Information Security Needs Teachers, Not Consultants

This blog could just as easily be titled “Information Security Needs Teachers, Not Technology”, but I’ll pick on technology vendors some other time. Then again, it could also be teachers vs. anything-else-you-care-to-mention, because there is nothing in security that cannot be made easier, better, cheaper, more sustainable etc. by someone who passes on their skills to those who need them the most.

Their customer.

Teachers are rarely recent graduates of X University, or theoretical researchers at Y organisation (Gartner, Forrester et al), and especially not a lot of PCI QSAs I’ve come across. Teachers are the people who sit in front of their clients day in and day out trying to make themselves redundant. I use the phrase: “If you can’t do what I do at the end of this contract, I’ve failed.”

Even in 2016, information security expertise is a depressingly rare commodity, with few organisations able to afford the full, or even part-time retention of SMEs in-house. Instead, the vast majority of organisations hire consultants to help them through their security and/or compliance challenges. In and of itself this makes perfect sense, I have no issue with it, and have in fact made a career out of providing these services.

My issue is with those consultants who don’t teach their clients to do what the consultant was hired to do, perhaps with the assumption that the client will have no further need for the consultant’s input once the job is done. The fact is, if the client doesn’t renew the contract, it’s because either 1) they don’t care enough to accept the guidance given; 2) the consultant drained their available budget; or 3) the consultant didn’t know what the Hell s/he was doing.

In a previous blog (The 4 Consultant Types: Know Which You Are, Know Which to Ask For) I detailed the 4 consultant types:

  1. The ‘Auditor’: Extremely detail oriented, and can (and do) write massively detailed reports on exactly what you’re doing wrong. And that’s it.
  2. The ‘Assessor’: Still very tied to the written instructions, but are better able to read the intent of the situation, and are subsequently better able to tell you why a thing is not right. And that’s it.
  3. The ‘Consultant’: I reserve this title for people who are able to not only explain simply what you are doing wrong and why it’s wrong, but what you should be doing AND provide several options on how to fix it. That’s it for them too.
  4. The ‘Teacher’: These rare folks are able to enormously simplify the challenge at hand, and teach the client to fix it themselves. And not just once: whatever the solution was, the Teacher will show the client how to maintain the fix, and how to implement a cycle of continual improvement in line with business goals.

The silly thing is that a good security teacher will never be out of work, no matter how hard they try to pass on their skill-set. Whatever s/he was hired to do for the first contract is invariably just scratching the surface of the work that needs to be done. A consultant may be asked to come back to repeat a task, but a teacher will be invited to help the entire business move forward.

Every security teacher aspires to be invited to take part in an organisation’s Governance committee, where the IT side and the business side have real conversations. Some call this a Trusted Advisor, but frankly I’ve never seen one who was not a teacher first.

The 4 Consultant Types: Know Which You Are, Know Which to Ask For

Q: What do you do?

A: I’m a consultant.

Nine times out of ten the asker of the question enquires no deeper, because they were either just making polite conversation, or they just don’t care. Or both.

The title of ‘consultant’ can hide all manner of sins, as it can be used to enhance the reputation of the unworthy, leading others to believe that their level of expertise goes as deep as the up-front appearances. It is, however, far preferable to ‘expert’, which is bandied around far too often and usually by the very people least equipped to do so.

The old cliché, “An expert is someone who knows 1% more than those around him”, is as true now as it’s always been. And if I’m honest with myself, so is “An expert is just somebody from out of town with slides”, but that’s a little too close to the mark.

Luckily, you don’t need to be an expert in anything to be a great consultant, you just need to know people who are experts, and when to apply them. For example, there are thousands of people who do every individual thing that I do, and do it many times better, but few can apply their overall knowledge, experience, and skill-set to a client’s maximum long-term benefit.

Terribly sorry, I’m British, so I should be more humble.

So what are the 4 consultant types?

  1. The ‘Auditor’: Auditors are extremely detail oriented, and can (and do) write massively detailed reports on exactly what you’re doing wrong. While this can be very useful in some scenarios, if you were looking for someone to tell you anything other than what is broken you have the wrong person. There will be no out-of-the-box thinking with an auditor: if you aren’t doing exactly what is written, you will fail the test. You will also receive very little in the way of help actually fixing the problems, so will likely end up paying someone else to finish the piece of work.
  2. The ‘Assessor’: Assessors are still very tied to the written instructions, but are better able to read the intent of the situation, and are subsequently better able to tell you why a thing is not right, as well as provide some limited guidance on how to fix it. As with the Auditor, you will likely require additional help to reach your goals, but if you are looking for a sanity check or [cringe] tick-in-the-box compliance with a standard like PCI, then Assessors are a reasonable choice. Mostly because they are cheaper.
  3. The ‘Consultant’: I reserve this title for people who are able to not only explain simply what you are doing wrong, but why it’s wrong, what you should be doing, and provide several options on how to fix what’s wrong. The Consultant’s experience will be such that they have seen close to your specific scenario many times, and can provide all the guidance you need to choose the right solution(s) as well as implement them appropriately. You might be thinking this is the ultimate, but it isn’t; there is a critical aspect missing from the Consultant’s portfolio, which is filled by:
  4. The ‘Teacher’: Teachers approach every gig with a single goal in mind: to never have to repeat anything they do. These rare folks are able to enormously simplify the challenge at hand, and TEACH the client to fix it themselves. And not just once: whatever the solution was, the Teacher will show the client how to maintain the fix, and how to implement a cycle of continual improvement in line with business goals. Above all, the Teacher will help you to always ask the right questions, which is half the battle.

In the PCI space for example, I can count the number of Teachers I have seen on one hand, and even Consultants are thin on the ground. I don’t blame the consulting companies for this, it’s the clients who are continually bitching about price and settling for the lowest bidders.

In consulting, more than in almost any other profession, you get what you pay for, and Consultants/Teachers are invariably cheaper in the long run.

Also, you will eventually get the type of consultant equivalent to the level of effort you put in finding one. If you end up with an idiot, it’s because you’re lazy.

Don’t know where to start? Ask.

Want to Save Money On PCI Compliance? Don’t Cheap Out On Your QSA.

Analogy: A family member needs surgery, and you have two doctors in a side-by-side bake-off. One is respected, enormously experienced, and expensive. The other is fresh out of residency, inexperienced, and cheap.

Whom do you go for?

Unless you’re a sociopath, you pay for the one with the greatest expectation for success. So by a similar (though far less life threatening) extension, why would you cheap out on your choice of QSA? Or any consultant for that matter?

Not only that, you probably expect the same results from every QSA, right? They all went through the standard training, so they should all be the same, right?

Are all doctors the same?

Like any profession, you have a MINIMUM standard to achieve before you start. For QSAs it’s 5 years in security (no-one lies on CVs/resumes, right?), OR a CISA/CISM/CISSP (anyone can read a book and pass a multiple choice test), AND pass the QSA test. I can, quite literally, take ANY person and get them to a point they can pass that test in one week.

Instead of focusing the QSA test on their domain knowledge (networking, encryption, policy formation etc.) it focuses on merchant / service provider levels and a bunch of other stuff that does not test the consultant’s security or auditing skills in any fashion that makes sense to me. Can they read a firewall ruleset to determine if they have met the intent of requirements 1.x? Can they look at a netstat and see if their OS configuration standards are being followed per requirements 2.x?

The answer to those questions is: not necessarily, and while I cannot think of one security consultant who is an expert on all 12 DSS sections (I suck at encryption and anything to do with coding for example), you need someone with real-world experience to measure your compliance against not only the standard, but its intent. And if that intent does not align with the goals of the business in question, the process falls apart.

When it comes to PCI, you’re paying for experience / guidance / been-there-done-that, otherwise you’re better served doing it yourself. At least you know the business better than the QSA ever will.

I wrote something resembling a white paper on Selecting The Right QSA For Your Business a few months ago, and will be building on this process over the next few months. Anything is simple if you know how to do it, but that’s the point: YOU probably don’t know how to do PCI, nor would you then know the right questions to ask to find someone who does.

This may sound like I’m trying to push you into hiring only the expensive guys, but that’s not it, it’s never just about the money, it’s about VALUE for, and appropriate USE of, money. The issue most often is that businesses choose their QSA based on price. They didn’t want to do PCI compliance in the first place (believe me, no-one WANTS to do PCI), and therefore settled for the lowest bidder.

In my fairly significant experience, the cheapest QSA up front rarely ends up being the cheapest in the end. These are the top 5 things to watch out for, and they reflect the SOPs of some of the less scrupulous vendors:

  1. Scope Creep – A proposal written in such a way that you THINK you’re buying what you need, but you end up having to buy additional services from them to finish the job;
  2. Cheap Labour – You get what you pay for, and if you pay pennies, you’ll get the least experienced QSA at their disposal (this one serves you right by the way);
  3. Pushing Other Services or Products – Some of the larger QSAs have entire suites of products and services they try and push your way. They will sell the QSA for cheap hoping to massively up-sell/cross-sell the more profitable managed services / products etc. This is permissible under the SSC regs., but hardly best practice, and in some cases not even ethical, especially when the products don’t even support your compliance;
  4. Lack of Appropriate Guidance – Achieving PCI compliance the first time is a project, staying compliant is a process. At no time during the assessment should there be roadblocks that are a direct result of the QSA’s inexperience. Projects that should take months often take years, and the additional costs can be significant;
  5. The True Cost of Compliance – Usually the most significant cost of a PCI project is the labour cost of internal resources. Performed correctly, PCI can have significant benefits in terms of improved security posture, but unless the resources are used efficiently, the cost to the business can be very significant, especially in terms of availability for initiatives related to transformation or innovation.

In the end, you will get what you pay for, and if you have not chosen your QSA based on best-fit, you deserve what you get. Choosing a QSA / consultant is relatively simple, and I believe that It Takes A Consultant, To Hire A Consultant.

If you need help, do your homework, then ask the opinion of someone with zero vested interest.


It Takes a Consultant, to Hire a Consultant

While this is most likely true in every industry, it is VERY true in cybersecurity.

Most organisations above the ‘corner store’ size have some form of ‘in-house’ IT support, even if it’s just the CEO’s brother-in-law, but only the larger organisation will have dedicated in-house security expertise. It’s simply too expensive.

However, most organisations need security expertise – usually when it’s too late unfortunately – so it’s crucial that they are able to define their specific needs in such a way as to attract the right suppliers of those services. Unfortunately, and all too often, the wrong questions lead to the wrong suppliers who provide the wrong services. If they gave you what you asked for, whose fault is it?

Instead, it makes sense to outsource the choice of your security services to someone best placed to judge: a security expert unhindered by organisational or employment commitments, i.e. they are not employed by a security company and are 100% ‘vendor neutral’ in terms of service or product ‘recommendations’.

Of course, you still have the problem of where to find this person, and ensure that they are the right person to make these choices on your behalf, and the responsibility for this due diligence must begin with the person most accountable. Whether this is the CEO, COO, or IT Manager or whatever, the individual who understands the business goals of the organisation needs to be the one asking the questions.

Many large organisations make the curious choice of allowing their purchasing departments to run the vendor selection process, often without specialist security input beyond the most basic of initial requirement definitions. This leads to an RFP that not only asks all the wrong questions, but also to reviews of the responses by people who don’t understand the answers. The choice is then often based on price and not capability, turning the whole thing into a debacle.

You don’t allow your dentist to choose which law firm you use to represent you, why would you have anyone other than a security expert define your security solutions?

Even your in-house security team is under certain limitations, and cannot be truly objective with regard to their choices. Whether it be pressure from above, fear of making a mistake, or vendor preference / bias, the choices are rarely the optimal result for the organisation. Nothing nefarious, just human nature.

The development of an overarching security program has many moving parts, and every step must be taken with a view to the end goals, the current needs (risk priorities), and the bit that’s often neglected: how each piece integrates with the next. The purchase of security services, and especially products/technology, must be based not only on cost, but on how it will be installed, maintained, managed, monitored, and measured.

This can only be performed by a Governance function that has access to, and guidance from, a true security expert.

I can’t say that I’ve come across a service like this, perhaps I’ll start my own…
