My stance on security consultants vs dedicated security staff is pretty much across the board. Probably because it boils down to, “It depends.” I think security consultants have a sweet gig, to be honest, despite the issues.
If I were a typical business owner today, I would probably act much like a typical homeowner when it comes to security: wait until it is convenient, in terms of time, effort, finances, and emotional situations (i.e. did someone you know just get broken into? [is that transitive risk? risk-by-proxy?]). That probably means asking two questions and needing possibly one thing that consultants or a third-party provide:
1. How secure or insecure am I? This is answered by the function of audits or pen-tests. No folks, they’re not going away as long as this question is asked. Stop making it so damn complicated for the business owners when they ask a simple question like this. Compliance falls into this question, because owners will wrongly ask, “Am I compliant with XYZ?” rather than the correct question, “Am I secure?” A subtle, but important difference.*
2. What suggestions do you have that would improve my security? A sub-question usually not spoken but definitely just as important would differentiate between ideal suggestions versus high value/low resources suggestions (not the same as ROI if you ask me!). There’s that big difference between “patch Windows boxes” versus “patch all your software you use.” Or “log management” versus “out-of-band log management with your admins locked out, backed up to encrypted, secure tape and offloaded…” It is when business owners hear the extravagant solutions that they decide to just forget the whole thing and not bother. There is still a huge thirst for security knowledge, not just from enterprises, but even from individual consumers. It just needs to be doled out in digestible, actionable chunks. Often this ends up looking like, “Give me the top 10 things to do, in order of value/effort. I’ll only do the first 4, but I want to know what roadmap would be possible for the next 6.” This is healthy, and I think should be encouraged.
3. And consultants or a third-party can provide some managed services and regular tuning of an environment somewhat above and beyond advice and audits and pentests. I can argue that situation back and forth, but I concede there is realistic value. If you can share a security expert between 4 or 5 companies and they can tune your firewalls and give regular advice, that might provide a good value without the overhead of dedicated staff. Why try to figure out what PCI means on your own, or how best to maintain router config integrity or what to monitor with Tripwire, when some shared consultant already knows how? And if you get someone dedicated to you and a few others, you’ll probably get better service than some cog in the huge wheel of a large enterprise professional services department.
This third point that consultants provide is one thing that I often rag on because I don’t believe a third-party service will top quality internal, dedicated staff, and some consultants get to happily throw down their suggestions and walk away without ever actually implementing them or experiencing the day-to-day realities of them. But relatively few firms have the ability to have dedicated security staff. Many barely get away with dedicated IT staff let alone specialized security staff!**
And it is a nice step up from just buying point products with the intention of not maintaining them, but rather plopping them in and spending as little time with them as possible. This often ends up meaning unqualified persons put it in and call it good, when in fact no one knows if it is working properly or being used properly. This is why SIEM is in such a weird boat. They’re a bastard child between your typical “turn-key” solution and your high maintenance “gotta watch it!” process. Other recent complex solutions also fall into this trap, like WAFs and DLP and even identity management. They’re complex, they sound like low-maintenance efforts, but anyone who truly gets security knows they’re still going to be time vampires quite often, especially when used wrong.
* Compliance is a great driver, but it really should be placed under the auspices of having “security” as the goal. Sure, it may be a thin, cheap veneer, but it’s better than building a culture of just meeting compliance XYZ.
** Adding a bullet item to your IT staff job descriptions that says “maintain security” is not the same as having security staff. Yes, baking in security is necessary. But operations and even IT projects will always, always, always trump any security-related tasks that *should* be done to maintain a quality security posture. The only way to do this is to have dedicated time carved out of your staff hours for security, and that’s just never adhered to without a real SOC they can retreat to.
What if the first question were asked differently?
Instead of asking about secure versus insecure, what if the question were “am I managing the risks to my business efficiently?”
It’s a subtle shift, but I believe an important one.