Cool as McCumber: What’s the Problem Here?

June 7, 2016

Many years ago, my budding career as a consultant was deeply influenced by a lighthearted book by Gerald Weinberg: The Secrets of Consulting. Mr. Weinberg was consulting in the rapidly-expanding field of information technology of the 1970s.  His humorous advice still instructs me today.  In his opening chapter, he outlines three basic rules of consulting:

  1. No matter what the client tells you, there’s a problem; that’s why you’re there.
  2. No matter what the client tells you, it’s not a technology problem, but a people problem.
  3. Remember you are being paid by the hour, not the solution.

I don’t think a week goes by where I don’t reflect on these key fundamentals.  They are only the opening salvo in a small book packed with sage advice, but they are always front of mind when I begin a new engagement. 

During our recent engagement opening meeting, I chuckled to myself as the CIO for the organization welcomed me and my team by saying there weren’t really any problems in security; they just wanted a check-up with some pointers for improving their program.  He went on to list the numerous investments they had recently made in security technology and how they were going to provide a dramatic improvement in their security posture.  Soon after, we began our on-site work.

After two weeks of digging and debating, we bade farewell and left to write up our findings.  We discussed how surprised we were to learn the infrastructure shop couldn’t provide any current network diagrams nor plans for proposed upgrades and changes.  When we asked for a recent inventory of organizational IT assets, they simply shrugged and said none existed.  On it went.  Configuration management?  Limited.  Change control processes?  Ad hoc.

When we presented our draft findings, we had a follow-on meeting with the CIO.  He explained he had been asking for network diagrams and inventories for over two years.  Let that sink in: he has been waiting for TWO YEARS for answers to his requests.  Suddenly, the sweep and majesty of Weinberg’s wisdom blossomed right in front of me.  All the recommendations we could make would not provide any demonstrable benefit for this client if they couldn’t resolve the people problems that negatively impacted their basic information technology hygiene.

When we were initially told there wasn’t a problem, we would ultimately find not only that there was a problem, but a very large one.  In addition, it wasn’t specifically a technical problem, but a complete disconnect between the CIO and his managers: a serious personnel issue.  In the end, we knew we weren’t going to be able to patch these foundational problems with security recommendations.  Fortunately, we were being paid by the hour.

As security professionals, whether consulting or working within an organization, it’s our responsibility to dig deep to uncover the underlying factors that can impact our risk management program.  It’s so often a people problem, and in the end, we are being paid by the hour, and the solution isn’t always our choice.  We are the advisors.