I’m not going to lie, I love Yoo-hoo drinks, to the point that I have at least one a day and get grumpy if I don’t have one available when I want it. Don’t judge me; some people drink, smoke, do drugs, etc. My addiction of choice is Yoo-hoo and I make no apology.
It’s pretty easy with Yoo-hoo: I grab a chocolate drink and the consistency is fantastic. I would expect nothing less from a commodity-based product, and Yoo-hoo consistently delivers.
Security consultants that provide services are a different story. I constantly hear about commodity-based security services, and it makes me scratch my head. How can something be seen as a commodity without a level of consistency? How do you gain consistency when the people and companies change? It might be fair to say that they’re common services, used by companies with a common desired outcome, but that doesn’t make them a commodity. Does it?
When you ask most security leaders what’s the most important thing to consider in security, you’ll hear something that sounds like “People, process, and technology,” in that order. That’s a great statement, but that’s not always the way it turns out. Is it?
As a security consulting company, I often wonder what motivates people to select us over our competitors, or our competitors over us for that matter. People matter. So does the deliverable they’ll receive from the people doing the work. But rarely are we asked for a redacted sample deliverable for their review. Rarely are we asked to make the person(s) performing the work available for an interview (though we always require it, as well as a mutually agreed-upon SoW).
I’m not implying that information security consultants are shifty or even poor at what they do. If I were buying these services, my questions would focus on the process. Yes, people should come first, and they should be vetted to ascertain their level of experience, but the process, that’s the difference maker.
I would suggest that in this case, working with unknown or seemingly unknown people, process might be equally if not more important. Make sure things are outlined up front: expected results (not expected findings), communication, timeliness, and the ultimate deliverable. Does the process give you the chance to remediate, followed by subsequent retesting?
The bottom line is that you own the engagement with your security consultants: you should know the people and the process they’ll be undertaking. It’s kind of what I expect from Yoo-hoo; someone checks the quality along the way, and if it’s bad, the process recalibrates.
I like what we do, and I don’t want to be thought of as a commodity regardless of what popular opinion says. What we do is different; what we’re trying to reach and deliver is different. Why and how we’re doing it is different. With Yoo-hoo, I don’t like different, I like the same. But that doesn’t fly in our world.