Tuesday, May 29, 2007

Clueless Consultants

I'm seeing a common "business of security" theme today, following my post The Peril of Speaker-Sponsors. Ira Winkler writes in If You Have to Ask, You Shouldn't Be Asking:

[S]omeone once attended a presentation that I gave on penetration testing, and then contacted me a year later with an e-mail that basically said, “I finally talked a client into letting me perform a pen test. I don’t know what to do, how to do it, what to charge, or any special legal language that should be in the contract.” My response was basically, “You shouldn’t do the work...”

In today’s message, a consultant from a very large integration firm sent out a message saying that one of their clients wants to scope out integration of a NOC/SOC. He gave a very wide variety of requirements for the facility, and then wanted feedback from a wide variety of people not associated with his company. While I am normally all for helping out a colleague, this person should have either sought this info inside his own organization, which has access to such experts, or just told the client he doesn’t have a clue and to go elsewhere.

I see this problem all the time, in two forms. First, I am frequently asked to perform a variety of tasks for which I do not consider myself an expert. Blog visitors, book readers, and students sometimes expect me to be an expert in another area of security after seeing my work in network security monitoring, network forensics, incident response, and related subjects. When asked to work outside those areas, I always refer the work to colleagues whom I consider to be experts in the task in question. In return, my colleages pass me work they would prefer me to do.

Second, I know many service/consulting companies who will take any job, period. They are managed by people who only care about making "bodies chargeable," preferably over 100% for the week. (That means billing over 40 hours of work to a client, per consultant, per week.) The consultants (1) suffer silently, for fear of losing their jobs; (2) think they can become experts in anything in "10 minutes" (I hear that often); or (3) don't realize that they are clueless, and probably never will. The end result is the service delivered to the client is sub-par at best, or a disaster at worst.

I agree with Ira' last statement:

[T]he mark of a good consultant is one who knows when to turn away work.

In light of that wisdom, consider asking the following question when shopping for a consultant:

What work would you not want to do?

If the answer is "nothing," then walk away.


Anonymous said...

This post reminds me of a quote from my favorite college professor. He said there are three types of people in this world;

Those who know they know and they are OK.

Those who know they don't know and they are OK as well.

Those who don't know they don't know and these are the ones to watch out for.

Kai Roer said...

Hi Richard,
I could not agree more!
It is very important to know your areas of expertise and build a network of resources to shift the projects you are not able to deliver yourself.
A client of mine once said that he was so darn tired of hot shot consultants that had to Google for the answers. He could do that himself! And of course he could! He needed experts to take care of problems quickly and with high quality, not to do the job he knew perfectly well himself.
I think there are two sides of the problem - one is the billing-side - 100% billing rate, the other is consultants not realizing they are making a fool of themselves (and of course the company not realizing the same).
But - I must say that when people ask you for help, them may not allways expect you to do the job yourself, they may be more than happy if you can point them to someone who can.
I wish you all a perfect day!


John Ward said...

Maybe the old saying should be changed to "Those who don't know consult"...

In regards to the above posters comments, depending on the field, no everything can be memorized in your head. Would your client have preferred if the consultant referenced a book instead of Google? If you have a body of knowledge at your disposal, shouldn't you use it? Thats a bit elitist. If he was tired of hot shot consultants, maybe he should stop hiring them.

Chris Buechler said...

I've been thinking for years about how I need to write up a stock reply to people who post to the pen-test mailing list with stupid questions. If they need to ask that question, they need not be doing the work. Period.

At least once or twice a month somebody pops in with almost the exact same pen test question as quoted above, it wrenches my gut every time and still irks me though I've seen it for years...

oleDB said...

I think your dead on with your assessment. I place most of the blame on the companies that hire these twits. They apply the infamous "Checkbox" mentality to security, combined with the desire to save a buck. This results in a false sense of security and generally leads to disaster and more consultants. I don't see anyway to fix it though, along as companies continue to be lazy and uneducated about their security and continue to "go cheap", there will be a market for security charlatans.

http://www.architectsban.webs.com said...
This comment has been removed by a blog administrator.