Welcome!

Agile Computing Authors: Liz McMillan, Elizabeth White, Karyn Jeffery, Tim Hinds, Jeev Trika

Blog Feed Post

Five Ways to Hire an InfoSec Consultant

Five Ways to Hire an InfoSec Consultant
By: Bill Mathews

This is not a nice post. This is not a post about posing great interview questions or how to tell if someone can actually do the job. No, this is a post about how to watch out for people you want to hire to help your company. You know the ones – the con-sultants, the slick ones, the rockstars, the ones you should fear. Some of these guys can be worse than the actual bad guys and here are five things to look for when you’re trying to spot them.

1) Shortcuts?

Are they promising you the world? One thing about information security that you should know upfront: there are absolutely no magic bullets. Anyone promising you one from a product or a particular process is lying to you. It requires a blend of products and a blend of methods, no shortcuts will help you – period.

2) Rock Out with Your NOC Out

Are they rockstars? So-called rockstars happen in every industry, it is just human nature and cannot be helped. The problem I’ve seen with most rockstars (almost universally in infosec) is that they are not the least bit interested in your problems. They are interested in getting paid and increasing their already big, and in most cases, undeserved reputations. You really have to be careful with these folks – a lot of them are just naturally talented public speakers so they get it on at various conferences and accumulate massive Twitter followings, making them think that those alone qualify them to dispense advice on applications and networks. In most cases, and sadly I’m not overgeneralizing here, they’ve never had any operational roles so they don’t really know what works and what doesn’t. So if it isn’t in the buzzword dictionary sitting in their blazer pocket, it just isn’t valid in their world. You’ll know these people by their insistence that whatever you’re currently doing is wrong – you should be using the method they developed or their tool they wrote because that is the only way to solve your problem. They won’t really listen to you, usually just nodding along with whatever you say until you hit the keyword they need in order to tell you how cool they are. Of course there are some “good” rockstars, so if you’re set on hiring an allstar look for one who has had operational roles in the past and actually appears to listen. Chance are though if they do that then they are very bad rockstars.

3) Lazy Web

Watch the website. Does it ever change? Chances are if they don’t have time to devote to their own website they’ll never get time to devote to protecting yours. Avoid the companies that never update their website or only list their products and services. Try to find one that offers practical advice and is active in the security community. When you’re looking for an outside company to help with your information security, try to find one that has something of their own to protect – a web service or their own network, many do not. This is a really self-serving one because, well, this is how our website is set up and we have a fairly sophisticated network of our own that we protect.

4) Agree to Disagree

Are they really just that agreeable? Good security people are contrarians, they just are. It is either the industry that attracts them or it creates them, either way few people in it are described as agreeable. If you’re in a pre-sales meeting and the sales person or consultant is constantly agreeing with everything you say, ask them what you need to hire them for if everything you’re doing is so right. I use this technique on a lot of our vendors because they are constantly nodding along and agreeing with everything we’re doing. They’re usually taken aback by that question but it really tells you who you’re dealing with. You need to know, upfront, what they are going to really be able to help you with. It is dangerous to have a security person agreeing with you all the time. Conversely, they shouldn’t be disagreeable for the sake of being disagreeable, you have to strike a balance. This is a tough one because, as I said, the industry is filled with both contrarians and slick-haired salespeople. You need the former but should forego the latter. Someone can be a skeptic or a contrarian without being completely disagreeable or being a miserable person to be around.

5) Auditors in Disguse

Beware the auditor in a security person’s clothing. There are literally thousands of information security consulting companies out there. There are probably as many ways to categorize them as there are letters in the alphabet but let’s take a look at just two. The technical group and the auditor group. Now let me say upfront that I’m not denigrating real auditors here, the people that really do the audit job, I’m denigrating the pretenders here. You will find this very prevalent with companies that do penetration testing or vulnerability assessments. For a proper penetration test you really need a good technical person that can communicate both the technical risks and the business issues associated with that risk or exploit. You’ll be hard pressed to find this in just one person, so you want to hire someone with a penetration testing team as opposed to just some solo testers acting as a team. You’ll have a rough time finding the right team and you’re bound to make a few mistakes, but you really do need the best of both worlds.

Now penetration testing service companies come in two flavors – again the very technical and the not-so-technical auditing tester. Penetration testing is difficult and is very technical, so you cannot rely on a person just checking boxes to call your network well tested. You need someone who is doing more than just running a scanner and calling it done, you need a person who can actually exploit the vulnerabilities found. This is a skill that requires some sophistication and usually doesn’t lend itself well to “normal” people. You never want an auditor performing a penetration test and, vice versa, you would never want a penetration tester performing an audit. Why these two things are fused together so much is beyond me. If you’re hiring for a penetration testing company then hire for that, if you just need some audit work then hire for that – but do not hire one set of people and think you’re done, they are entirely different skills.

Of course, there is no 100% guarantee when it comes to the hiring process – you almost never see their true colors until it’s just too late. Be sure to keep sharp and use a little common sense when following these guidelines. If there’s anything else you think you should look out for, leave it in the comments!

Read the original blog entry...

More Stories By Hurricane Labs

Christina O’Neill has been working in the information security field for 3 years. She is a board member for the Northern Ohio InfraGard Members Alliance and a committee member for the Information Security Summit, a conference held once a year for information security and physical security professionals.

@ThingsExpo Stories
SYS-CON Events announced today that EastBanc Technologies will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. EastBanc Technologies has been working at the frontier of technology since 1999. Today, the firm provides full-lifecycle software development delivering flexible technology solutions that seamlessly integrate with existing systems – whether on premise or cloud. EastBanc Technologies partners with p...
SYS-CON Events announced today that BMC Software has been named "Siver Sponsor" of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2015 at the Javits Center in New York, New York. BMC is a global leader in innovative software solutions that help businesses transform into digital enterprises for the ultimate competitive advantage. BMC Digital Enterprise Management is a set of innovative IT solutions designed to make digital business fast, seamless, and optimized from mainframe to mo...
SYS-CON Events announced today that Tintri Inc., a leading producer of VM-aware storage (VAS) for virtualization and cloud environments, will exhibit at the 18th International CloudExpo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, New York, and the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
SYS-CON Events announced today that MangoApps will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. MangoApps provides modern company intranets and team collaboration software, allowing workers to stay connected and productive from anywhere in the world and from any device. For more information, please visit https://www.mangoapps.com/.
The IoTs will challenge the status quo of how IT and development organizations operate. Or will it? Certainly the fog layer of IoT requires special insights about data ontology, security and transactional integrity. But the developmental challenges are the same: People, Process and Platform. In his session at @ThingsExpo, Craig Sproule, CEO of Metavine, will demonstrate how to move beyond today's coding paradigm and share the must-have mindsets for removing complexity from the development proc...
The IoT is changing the way enterprises conduct business. In his session at @ThingsExpo, Eric Hoffman, Vice President at EastBanc Technologies, discuss how businesses can gain an edge over competitors by empowering consumers to take control through IoT. We'll cite examples such as a Washington, D.C.-based sports club that leveraged IoT and the cloud to develop a comprehensive booking system. He'll also highlight how IoT can revitalize and restore outdated business models, making them profitable...
In his session at 18th Cloud Expo, Bruce Swann, Senior Product Marketing Manager at Adobe, will discuss how the Adobe Marketing Cloud can help marketers embrace opportunities for personalized, relevant and real-time customer engagement across offline (direct mail, point of sale, call center) and digital (email, website, SMS, mobile apps, social networks, connected objects). Bruce Swann has more than 15 years of experience working with digital marketing disciplines like web analytics, social med...
SYS-CON Events announced today that Commvault, a global leader in enterprise data protection and information management, has been named “Bronze Sponsor” of SYS-CON's 18th International Cloud Expo, which will take place on June 7–9, 2016, at the Javits Center in New York City, NY, and the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Commvault is a leading provider of data protection and information management...
Companies can harness IoT and predictive analytics to sustain business continuity; predict and manage site performance during emergencies; minimize expensive reactive maintenance; and forecast equipment and maintenance budgets and expenditures. Providing cost-effective, uninterrupted service is challenging, particularly for organizations with geographically dispersed operations.
Customer experience has become a competitive differentiator for companies, and it’s imperative that brands seamlessly connect the customer journey across all platforms. With the continued explosion of IoT, join us for a look at how to build a winning digital foundation in the connected era – today and in the future. In his session at @ThingsExpo, Chris Nguyen, Group Product Marketing Manager at Adobe, will discuss how to successfully leverage mobile, rapidly deploy content, capture real-time d...
SoftLayer operates a global cloud infrastructure platform built for Internet scale. With a global footprint of data centers and network points of presence, SoftLayer provides infrastructure as a service to leading-edge customers ranging from Web startups to global enterprises. SoftLayer's modular architecture, full-featured API, and sophisticated automation provide unparalleled performance and control. Its flexible unified platform seamlessly spans physical and virtual devices linked via a world...
SYS-CON Events announced today that ContentMX, the marketing technology and services company with a singular mission to increase engagement and drive more conversations for enterprise, channel and SMB technology marketers, has been named “Sponsor & Exhibitor Lounge Sponsor” of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2016, at the Javits Center in New York City, New York. “CloudExpo is a great opportunity to start a conversation with new prospects, but what happens after the...
IoT generates lots of temporal data. But how do you unlock its value? How do you coordinate the diverse moving parts that must come together when developing your IoT product? What are the key challenges addressed by Data as a Service? How does cloud computing underlie and connect the notions of Digital and DevOps What is the impact of the API economy? What is the business imperative for Cognitive Computing? Get all these questions and hundreds more like them answered at the 18th Cloud Expo...
SYS-CON Events announced today Object Management Group® has been named “Media Sponsor” of SYS-CON's 18th International Cloud Expo, which will take place on June 7–9, 2016, at the Javits Center in New York City, NY, and the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
What a difference a year makes. Organizations aren’t just talking about IoT possibilities, it is now baked into their core business strategy. With IoT, billions of devices generating data from different companies on different networks around the globe need to interact. From efficiency to better customer insights to completely new business models, IoT will turn traditional business models upside down. In the new customer-centric age, the key to success is delivering critical services and apps wit...
Join us at Cloud Expo | @ThingsExpo 2016 – June 7-9 at the Javits Center in New York City and November 1-3 at the Santa Clara Convention Center in Santa Clara, CA – and deliver your unique message in a way that is striking and unforgettable by taking advantage of SYS-CON's unmatched high-impact, result-driven event / media packages.
In his keynote at 18th Cloud Expo, Andrew Keys, Co-Founder of ConsenSys Enterprise, will provide an overview of the evolution of the Internet and the Database and the future of their combination – the Blockchain. Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life ...
As cloud and storage projections continue to rise, the number of organizations moving to the cloud is escalating and it is clear cloud storage is here to stay. However, is it secure? Data is the lifeblood for government entities, countries, cloud service providers and enterprises alike and losing or exposing that data can have disastrous results. There are new concepts for data storage on the horizon that will deliver secure solutions for storing and moving sensitive data around the world. ...
SYS-CON Events announced today that MobiDev will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. MobiDev is a software company that develops and delivers turn-key mobile apps, websites, web services, and complex software systems for startups and enterprises. Since 2009 it has grown from a small group of passionate engineers and business managers to a full-scale mobile software company with over 200 develope...
WebRTC is bringing significant change to the communications landscape that will bridge the worlds of web and telephony, making the Internet the new standard for communications. Cloud9 took the road less traveled and used WebRTC to create a downloadable enterprise-grade communications platform that is changing the communication dynamic in the financial sector. In his session at @ThingsExpo, Leo Papadopoulos, CTO of Cloud9, will discuss the importance of WebRTC and how it enables companies to fo...