By Rich Loeber
In a recent post I started a description of how you can learn the job of being a security officer in the IBM i world of computing. This post will continue that thought by talking about how you can effectively use a security consultant, and learn from them in the process.
In the first post I talked about the need to read and to stay current with technology. In addition to what I mentioned in that post, I also want to recommend to you the book "Inside Internet Security: What Hackers Don't Want You To Know" by Jeff Crume. I found a used copy at Amazon.com. It is a real eye opener for those of you who have only been thinking about the IBM i side of the security question. The book is a little dated, but still contains a lot of good information that is clearly presented without a lot of acronymic netspeak that can be so confusing.
But today I want to talk about using a consultant. The classic definition of a consultant is "someone who borrows your watch to tell you what time it is", and to a certain degree, this is true. But a good consultant will explain to you every aspect of your situation.
The best way I know of to tell you about using a consultant is to describe a situation from my past. I had been working for 20+ years as a programmer, systems analyst and IT manager when I started consulting for a local direct marketing company. I was there for about 6 months trying to address the multitude of issues that this fast-growing company was experiencing. The owner decided to bring in an expert and found a guy for $2000 per day (plus expenses, a fortune at that time) to spend a day with us. We cleared our slates, got several key people together and followed the expert around for the day as he walked through the entire operation. What an eye opener that was. In one day, we identified every issue that needed to be fixed, quite a long list. We turned this into a roadmap of sorts and started knocking items off. That one-day visit ended up changing the entire course of the company for the next 10 years. It was more than worth the investment.
A security consultant should be able to do this same thing for you. But you need to use the consultant effectively. This starts by selecting a qualified person. Develop a list of people from reliable sources. Then check references to make sure that you're getting what you need. Once this is done and a date has been set, make sure that you have everyone needed completely available. When the consultant arrives, the clock will be ticking and if you're off doing something else, it will be a waste of time and your company's money. Clear the decks completely. Don't even take phone calls or check your email or texts.
While the consultant is with you, be completely honest with them. If you hide things because you're embarrassed by them, then your feedback from the consultant will be incorrectly skewed. Go through everything that you're doing and take copious notes on what the consultant has to say. You'll be amazed, if your consultant is good, at what you find out and you will learn to do a better job in the process.
After the consultant leaves, don't just go on with business as usual. Make a list of the areas that the consultant brought up that need attention. Then, develop an action plan to get each item on the list addressed. And, make sure you have the right attitude as you go through this exercise. The objective is not for you to come out looking good (which is often the case when reacting to an audit), but to address security exposures and get them closed. Most consultants appreciate follow-up, so don't be afraid to get back in touch with the consultant with questions and clarifications after the initial consultation.
That day we spent with the consultant completely changed my understanding of how a direct mail company should operate and it has stayed with me. Your investment in a security consultant will do the same for you and for your company. Consultants are expensive, but the alternative of having security exposures could be not only costly but devastating to your company.
If you have any questions about this topic you can reach me at rich at kisco.com. All email messages will be answered as quickly as possible.