Monday, May 24, 2010

Horses for courses: On being a consultant

I know this title might sound really funny/wanky/whatever, but I have wanted to write it for a while, from my perspective of transitioning from in-house security to being a security consultant. Most of my mates in security have been consultants almost exclusively, or haven't worked security at a single organisation as permanent staff for some time. Also, I don't know if anyone reading this hates the "suits" (I know I did at one point) - but I'm going to write from my own experiences and hope that people take away something from this. I've been a consultant now for about seven months - enough time to get a feel for it. I think there are a few things I've learned.

Way back when I first started in IT, part of what I liked (apart from the tech) was the fact that the techs got to pretty much work whatever hours they wanted and the dress code was pretty liberal (this was back in the late 90s btw). At one point, I made it a mission statement to see how far I could get in my career wearing tracksuit pants, and I used to sneer at those who turned up wearing suits.

Anyway - fast forward to today. I wear a suit and tie every day (except for Fridays, generally). I don't know if I'll ever get used to it. I get home and change back into my tracksuit gear every day. But what I have learned is that being a consultant is actually an honour. As twisted as that may sound to some, it's the truth.

As security consultants, we're typically called in when there is massive pain in an organisation. Conficker outbreaks, systems hacked, credit card breaches, impending audits, project failures, skills shortages - you name it. We get pulled into hairy situations and we're expected to solve them.

As a consultant I have a sense of professional pride in what I do. We help customers deal with that pain, drawing upon our own experiences - what we know technically, what we've seen in the field, what we know to work (as well as what doesn't) - leveraging our own skills and drawing on those of our employer or our client as needed. Every site, every situation represents a new puzzle that needs to be solved. I tell my manager to throw me into any situation that comes up. I love that challenge and I get a kick out of helping people in these situations.

One of the things I really enjoy about consulting is that, having been in-house security for so long, I feel I am able to empathise with the client. I've sat in their shoes, I know their pain. I know what it's like to have no budget, no direct purchase authority, to be understaffed or underskilled for some of the challenges, to be chucked into the deep end and expected to swim. It seems like a hopeless war that can never be won (certainly not something I care to return to, that's for sure!). There is almost no situation I haven't seen, and none I don't think I can help deal with. From having to champion security requirements, find sponsors, internal mentors and budget, to dealing with auditors - the whole bit. But no matter where I go, I know I can help.

However, what has surprised me is that not many consultants have had the same or similar experience I have - having seen something a consultant has proposed, implemented it and seen it through to completion. So I guess I have a very different perspective on things, which is why I try to take a very pragmatic view on consulting and security.

Some people aren't suited to consultancy either. I've met some people who are technically brilliant but aren't able to reconcile that expertise with real-world scenarios. Like consultants who recommend disabling wireless for the CIO because it's "not secure". Or consultants who tell clients that they're wasting their time on T&M engagements because the client isn't giving them "challenging work". This attitude sucks, and it's these people who give consultants - and in fact entire companies - a bad name. You know what? The simple fact is that this work isn't for everyone, and that's fine. It takes all sorts to make the world go round.

Personally speaking, I think consulting is a worthwhile experience for just about anyone, even if you come to realise quickly that you hate it and you hate dealing with clients directly. Awesome, move into vulnerability research, programming, engineering - hell, move on to professional writing if that's what you want to do! Just whatever you do, move on to something that doesn't revolve around having excessive client contact.

Personally (for now at least!) I love the work. I have had the good fortune of working very closely with some brilliant consultants and managers lately and they constantly inspire me to lift my game. It is their professionalism, attention to detail and watching them apply their skills to helping clients that has really rubbed off on me. It is they who have really drilled it into my head what it means to be a consultant, the difference between being correct and being pragmatic and what it truly means to have a sense of pride about your work.

I remain skeptical of some companies recruiting people straight out of uni into consulting, or even before they graduate. I personally think you need real-world experience. Granted, there are exceptions (and I can think of a few), but unless the person has some serious skills, there is something fundamentally NQR about getting a n00b to walk into an organisation and tell them how to suck eggs. I know managers who will not recruit people into consulting roles unless they have a consulting background or extensive experience in security - and that, I think, is a good policy to maintain (although others may disagree).

Anyway, while we all have our challenging days, consulting is one of those things where every engagement represents a new challenge, a new problem to solve, a new company that you can help. In some cases you may not be able to bring about effective change - that might be something only the client can do themselves. But at least each site offers you a new experience you can learn from. Or as someone once put it to me "you get to see all the companies you DON'T want to work for". :)

Hey, horses for courses.

I guess my point is that everyone - be they consultants or not - needs to find what they enjoy, embrace it, master it and take pride in it.

- J.

PS: I promise I won't keep writing about this fluffy stuff and I will try to post something with a bit more depth soon. But this blog is about my travels through my infosec career and I think this transition is a big part of it that should be covered.

3 comments:

Serg said...

Spot on J. I agree with 99% of what you've said. Some people either don't get it or feel it's trendy to dislike us suit-wearing creatures, without realising that we actually get pulled into projects that nobody else in the organisation has managed to solve.

Anonymous said...

You nailed it mate. I share the same opinion: do not hire a consultant who hasn't worked in a corporate security role. I'll take it even a step further: do not hire a consultant who hasn't worked as a security biatch in a corporation which had to have security cos of some audit!
BUT this is only half of the problem. The other half is all these managers who play golf and hire consultants based on the size of the company they work for and not their quality! :P

Drazen Drazic said...

All my guys, when they start, have to read the chapter in the "Dilbert Principle" management book on "Management Consultants". (And make sure they're never what Scott Adams ridicules.) :)