thoughts on the challenges of IT consultants

We have a couple of consultants (I use consultants and contractors synonymously in this post) in this week to do some work for us on implementing a piece of technology that we have had neither the time nor the expertise (the expertise recently left us) to get done ourselves.

Two issues I have with using consultants to get work done.

1) Consultants should be used when a team is lacking expertise, but I am dubious whether they are useful when a team is lacking in time. Consultants cannot just come in and know how to build systems the way you build them, or fit right into your environment or network or business processes. To me, it seems consultants are best when directing an existing staff member through something new; not when they are doing the work and the staff are too busy to help or absorb knowledge. This indicates a need for more staff, not consultants to triage and bandage. (To note, we are hiring, but getting absolutely nothing for resumes.)

2) Consultants are notorious for ignoring security. “Aw, just make it a domain/local admin and it’ll work fine,” is a common response. When left in a vacuum to make their own decisions, they too often ignore security ramifications. I’m not entirely surprised. Staffers under the gun for a deadline will likely also get things done and think about security later, but consultants seem to be under more pressure to get things done quickly and stop billing the customer!

2 thoughts on “thoughts on the challenges of IT consultants”

  1. I would tend to agree with you. There are two reasons to use contractors: when you need the expertise, and when you need the bodies. There are indeed some situations where you need extra bodies with a certain level of training (say, to sit in front of monitoring screens, or to run a bunch of tools, or to perform a mass migration), and if the project is a “one-off,” you only want to staff it up temporarily* to avoid hiring people and then having to downsize later.
    But you’re right: bringing anyone onboard, even temporarily, requires management resources and at least some amount of training time, so you need to factor that in when deciding whether outsourcing makes sense.
    *I tried really hard to avoid using the word “surge.”

  2. Regarding the first, do you have your build processes thoroughly documented and/or automated? If so, the consultant should be required to follow the documentation, or if automated, not be needed at all.
    Regarding the second, how critical is the work from an impact perspective if security standards are lowered/laxed by a consultant hired who was not sufficiently queried regarding their ability? If critical enough, the work is delayed until a consultant with appropriate understanding of security processes is engaged.
