What makes a good Security Consultant?

written by Jay Schulman
I was reading an Information Week article on the secrets to a high performing IT Manager and I thought I would write a similar piece on the secrets to a high performing security consultant.
After about ten years of hiring, I have noticed a few commonalities among the successful consultants (and a few among the less successful as well).  If you’ve reached this post in preparation for an interview with me — and many of you will — nothing here will help you prepare for my questions.  I know better.

The Swiss Army Knife
In the corporate world, security people can be very narrowly focused.  Many companies need an Active Directory Senior Security Engineer.  I use the analogy of an inch wide and a mile deep.  At those companies, you’re highly coveted and well compensated for your unique skill-set.  In consulting, I’m looking for a mile wide and two inches deep.
Too many candidates have a wide breadth of knowledge but not enough depth to survive a client meeting.  “Does X integrate with Y?”  You know what X and Y are, but that is where it ends.  A really good security consultant has the experience to speak intelligently on a wide variety of topics.

The Well Read Consultant
So how do you expand your knowledge base?  Read and play.  What I enjoy most about information security and privacy is the ever-changing landscape.  For every door that closes, a new one opens.  The only way to keep up is to read.  Constantly.  And when you’re done reading, you need to start playing.
I started playing with Asterisk a few years back to beef up my understanding of voice over IP and the SIP protocol.  My spare time hobby turned into a Blackhat presentation on how Asterisk can be used as a Phishing platform.  Until you get your hands on the tools, you’ll never really understand the possibilities.  Within 10 minutes, you can have a fully functioning server running with Amazon’s Web Services.

You Have to Love This
Security consulting is not for everyone.  You can watch movies like Sneakers or Swordfish and form an image of what security consultants do.  I love it.  Not everyone does.  Sitting for three hours watching Nmap port scans is not necessarily exciting.  I can promise that the more you love the work, the better a consultant you will be.

In Summary
As we enter 2011, I believe we will see a huge uptick in both internal security positions within companies and the need for security consultants to help their clients.  Everything outlined above is something everyone can do themselves.  There were no information security degrees when I went to college, and a security training course was usually about how to configure a firewall.  You had to be self-taught.
I don’t think there is anything groundbreaking here, but I am amazed by how many people don’t invest in themselves.