From: Frank Willoughby <frankw@in.net>
To: cypherpunks@toad.com
Message Hash: 263ff0d8389d6a815f06f4dfdd58454e9010a02d3ebabcd2fdb9924e51fdd669
Message ID: <9611030210.AA29337@su1.in.net>
Reply To: N/A
UTC Datetime: 1996-11-03 02:10:46 UTC
Raw Date: Sat, 2 Nov 1996 18:10:46 -0800 (PST)
Subject: Re: Computer Security Risk Assessment Software?
MIME-Version: 1.0
Content-Type: text/plain
At 05:44 PM 11/1/96 -0800, Dale Thorn <dthorn@gte.net> allegedly wrote:
>Frank Willoughby wrote:
>> The solutions to the above-mentioned problems are:
>> Shop around. Find out which consultants are qualified and what they charge.
>> Make sure the consultant caps his cost. You should know the maximum price tag
>> associated with the consulting engagement BEFORE the consultant walks in the front
>> door. This helps to avoid having the consultant camp on your doorstep at $XXX
>> dollars per hour for days, weeks, or months on end.
>
>The above is a nice ideal. You should of course get a "really good" consultant,
>and even better, get one who's "real honest". But my guess is those guys cost the
>most of all, or at the very least, require the most research to find.
Good point. To help establish the honesty, it wouldn't hurt to get personal
and business references. It also wouldn't hurt to check the BBB (Better
Business Bureau - a consumer rights group) to see if there are any complaints
against the company. Ideally, the consulting company would also be in the
BBB's Care program, which means that they will submit to binding arbitration
in the event of a disagreement. (BTW, the BBB also investigates all claims
to weed out claims made by one competitor against another, etc.)
>The ideal of capping the cost is commendable as well, however, when the consultant
>finds midway through the project that his initial estimate (made as carefully as he
>possibly can) is way too low, he will now have an incentive to lie, cut corners, etc.,
>*particularly* if the customer looks like one of those antsy types who might withhold
>payments and so on.
Depends on the consulting company. It is also a good measure which can be
used to separate the weasels from the good guys. The weasels will do exactly
what you said. The good guys won't. Granted that once in a while, there will
be a contract which will have some surprises in it and you won't make as
much money as you were supposed to. IMHO, this is a part of doing business.
Usually, you will win, but once in a while you will lose. These things will
happen. Learn what went wrong and take steps to make sure it doesn't happen
again. Then go back to succeeding.
BTW, I think it is the customer's right to withhold payments until the job
has been performed to the customer's satisfaction.
>My advice: Get a consultant to find a good IT consultant. Seriously.
If you have the money to spend, this may be a good idea. Personally, I
would tend to separate IT consultants from InfoSec consultants. InfoSec
is a highly specialized field & seasoned InfoSec Officers don't exactly
grow on trees (as companies who don't have one and are trying desperately
to find one will testify). Seasoned InfoSec Officers who are consulting
for customers are even rarer, but I would rather have that than have the
security of my corporation depend on an IT consultant who has never had
any experience working as an Information Security Officer (who has
successfully implemented Information Security in a real business
environment). There is no substitute for experience, IMHO.
Food for thought.
Best Regards,
Frank
Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec
<standard disclaimer>
The opinions expressed above are of the author and may not
necessarily be representative of Fortified Networks Inc.
Fortified Networks Inc. - Information Security Consulting
http://www.fortified.com Phone: (317) 573-0800 FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist