Re: Computer Security Risk Assessment Software?

[Frank Willoughby <frankw@in.net>]

At 05:44 PM 11/1/96 -0800, Dale Thorn <dthorn@gte.net> allegedly wrote:

>Frank Willoughby wrote:

>> The solutions to the above-mentioned problems are:
>> Shop around.  Find out which consultants are qualified and what they charge.
>> Make sure the consultant caps his cost.  You should know the maximum
price tag
>> associated with the consulting engagement BEFORE the consultant walks in
the front
>> door.  This helps to avoid having the consultant camp on your doorstep at
$XXX
>> dollars per hour for days, weeks, or months on end.
>
>The above is a nice ideal.  You should of course get a "really good"
consultant,
>and even better, get one who's "real honest".  But my guess is those guys
cost the
>most of all, or at the very least, require the most research to find.

Good point.  To help establish the honesty, it wouldn't hurt to get personal
and business references.  It also wouldn't hurt to check the BBB (Better 
Business Bureau - a consumer rights group) to see if there are any complaints 
against the company.  Ideally, the consultanting company would also be in the 
BBB's Care program which means that they will submit to binding arbitration 
in the event of a disagreement.  (BTW, the BBB also investigates all claims 
to weed out claims made by one competitor against another, etc.).


>The ideal of capping the cost is commendable as well, however, when the
consultant
>finds midway through the project that his initial estimate (made as
carefully as he
>possibly can) is way too low, he will now have an incentive to lie, cut
corners,etc.,
>*particularly* if the customer looks like one of those antsy types who
might withhold
>payments and so on.

Depends on the consulting company.  It is also a good measure which can be 
used to separate the weasels from the good guys.  The weasels will do exactly 
what you said.  The good guys won't.  Granted that once in a while, there will
be a contract which will have some surprises in it and you - won't make as 
much money as you were supposed to.  IMHO, this is a part of doing business.
Usually, you will win, but once in a while you will lose.  These things will 
happen.  Learn what went wrong and take steps to make sure it doesn't happen 
again.  Then go back to succeeding.

BTW, I think it is the customer's right to withhold payments until the job 
has been performed to the customer's satisfaction.


>My advice:  Get a consultant to find a good IT consultant.  Seriously.

If you have the money to spend, this may be a good idea.  Personally, I 
would tend to separate IT consultants from InfoSec consultants.   InfoSec 
is a highly specialized field & seasoned InfoSec Officers don't exactly 
grow on trees (as companies who don't have one and are trying desparately
to find one will testify).  Seasoned InfoSec Officers who are consulting 
for customers are even rarer, but I would rather have that to have the
security of my corporation depend on an IT consultant who has never had 
any experience working as an Information Security Officer (who has 
successfully implemented Information Security in a real business 
environment).  There is no substitute for experience, IMHO.

Food for thought.

Best Regards,


Frank
Any sufficiently advanced bug is indistinguishable from a feature.
	-- Rich Kulawiec

<standard disclaimer>
The opinions expressed above are of the author and may not 
necessarily be representative of Fortified Networks Inc.

Fortified Networks Inc. - Information Security Consulting 
http://www.fortified.com     Phone: (317) 573-0800     FAX: (317) 573-0817     
Home of the Free Internet Firewall Evaluation Checklist