Just like the posts I have written about before concerning the issues that internal security people have to deal with on a daily basis in terms of trying to get recognition of security issues their organisations face, the role of consultants is very much overlooked at times when viewed from a similar perspective.
In most cases, the consultant is engaged on a job, does the job, creates the report, presents it and then leaves. Most good consultants will try to maintain a relationship that allows the client to follow up at any time with questions regarding the work and the remediation advice recommended. Most good consultants will also, as part of their work, be able to identify issues outside of the scope of the engagement, i.e. you just see things that are wrong... an experienced eye will! That information is also passed on to the client. At the end of the day, the "root cause" of why the issues exist is evident, and based upon that, it's clear that the root cause will and does affect other areas outside of the engaged scope. (Something that the client should also be addressing.)
Now, if you're still following, how does a good consultant switch off, so to speak, from a client that is clearly in a bad way and is doing nothing about it?
Now, let's be honest, there's a whole crapload of consultants out there that just don't give a rats and whose primary goal is ensuring that their billable hours are at levels to make their Manager/Partner happy, i.e. the promotion stream, dreaming of one day being that Manager/Partner and carrying on the tradition of billable hours as the primary focus.
I'm not talking about these wanks. We see the results of their "work" regularly. I'm talking about the security guys who have a passion for the industry... those guys who can't let go of a big problem they find at a client and care enough to pursue it, regardless of the amount of non-billable time given to that client.
Back to the ethical dilemma... you're a consultant, you know your client is in a bad way, probably owned for a while, and in some cases a disaster there that has not been discovered as yet. What do you do when they continue to neither listen nor want to understand the extent of the problems they have?
I'll give you a hypothetical: let's say you were engaged a while ago on TJX (pre-announced problems) and knew the environment and the problems they had. Business ethics dictate that you report what you know to the client and that you cannot discuss your work and the problems they have outside of the client relationship. Get where I am coming from?
A long time ago, independent financial audits became mandatory for publicly listed companies. There was a reason for that. I won't go into it because we all know why... financial position and risks to that financial position.
A different type of auditor exists these days that also identifies risks to an organisation other than "accounting" practices. These risks cannot be considered lesser in terms of the end-of-day result if exploited. Yet there is no requirement on organisations (any?) to undertake such audits nor to report the results of the audits. But these auditors (us) see things that have the same potential results for an organisation, shareholders etc etc etc!
So there's the dilemma... what does the consultant do when the risks to an organisation stare them in the face and nothing continues to be done month after month or year after year... but their hands are tied by "client confidentiality"?
I am sure shareholders and clients of that company would want to know, but can you be a hero before the bad event (would anyone care then if nothing has happened yet?)... the only loser is the consultant, who will never work for that company again, will have their name tarnished and will probably struggle to work for anyone else after that.
Post bad event... you're not going to be the hero anyway. Seems like a no-win, doesn't it? Trying to do the right thing, and at the moment you lose either way.
Keen on your feedback.