1996-11-03 - Re: Computer Security Risk Assessment Software? [RANT]

Header Data

From: Dale Thorn <dthorn@gte.net>
To: Frank Willoughby <frankw@in.net>
Message Hash: a54f0834c08e685d125cb5a939f0d2eed87c0fd81fea80025d8b89d86d3473e9
Message ID: <327C5610.74DA@gte.net>
Reply To: <9611030210.AA29337@su1.in.net>
UTC Datetime: 1996-11-03 08:28:18 UTC
Raw Date: Sun, 3 Nov 1996 00:28:18 -0800 (PST)

Raw message

From: Dale Thorn <dthorn@gte.net>
Date: Sun, 3 Nov 1996 00:28:18 -0800 (PST)
To: Frank Willoughby <frankw@in.net>
Subject: Re: Computer Security Risk Assessment Software? [RANT]
In-Reply-To: <9611030210.AA29337@su1.in.net>
Message-ID: <327C5610.74DA@gte.net>
MIME-Version: 1.0
Content-Type: text/plain


Frank Willoughby wrote:
> At 05:44 PM 11/1/96 -0800, Dale Thorn <dthorn@gte.net> allegedly wrote:
> >Frank Willoughby wrote:
> >> The solutions to the above-mentioned problems are:
> >> Shop around.  Find out which consultants are qualified and what they charge.
> >> Make sure the consultant caps his cost.  You should know the maximum price tag
> >> associated with the consulting engagement BEFORE the consultant walks in the front
> >> door.  This helps to avoid having the consultant camp on your doorstep at $XXX
> >> dollars per hour for days, weeks, or months on end.

> >The above is a nice ideal.  You should of course get a "really good" consultant,
> >and even better, get one who's "real honest".  But my guess is those guys cost the
> >most of all, or at the very least, require the most research to find.

> Good point.  To help establish the honesty, it wouldn't hurt to get personal
> and business references.  It also wouldn't hurt to check the BBB (Better
> Business Bureau - a consumer rights group) to see if there are any complaints
> against the company.  Ideally, the consulting company would also be in the
> BBB's Care program which means that they will submit to binding arbitration
> in the event of a disagreement.  (BTW, the BBB also investigates all claims
> to weed out claims made by one competitor against another, etc.).

Personal and business references that you can check out are a good start, but beware
of expecting much from org's such as BBB, etc.  The reasons are twofold:

1. Most org's today are (despite the fact that they have computers on their desks)
   extremely shy about picking sides in computer software business matters, because,

2. Unlike nearly any other business, software development/implementation is not
   predictable in many situations like house or bridge building.  Costs and hours
   may run many times what was estimated, unless the up-front estimate was so
   exhaustive (paid for, huh?) that it could be relied on as usably accurate.

   The fact is, the more cookie-cutter the project is, the more likely it will meet
   estimates.  Unfortunately, most customers don't want cookie-cutter for a number
   of reasons, one being the reluctance to pay for old (tried and true) technology.

> >The ideal of capping the cost is commendable as well, however, when the consultant
> >finds midway through the project that his initial estimate (made as carefully as he
> >possibly can) is way too low, he will now have an incentive to lie, cut corners, etc.,
> >*particularly* if the customer looks like one of those antsy types who might withhold
> >payments and so on.

> Depends on the consulting company.  It is also a good measure which can be
> used to separate the weasels from the good guys.  The weasels will do exactly
> what you said.  The good guys won't.  Granted that once in a while, there will
> be a contract which will have some surprises in it and you - won't make as
> much money as you were supposed to.  IMHO, this is a part of doing business.
> Usually, you will win, but once in a while you will lose.  These things will
> happen.  Learn what went wrong and take steps to make sure it doesn't happen
> again.  Then go back to succeeding.
> BTW, I think it is the customer's right to withhold payments until the job
> has been performed to the customer's satisfaction.

Another qualified OK - you may be able to identify the weasels all right, but if you
expect the "good guys" to absorb all cost overruns for way-inaccurate estimates, well,
maybe they will on the phase of the project that they have a solid commitment to,
but then they'll still leave you with a dead end product if it costs them way too much,
and they'll do it legally, and they won't need you as a reference anyway, since they
will have other satisfied customers.  And with all this, it still comes down to the
fact that a comprehensive, thorough, and accurate estimate on a significant computer
project is either impossible, or it'll cost way more than a customer will want to
pay for.  You already know if you've been to court that telling the "honest truth"
will not get you the best result many times, so it shouldn't surprise anyone that
these kinds of projects would not bring out the most honest side of people.

[snip]





