I had a colleague relate such a challenge when we shared a coffee last week. He has been an accomplished security consultant for a number of years and always staunchly refused to perform external penetration attacks without the complete knowledge and approval of all affected parties — especially the IT staff. He always felt it was unprofessional to launch surprise attacks without comprehensive support for the IT personnel.
He was approached by his employer to use his team to perform a “surprise” test for a very senior corporate client, without the involvement of anyone else in the affected company. He reluctantly refused by carefully explaining the nature and location of his boundaries. Even when the client offered a 30-percent uplift on the deal, he still said no thanks. Although his superiors weren’t happy, they acquiesced to his professional position.
When a competing consultancy took the job, it blew up in their faces. The individual who had contracted for the work was summarily fired by the board of directors of the client company. The security consultants were dismissed with a professional black eye, even though they had performed the work exactly as directed. They hadn’t established their boundaries, and when a “good deal” was offered, they eagerly signed on, only to face unintended consequences. Contemplating and defining your boundaries before the next “crisis” hits will ensure you make the right call.
John McCumber is a security and risk professional, and is the author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, please e-mail John at: Cool_as_McCumber@cygnusb2b.com.