John McCumber is a security and risk professional, and author of Assessing and Managing Security Risk in IT Systems: A Structured Methodology, from Auerbach Publications. If you have a comment or question for him, e-mail Cool_as_McCumber@cygnusb2b.com.
This week finds me back in the security consulting world, and I couldn’t be happier. After over a decade working in the security vendor space, I am back to pure-play, customer-facing consulting. I do recognize that almost all security professionals are consultants within their own sphere of influence. I’m back to doing that job as an outsider.
Even if you have a corporate security gig, and you’re successful, you’re likely playing the role of a consultant by gathering data and providing sage advice. I don’t know any security professionals who have the job of accepting, mitigating, or transferring risk on behalf of the organization they support. Those risk decisions are the purview of corporate executives, organizational leaders, and others responsible for the profit and loss of the enterprise. A savvy security professional realizes they provide a valuable service by creating and managing the programs that inform those critical decisions. They inform them; they don’t make them.
During the first week in my new role, I was brought into a situation where a fellow consultant had started a row with the customer by telling them, “This is how this [security function] is done – period!” The customer understandably bristled at this pedantic and arrogant proclamation. Now it’s become my responsibility to try to resolve the impasse.
I pulled the security specialist aside and asked if he had fully read their organizational security policies before making his statement. He had not. I asked if he understood their risk decision-making process. He did not. I asked if he knew their corporate tolerance for risk. He was unaware. I told him we had a lot of work to accomplish.
I was able to convey a principle I learned from the humorous Gerald Weinberg book, The Secrets of Consulting. In the book, Mr. Weinberg states there is a Buffalo Bridle Principle for consultants. He says you can put a bridle on a buffalo, and lead it anywhere it wants to go. However, if the buffalo decides it doesn’t want to go where you are leading it, you and the bridle make no difference.
The organizations we support are like the buffalo. We can lead and provide our advice, but ultimately, they will decide what risks they’ll accept, those they will mitigate, and those they will transfer. It’s up to us to advise them by performing comprehensive due diligence using sound empirical evidence. But the buffalo will ultimately decide where it wants to go.