In my last article, I started a description of how you can learn the job of being a security officer in the System i world of computing. This article will continue that thought by discussing how you can effectively use security consultants and learn from them in the process.
It is necessary to read about and to stay current with technology. I recommend the book "Inside Internet Security: What Hackers Don't Want You To Know" by Jeff Crume, which can be found used at Amazon.com. It is a real eye opener for those of you who have only been thinking about the System i side of the security question. The book is a little dated but still contains a lot of good information that is clearly presented without a lot of acronymic netspeak that can be so confusing.
Are consultants worth the investment?
The classic definition of a consultant is "someone who borrows your watch to tell you what time it is." To a certain degree this is true, but a good consultant will explain to you every aspect of your situation.
The best way for me to tell you about using a consultant is to describe a situation from my past. I had been working for over 20 years as a programmer, systems analyst and IT manager when I started consulting for a local direct marketing company. I was there for about six months trying to address the multitude of issue that this fast-growing company was experiencing.
The owner decided to bring in an expert and found one for $2,000 per day (plus expenses -- a fortune at that time) to spend a day with us. We cleared our slates, got several key people together and followed the expert around for the day as he walked through the entire operation.
What an eye opener that was! In one day, we identified every issue that needed to be fixed, quite a long list. We turned this into a roadmap of sorts and started knocking items off. That one-day visit changed the entire course of the company for the next 10 years. It was more than worth the investment.
Using a security consultant
A security consultant should be able to do the same thing for you, but you need to use the consultant effectively:
- Start by selecting a qualified person.
- Develop a list of people from reliable sources.
- Check references to make sure you're getting what you need.
- Once this is done and a date has been set, make sure everyone who's needed is completely available.
While the consultant is with you, be completely honest with them. If you hide things because you're embarrassed by them, then your feedback from the consultant will be incorrectly skewed. Go through everything you're doing and take copious notes on what the consultant has to say. If your consultant is good, you'll be amazed at what you find out and you will learn to do a better job in the process.
Implementing security consultant recommendations
After the consultant leaves, don't just go on with business as usual. Make a list of the areas the consultant said need attention. Develop an action plan to get each item on the list addressed. It is important to have the right attitude as you go through this exercise. The objective is not for you to come out looking good (which is often the case when reacting to an audit), but to address security exposures and get them closed. Most consultants appreciate a follow up, so don't be afraid to get back in touch with the consultant with questions and clarifications after the initial consultation.
The day we spent with the consultant completely changed my understanding of how a direct mail company should operate, and the experience has stayed with me. Your investment in a security consultant will do the same for you and for your company. Consultants are expensive, but the alternative of having security exposures could not only be costly but devastating to your company.
If you have any questions about this topic, I can be reached by email. All email messages will be answered as quickly as possible.
ABOUT THE AUTHOR: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.
This was first published in October 2007