Just like the posts I have written about before concerning the issues that internal security people have to deal with on a daily basis in terms of trying to get recognition of security issues their organisations face, the role of consultants is very much overlooked at times when viewed from a similar perspective.

In most cases, the consultant is engaged on a job, does the job, creates the report, presents it and then leaves. Most good consultants will try to maintain a relationship that allows the client to follow up at any time on questions regarding the work and the remediation advice recommended. Most good consultants will also, as part of their work, be able to identify issues outside the scope of the engagement… ie; you just see things that are wrong… an experienced eye will! That information is also passed on to the client. At the end of the day, the “root cause” of why the issues exist is evident and, based on that, it’s clear that the root cause will and does affect other areas outside the engaged scope. (Something that the client should also be addressing.)

Now, if you’re still following, how does a good consultant switch off, so to speak, from a client that is clearly in a bad way and is doing nothing about it?

Now, let’s be honest, there’s a whole crapload of consultants out there that just don’t give a rats and whose primary goal is ensuring that their billable hours are at levels that make their Manager/Partner happy – ie; the promotion stream, and the dream of one day being that Manager/Partner and carrying on the tradition of billable hours as the primary focus.

I’m not talking about these wanks. We see the results of their “work” regularly. I’m talking about the security guys who have a passion for the industry… those guys who can’t let go of a big problem they find at a client and care enough to pursue it, regardless of the amount of non-billable time given to that client.

Back to the ethical dilemma… you’re a consultant, you know your client is in a bad way, probably owned for a while, and in some cases the disaster there has not been discovered yet. What do you do when they continue not to listen or try to understand the extent of the problems they have?

I’ll give you a hypothetical: let’s say you were engaged a while ago on TJX (pre-announced problems) and knew the environment and the problems they had. Business ethics dictate that you report what you know to the client and that you cannot discuss your work and the problems they have outside of the client relationship. Get where I am coming from?

A long time ago, independent financial audits became mandatory for publicly listed companies. There was a reason for that. I won’t go into it because we all know why… financial position and risks to that financial position.

A different type of auditor exists these days that also identifies risks to an organisation other than “accounting” practices. These risks cannot be considered lesser in terms of the end-of-day result if exploited. Yet there is no requirement on organisations (any?) to undertake such audits, nor to report the results of those audits. But these auditors (we) see things that have the same potential results for an organisation, shareholders, etc etc etc!

So there’s the dilemma… what does the consultant do when the risks to an organisation stare them in the face and nothing continues to be done month after month or year after year… but their hands are tied by “client confidentiality”?

I am sure shareholders and clients of that company would want to know, but can you be a hero before the bad event (would anyone care then, if nothing has happened yet?)… the only loser is the consultant, who will never work for that company again, will have their name tarnished and will probably struggle to work for anyone else after that.

Post bad event… you’re not going to be the hero anyway. Seems like a no-win, doesn’t it? Trying to do the right thing and you lose either way at the moment.

Keen on your feedback.
  1. Declan Ingram says:

    This one is easy.

    Make very sure you understand the full implications (technically, and to the business) of what you have found. You tell the right people. You are mindful of politics, you write your reports, you make your recommendations but most importantly you get used to being ignored.

    Then you wait.

    And when the smelly stuff hits the rotating blades you calmly present your recommendations (that now have a budget to be actioned).

    I say it’s easy because it is so well practised. Luckily this hasn’t happened to me for a while, but this is the normal day-to-day occurrence for many, many people.

    It’s a shame that the good ones are seldom told because we are all up to our necks in NDAs.

  2. Declan Ingram says:

    Clarification:

    “Present your recommendations” should read “RE-present your recommendations..” Of course you made sure that the organisation was fully aware of what they had to do to mitigate the risk.

    Interestingly enough, full-scale (technical) organisational penetration tests will nicely demonstrate the risk of technical flaws to senior management without the nasty aftertaste of a full-scale compromise. It’s nice to really believe in what you do for a living :)

  3. Yeah says:

    Is it any wonder that anyone in a Big 4 worth their weight and credibility in the industry is no longer there? We are embarrassing, but clients don’t know that. We have good people, but they leave for the same reasons you explain. I am about to leave and I will be honest, I need to leave to learn from the likes of you guys. Many of us in the professional services firms here look up to SA and now Securus as the leaders in our field.

  4. You have little man syndrome says:

    I was passed the link to this stupid blog the other day and it is stupid. It has only taken me 2 years as a consultant for the supposed bad guys in a Big 4, as you allude to, to know that you are full of shit. Everything reeks of jealousy. There is a reason why we are called the Big 4! Dream on to being part of us!

  5. or maybe your afraid he's right and he just burst your bubble says:

    @Dec, waiting for the smelly stuff is so backwards. Even the dodgy guys will present something, which will be ignored. And when the smell hits, the company comes running, now with big $, the dodgy guys lap it up, bringing in their whole teams and suites of products, wedging themselves into the business/technology. The justification, of course, is: you need us, look what happens without us.

    The good and bad guys need to stand out before a point of reaction IMO.

    BoW

  6. Yhlms, I assume you are trolling, otherwise you’re suffering some bad paranoia issues. “Yeah” is the only one who mentioned Big 4. Nice to have you posting anyway.

  7. BoW, so right. Where are the ethics in someone doing that? ie; product based security as the lead approach. We see it all the time. Big bucks spent to block a bit of traffic (as one example) with no context behind it when the basics of good security practice, (ie; those practices that don’t require an investment in technology but rather process and knowledge) are ignored.

  8. Dave says:

    @ you have little man syndrome

    From my experience it doesn’t really require much skill and talent to be part of the so-called “Big 4”, so there is probably no need to dream too much.

    Let me clarify.

    Recently the organisation I work for had a security review conducted on the exact same web application by both Securus (at the time Security-Assessment.com) and also one of the so-called “Big 4”. The difference in findings between the two final reports was unbelievably huge. There were many Securus findings that the “Big 4” company did not find, and some were so basic that anyone with any application security expertise should easily find them. Now I don’t know which Big 4 you work for and it may not be the same one, however I have a lot of friends and associates in the industry and there seems to be a recurring theme present, including in other areas such as compliance reviews. Many express concerns about having to hire the little guys to come in and clean up after the big guys. So excuse me if I like the smaller guys better.

    I have no doubt that there are good security consultants in the “Big 4” companies, but being so huge also means there is room for many not-so-good consultants to be lurking around.

    Two things to think about:

    1. Contrary to popular belief, in some cases size does not always matter.
    2. It’s quality, not quantity.

    Ah, funny thing was, reading the last three sentences of your post I was thinking to myself that you would probably fit in quite well with my children and the games they play ;)

  9. Thanks Dave… cool of you to give us a good wrap! Send me an email to my Securus account. I’m always keen to know who our good clients are posting here. A Beast or Buddha tee-shirt is on its way to you! :-)

    I don’t know where Little Man is from, but here in our region all us Security dudes know each other. I remember having a few beers with Matt Jonkman and he was blown away that I was sitting there having a long, long lunch with the CEOs of our main competitors… openly talking about business and the industry (within the bounds of client confidentiality agreements).

    It is a close-knit industry here. We all know who is good and who is not so good. We know it… some clients know it… many do not. Let me be blunt here… hey, benefits of it being my blog… If I was a client (working as a CSO, CIO or CEO) knowing what I know, I would only work with the following dudes in Australia, NZ, AP:

    - Securus Global (formerly Security-Assessment.com Australia/Asia Pacific) Obviously… it’s our business.
    - Security-Assessment.com NZ (Unless Datacraft stuffs them up….no better bunch of guys in the region or world)
    - Insomnia NZ (Brett Moore’s new business – gees, he built SA NZ up so you can’t go too wrong)
    - SIFT (Nick’s mob is awesome)
    - Pure Hacking (Rob has built a great team!)
    - Sense of Security (Don’t know much about them but they seem to be good in VoIP and have some good guys)
    - Stratsec (sound ok)

    I’m probably going to get a lot of emails (like I always do when I post something like this) from dudes who will remind me of how good they are… so I will be happy to post an update if I have missed one of my good partners. Now, to be a nasty bastard, if I was in one of those roles I mentioned, I would never hire any of the big corporate “giants” of our industry. We have seen the results of their work too many times… and yes, it is true… there are good guys there, but the passionate ones for the industry leave and join the likes of the orgs I mentioned above. If Little Man wants to argue the point, it will be like shooting fish in a barrel! If he is what he says he is, he’ll probably make Partner and live a comfortable life… maybe he will wake up to himself… who knows… I know many “Partners” working in our industry that seem so far away from reality that you just worry about all those clients they have… BTW, who was the TJX Auditor? :-)

  10. Bullseye says:

    Congratulations Drazen.

    This post (and related comments) is further evidence that Beast or Buddha is in a class of its own.

    Great to see people with the balls to tell it how it is. Keep them coming!

  11. SiClone says:

    Going to jump back to the original post before paranoia hit with the delusional accounting firm people.

    This is a dilemma, using DD’s words, that has not been talked about before. It seems so obvious, but for some reason it has never made it to a level for it to be talked about in the press. It is something that just hits you in the face and is so obvious if you have a business focus on your consulting, but what next? I know I know things that shareholders would never know. Is that insider trading? Sounds stupid, but as DD alluded to, what is the difference? It will only get worse before it gets better. Hmmm… At least we’ll look back at these posts and say we told you so.

  12. BKone says:

    This is an interesting subject and with the way things have been heading, it will be one to follow. I cannot imagine it not being a big topic in 2008 and onwards.

    Declan states current practice. It’s wrong and we all know it, but it is how it is. BoW is also correct about the vultures circling in to make a quick buck with little sincere care factor about the client in the majority of cases. Where is the accountability around why some purchases are made that really don’t address the root cause of the problems?

    DD, I like the stuff on knowing your industry there in Australia. I think we’re all like that no matter where we are based. You know who is good. If only our clients had that information. But then we’d have no one to talk nasty about. :-)

    Little man, you are one funny guy!

  13. Big Galoot says:

    Dear Mr “You have little man Syndrome” (posting earlier).

    Many of us here at the house of b or b, including yours truly, have at some point in time also worked for a “Big 4”.

    It’s nothing to get excited about.

    You say you’ve been a high-flying “consultant” at a “Big 4” for 2 years.

    “Big Whoopee”. No-one gives a rats, mate.

    When you’ve grown out of your training nappies there after another 4 or 5 years, and worked in a few other places, perhaps then you might have a modicum of credibility.

    Until then, I suggest you get back to work. That is, working hard at billing your clients for every 6.5 minutes of your slick, high-flying “Big 4” life, you turkey.

  14. D2 says:

    Note: certain principles overlap regarding vul research and disclosure. Excluding NDAs, perhaps a body that is certified to do security audits and that is obliged to report to the public domain, after a certain period of time, the overall IT risk profile of the business. EXCEPT:

    Problems:
    a) standards in an ever-changing landscape, moving goalposts
    b) security metrics… definitions, measurement, deltas + see (a)
    c) confidentiality, thus anonymisation is required for meaningful metrics but defeats the purpose for naming and shaming
    d) budget and market cap, to define who/what/where/when
    e) apples and apples: one entity/enterprise/organisation/IT organism may have the same issues/vuls as someone else but may have mitigating circumstances unless actually probed and followed through to exploit, see (f)
    f) service levels, see (e) :) and the fact that it is not enforced upon orgs to have models of their environments for testing and change management… see (d)

    RFP has some new interesting policies in the works.

    Until regulatory bodies, tied with taxes and penalties, kick in… we are working on hearsay, with the old guard/paradigms, and have to contend with market forces.

    Guys and gals, the market will decide and the proletariat + gen y have only short-term caches installed in their noggins!

  15. Anonymous says:

    @or maybe your afraid he’s right and he just burst your bubble

    I think you have misread me. Of course you present your report… as I said:

    “You tell the right people. You are mindful of politics, you write your reports, you make your recommendations”

    Just don’t expect people to jump into action. IMHO very few organisations do Risk Management; they only fix something once it becomes a problem.

    Also, “You are mindful of politics” because most people only want to do things that other people will notice. Putting out fires in a triumphant wave of power and making sweeping reactionary changes post event will get a lot more back-patting than doing things right in the first place, not ever having the problem, and most people being none the wiser.

  16. Ron says:

    Culture needs to change and adapt

    For my two cents’ worth: after doing security assessments for a while, I have come to the conclusion that a change of culture, by clients, is needed so audits are no longer general run-of-the-mill, but incorporate more, like threat modelling applied to the actual technical environment.

    As in the initial post:
    “… A different type of auditor exists these days”

    This is so true, but my reflections on tasks I have performed make me think many of these new auditors have the culture of the old ways of auditing.

    From my observation, the current auditing process and the execution is not effective enough to identify all real infoSec threats today, leaving the client’s management with a false sense of security in making decisions of acceptable risk and prioritising actions on the basis of incomplete or general information.

    I see this in many assessments, either from performing and presenting the assessment and getting blank looks, or from reviewing the previous assessment.

    What are the major backgrounds of many auditors?
    Accounting practices
    Traditional risk management

    What are these auditors’ technical understanding levels?
    They calculate the threats based on the confidence assumption that a specific vulnerability has been identified and announced.

    Note the wording confidence!

    Are confidence and assurance cultures identical?

    Confidence is related to the belief in the assurance

    Assurance is related to the deliverable’s ability to perform (satisfy) its security objectives

    Confidence is subjective to the perception of the security requirements and the knowledge gained in audit processes that the deliverable will perform in the way expected or claimed.
    Assurance is determined from the evidence produced by the assessment process on the deliverable – lacking in most TRAs.
    Many audits do not provide very good coverage of the threats related to technology.

    Why? Shortage and levels of technical skills and knowledge.
    Unlike attackers, normal auditing approaches are behind the times “technically”.

    How many of your audit reports report the same types of threats, over and over again?

    So what are the solutions? All you can do is keep trying to educate the client…

  17. Sam Hill says:

    You’ve posed a mighty fine, and relevant, question there DD.

    The fact that many organizations cop the same findings review after review [without taking action] only demonstrates a ‘lightning strike’ mentality: no one really expects to get hit, or at least to have an incident materialize into a significant loss. Now I don’t really know the answer to this question, but how many companies have had their shareholder value impacted by a security incident? Even if, for example, a bank’s internet banking site gets taken down for a day, how many of their customers would really bother to jump ship? (there’s always phone banking :-)

    Let’s face it; the majority of findings that get reported in a typical security audit will never be exploited. If anything, many of the bigger reported security incidents come out of left field, and the exposure probably wasn’t even included on last year’s security audit report (particularly a Big 4 report). So, unfortunately, the dreaded ‘apathy’ sets in, and people are desensitized to what may happen. I think that the security industry also suffers a little from Y2K syndrome – warnings of cataclysmic events…

    At the end of the day, if security exposures of a significant nature are not being escalated in an appropriate manner, then the company’s operational risk framework is flawed, and perhaps the first finding on your next report should read “We observed, during the course of the review, that your operational risk framework is rooted, and we don’t believe you’ve set aside adequate capital to cover this gaping chasm.”

    They won’t be expecting that one!

  18. Declan Ingram says:

    @Sam Hill

    “Let’s face it; the majority of findings that get reported in a typical security audit will never be exploited.”

    Without an incident response capability, no one will ever know if it gets exploited or not.

    From my experience, out of the hundreds of penetration tests that I have done, only once has the security team noticed the attack (while it was happening) and done something about it.

    No one is looking for exploited systems. Few have the knowledge to find them anyway.