The Secrets of Cybersecurity Consulting
I guess now that I’m retired, it’s a good time to blow the lid off the whole cybersecurity consulting field. Heck, any work I do in this phase of my life will involve welcoming shoppers or serving up beer. In these less-prestigious environs, I will have the privilege that comes with my age to evict surly, disrespectful, and nasty people from the premises. As consultants, we just called them clients.
When I first started cybersecurity consulting, it wasn’t really called that. They were called inspections. I was still an active duty USAF officer and led small teams that traveled to military bases to inspect the security attributes of their computer facilities and programs. I had been an author of several regulations and directives on that subject, so the brass thought I should be forced to see if what I wrote on paper actually found its way to implementation at the pointy-end of the spear. “McCumber, here’s a plane ticket. Go out to Boondock AFB and see if they actually think any of this stuff you wrote makes sense.”
Of course, before any inspection team could be dispatched, a message had to be sent from HQ USAF to the Operating Command, then to the Wing Commander, to the Base/Installation Commander, followed by the Organizational Commander, then the Communications and Data Center Chiefs and their respective staffs. All in all, this primitive electronic process took a few days and would often involve wordy, eloquent replies requesting more details such as “Why the hell are you sending these clowns to my base?” and “Don’t you fools have enough to do in Washington, DC?”
As my personal way to push back against this abuse, I made it a point to arrive two days early for the inspection – usually a weekend. I began without contacting any of the gatekeeping colonels or fussbudget majors. I would simply take my rental car onto the base and go behind both the Communications Center and Data Center. I then proceeded to climb into the dumpsters. Inevitably, I was greeted by all the hastily-discarded security documents, hardcopy password sheets, social security numbers, and other sensitive materials they had spent the week before my arrival throwing out to avoid a write-up. These were the documents they had been directed to destroy by burning or shredding in those tedious regulations I had written. Our Monday in-brief (a prepared presentation to base leadership on why we were there and what we would do) was always more fun when it began with a large pile of improperly-discarded sensitive documents on the table.
As my career evolved, I became a civilian as the days of hardcopy were quickly vanishing. Yet in the heyday of early information security consulting (as it was called then), arriving early was still a sensible practice. Instead of showing up days early, I would show up a couple hours early and check in with the front desk. In most cases, as a contracted consultant, I was given a visitor’s badge and ushered into a small conference room or waiting area holding a paper cup of tepid coffee. This was usually behind the desk used to check in, so I took advantage of this lack of oversight by walking around the offices — normally cubicles with office and conference rooms ringing the outside walls with the windows. Sometimes I was confronted for unauthorized wandering, but usually I was simply ignored by the employees coming into the office with their travel mugs and backpacks.
I would go on this scouting trip because the employees had already gone to the trouble of showing me exactly what the major issues were in their company or organizational environment. These were the days when Dilbert cartoons dominated company discourse and water cooler chuckles. People used to cut out Dilbert cartoons that spoke to the problems or quirky aspects of their job and tape them up on their cubicle or office window. Everyone did this. Many were about security and related policies. Thanks to Scott Adams and his insightful humor, before that 11:00am meeting, I had already gotten surprisingly accurate insights into what was bothering the employees and what issues they thought needed to be addressed by their leadership.
During the subsequent in-brief, I would normally wait until we were about done, then look at my host and ask something like, “Can you give me any insights into the problems you are having with assigning the appropriate application permissions for new and reassigned employees?” I was inevitably rewarded with a look that said, “How in the hell does he know about that? He just got here.”
Today, even that world has gone away. Current cybersecurity consultants have a whole new bag of shortcuts and tricks to make the job easier, quicker, and thus more profitable. The big secret? Well, the same ones we learned back in the day. Every organization has a subset of the same 25 to 30 major security vulnerabilities. The key to a quick and effective engagement is to identify which subset applies, go back to your previous write-ups, perform a cut-and-paste, and — voila — a tailored report for the client pulled directly from your previous reports to other clients. It sure saves a lot of typing and proofreading. You will need, however, to check that you accurately performed a global replace for [insert CLIENT name here].
That’s right — these vulnerabilities are universal. There are certainly innumerable targeted and unique ones depending on the technology and applications in place, but for the most part, everyone has a subset of the larger list of common vulnerabilities and exposures. A practical consulting team either has this list or is building it as they go. When they show up at the client’s site(s), the job is basically to determine which subset applies. When consulting teams gather back at the office, they consolidate and review their notes to find that large Client A has problems 3, 4, 7, 9, 11, 14, 17, 22, 23, 27, and 30. They then write up descriptions of the client’s environment, then refer back to their saved files to copy-and-paste in definitions and recommendations from previous work. Done.
You’re now asking, if this is how cybersecurity consulting works, why do people pay for it? Isn’t it expensive?
Of course it is, but the secret here is that cybersecurity consulting is usually cheaper and far more effective than doing it internally. Security practitioners, CISOs, security chiefs, CSOs, and security officers within the organization are subject to pressures from organizational politics, financial constraints, and staffing problems. Hiring out the cybersecurity consulting job to an outside contractor lends an aura (deserved or not) of professional expertise to publicize vulnerabilities, systemic problems, and personnel shortcomings. In a way, cybersecurity consulting transfers a lot of risk from organizational leaders and places it on an outsourced expert. Whether or not anyone will act on these findings always remains to be seen.
Actually consultants don’t accept any risk. It always says so right in their contracts.
It’s not about the consultants accepting risk, it’s about management offloading that risk.
There is no law of the conservation of risk as it applies to career security.
Kinda like this
Another sensible reason to bring in an outside security consultant for occasional reviews is for the same reason it’s good sense to let someone else proof-read your work.
Outside eyeballs help.
Your internal experts know what they know — bringing in a fresh set of eyes that might know something ELSE is useful! And your internal folks are so used to the problems they routinely face, that they might not see other lurking dangers.
Not that anyone ever listens. Security is expensive and a hassle to employees, so nobody cares until they’re burned.