What should I ask a security consultant to see if they are legitimate or not?

I'm looking to hire someone to perform an assessment, but I'd like to make sure that someone is reputable first.

AviD
SLY
  • Perhaps you should ask if he/she saw this question & answers :) – Eugen Constantin Dinca Feb 11 '11 at 22:00
  • I think this depends on what kind of consulting you're talking about. Application security, business continuity, network infrastructure, policy consulting, etc. These are vastly different, and warrant different kinds of questions. – Justin Morgan Feb 12 '11 at 22:12

4 Answers

Invent a scenario similar to the one you want them to work on, and get them to walk you through how they would tackle it. You'd want to assess their ability to understand the needs of your business as well as their technical understanding. The key factor would be whether they ask the right questions and give you the right answers.

For example, you might want someone to assess your e-commerce infrastructure, so your scenario might start with the question:

  1. "We want to put a new website up - how should we secure it?"

A good candidate would immediately start asking about the data involved, and the level of risk you're willing to tolerate. A bad candidate would get immediately proscriptive.

If they answer that to your satisfaction, or draw the information out of you, you can expand it to:

  1. The website will contain a shopping cart. How should we secure that?

... etc. Ideally, in this scenario, you'd have a candidate who looks at wider issues than just IT - policies, procedures, staff training, backups and backup security all play a part as well as firewalls and IPS.

John
  • This I like, and in fact have had a client do exactly this. It was hard work for them as well as us though, as they had to then validate our work through logfiles etc., so budget for some time/resource. Alternatively, a CREST approved tester has already done this by passing an industry approved exam and assault course, thus demonstrating a high skillset. – Rory Alsop Feb 17 '11 at 13:43

If you don’t have anyone available to challenge his or her technical expertise then I would say go the client references route. Ask for references - preferably from clients where they performed similar work.

Tate Hansen
  • If the vendor is unwilling to provide references, that's a big red flag. Also do a few quick searches on the references as well. You want to make sure you're talking to a real company, and not the consultant's next door neighbor or drinking buddy. – Scott Pack Feb 12 '11 at 01:54
  • Although be aware that many clients disallow the use of security engagements as references, so try to understand a refusal of references. – Rory Alsop Feb 12 '11 at 02:15
  • @Rory Fair enough, in that case I suppose you would need to watch for *how* they refused. Though, in my experience a sufficiently large company will have clients that are allowed their use. – Scott Pack Feb 12 '11 at 14:37
  • @packs, yes, but what about the excellent, small companies (and freelancers)? Usually, they do better work than "sufficiently large companies"... – AviD Feb 13 '11 at 09:40
Asking for references is a reasonable start.

Another crude indicator is their visibility and track record at well-regarded conferences. If they are a speaker at Blackhat, RSA Security conference, WOOT, etc., that's often a good sign. (But lack of this kind of visibility does not necessarily mean they are unqualified. This is a very crude indicator, at best.)

You could also look at their track record of disclosed vulnerability reports, white papers, etc.

I would not pay too much attention to certifications. If their primary or only credential is a CISSP or similar certification, odds are that you are getting a low-level person. The value of a certification will depend upon the particular certification and the kind of work you are looking for the consultant to do.

For more details on what to read into certifications and their reputation, see the following threads: Professional certifications for IT Security; Web Security Certifications; International pentester certification; What are the basic certification course for beginners?; How useful is CISSP to a recent graduate?; CEH or GIAC - Which one should I pursue?; would preparing for CCNA add “significantly” to my knowledge as a penetration tester?.

D.W.
  • I agree that speaking at well-known confs, and released papers, are good signs - but it's important to note that the *absence* of these should not at all be taken as a *bad* sign. Many consultants just get on with the work, and don't try to get lots of visibility. Admittedly, it's likely that he won't be *brilliant* (if he was, he'd probably get that visibility regardless...), but he might be able to do the regular 98% of the work just as well. – AviD Feb 13 '11 at 09:39
  • I disagree. A certification means the individual took the time to pass a, sometimes rigorous, examination (and sometimes experience requirements) in order to attain such. To smirk at their certifications in general is a joke. Some of the largest, most successful companies require, or look highly upon, certified individuals, so why wouldn't you? Also, to base their ability to do the job, and do it well, solely on their conference participation and white papers published is absurd. That said, if certifications are the ONLY thing they can show for technical competence, then and only then, I agree. – Purge Feb 14 '11 at 21:08
  • @Alex - some certs are of high value in this space, see the CREST or SANS GIAC type of thing which require significant skill/experience. As @D.W. said CISSP, CEH etc are a much lower level and in my experience, most people only rely on certs like that to get into a particular industry. The experience part of the CV/resume is much more valuable. – Rory Alsop Feb 17 '11 at 13:39
  • @Rory - I agree wholly. The edited answer is significantly better than the previous version. What I DON'T agree with is the notion that a CISSP is to be smirked at. I do not have a CISSP, so it's not a personal thing here, but if I was looking at two individuals with the same qualifications, and one had the CISSP, I would hire the CISSP. Why? Because they have taken the time to work towards getting the credentials. They are nothing to be gawked at, and even though they may be "low level" certs, the notion that they are worthless, or even substandard, is absurd. – Purge Feb 17 '11 at 21:25
  • @Alex, good points. I've edited to remove the smirking; agreed. – D.W. Feb 18 '11 at 04:56
  • The problem is not that CISSP is worse than nothing, but rather that less skilled people may try to get that certification since it's easier and can go a long way for getting jobs, whereas more skilled individuals simply don't care about certificates, and let their reputation (or simply their expertise) get them by. – guest Nov 19 '17 at 03:12
References, references, and more references. From companies that are close to your size. You should call the reference and ask how the consultant did. Ask if they read your existing policies and procedures and made suggestions for improvements. Ask if they suggested industry best practices. The consultant having a speaking role at a conference doesn't factor at all into whether they can do the job. If they have presented at conferences or written books, you should always ask for their book or slides or a recording of the talk and review that to see if they reference previous customers. The last thing you want is for them to be talking about your company (even anonymously) at the next conference.

OhBrian