone on the planet already knows that smoking is stupid, so they are doing so with full knowledge of the possible consequences.

In other words, smokers are fully informed of the health risks (lung cancer, heart disease etc.), and they know exactly what to do about them (don’t smoke), and have therefore made an ‘educated’ – for want of a better phrase – decision to smoke regardless.

However, this type of ‘educated awareness’ is depressingly rare in the cybersecurity arena, where the recipients of the consulting have little to no idea of either the relevant risks or the appropriate mitigation. That’s why they have hired the consultant in the first place.

The problem is that consultants come in 4 distinct flavours:

  1. The ‘Auditors’: Auditors are extremely detail-oriented, and can (and do) write massively detailed reports on exactly what you’re doing wrong;
  2. The ‘Assessors’: are still very tied to the written instructions, but are better able to read the intent of the situation. They are subsequently better able to tell you why a thing is not right, as well as provide some limited guidance on how to fix it;
  3. The ‘Consultants’: are able not only to explain simply what you are doing wrong, but also 1) why it’s wrong, 2) what you should be doing, and 3) several options on how to fix it;
  4. The ‘Teachers’: approach every gig with a single goal in mind; to never have to repeat anything they do. These rare folks are able to enormously simplify the challenge at hand, and TEACH the client to fix it themselves.

…so you’re going to get radically different output from each (cumulative up the ‘ranks’):

  1. From the Auditor you’ll get nothing except a report with a pass/fail notification;
  2. From the Assessor you may get an indication of things they have seen work for other clients, but assessors tend to be too junior to really help;
  3. From the Consultant you’ll get ‘recommendations’ based upon their experience and possibly their individual biases. They can be well placed to help you fix what’s broken, but not always;
  4. From the Teacher you’ll receive everything you need to not only determine what you need to fix your own problem, but how to keep it fixed.

…which leads to VERY different guidance. For example: a client asks which firewall is recommended:

  • Auditor – “It’s not my place to say.”;
  • Assessor – “I’ve seen the [manufacturer] [model number] work here.”;
  • Consultant – “The [manufacturer] [model number] is the best fit here and here’s guidance on how to implement it appropriately.“;
  • Teacher – “Do you have a current risk assessment and control function gap analysis that has determined a firewall is really what you need? No? Let’s start there.”

Until you ask the right questions, you’ll never get the answers you need. Doing the work for our clients is doing them no favours, as we are the only real beneficiaries. While we are maintaining a nice income, we are doing so at our client’s expense. We need to be better than that.

Therefore I propose that it’s our job not to fix our clients’ problems [per se], it’s to educate. It’s to provide ‘options’ to fix the actual problem faced by our clients in the only context that makes sense; to the benefit of their business. I have never been asked for this, but it’s what I try to provide.

I’m not so naive as to think that a blog with fewer than 1,000 followers is going to make a difference in the multi-billion £/$/€ land-grab that is the cybersecurity industry, but if I can help just a few organisations do this properly I’ll consider it a success.


One thought on “A Good Cybersecurity Consultant Never Uses the Word 'Recommend'”

  1. Excellent analysis as usual! I think there is a place for the Auditor, Assessor, Consultant and Teacher in the overall cybersecurity program of an organisation. Each one brings different things and is needed for different situations. Relying solely on audit reports is no way to run a security risk management program for example.
