Information Security Needs Teachers, Not Consultants

This blog could just as easily be titled “Information Security Needs Teachers, Not Technology”, but I’ll pick on technology vendors some other time. Then again, it could also be teachers vs. anything-else-you-care-to-mention, because there is nothing in security that cannot be made easier, better, cheaper, more sustainable etc. by someone who passes on their skills to those who need them the most.

Their customer.

Teachers are rarely recent graduates of X University, or theoretical researchers at Y organisation (Gartner, Forrester et al.), and especially not a lot of the PCI QSAs I’ve come across. Teachers are the people who sit in front of their clients day in and day out trying to make themselves redundant. I use the phrase: “If you can’t do what I do at the end of this contract, I’ve failed.”

Even in 2016, information security expertise is a depressingly rare commodity, with few organisations able to afford the full, or even part-time retention of SMEs in-house. Instead, the vast majority of organisations hire consultants to help them through their security and/or compliance challenges. In and of itself this makes perfect sense, I have no issue with it, and have in fact made a career out of providing these services.

My issue is with those consultants who don’t teach their clients to do what the consultant was hired to do, perhaps with the assumption that the client will have no further need for the consultant’s input once the job is done. The fact is, if the client doesn’t renew the contract, it’s because either 1) they don’t care enough to accept the guidance given; 2) the consultant drained their available budget, or; 3) the consultant didn’t know what the Hell s/he was doing.

In a previous blog (The 4 Consultant Types: Know Which You Are, Know Which to Ask For) I detailed the 4 consultant types:

  1. The ‘Auditor’: Extremely detail oriented, and can (and do) write massively detailed reports on exactly what you’re doing wrong. And that’s it.
  2. The ‘Assessor’: Still very tied to the written instructions, but better able to read the intent of the situation, and subsequently better able to tell you why a thing is not right. And that’s it.
  3. The ‘Consultant’: I reserve this title for people who are able to not only explain simply what you are doing wrong and why it’s wrong, but what you should be doing AND provide several options on how to fix it. That’s it for them too.
  4. The ‘Teacher’: These rare folks are able to enormously simplify the challenge at hand, and teach the client to fix it themselves. And not just once, whatever the solution was, the Teacher will show the client how to maintain the fix, and how to implement a cycle of continual improvement in line with business goals.

The silly thing is that a good security teacher will never be out of work, no matter how hard they try to pass on their skill-set. Whatever s/he was hired to do for the first contract is invariably just scratching the surface of the work that needs to be done. A consultant may be asked to come back to repeat a task, but a teacher will be invited to help the entire business move forward.

Every security teacher aspires to be invited to take part in an organisation’s Governance committee, where the IT side and the business side have real conversations. Some call this a Trusted Advisor, but frankly I’ve never seen one who was not a teacher first.

If you think I'm wrong, please tell me why!
