I reckon Scott Adams's chapter on “Management Consultants” (in his book “The Dilbert Principle*”) is still the best I have read on this topic. If you are a consultant and you haven’t read this chapter about your job, go out and do it right now! You may learn quite a bit.
It still amazes me that there is still an attitude of elitism amongst many consultants and consulting firms: if you haven’t been a “consultant” before, you are not worthy of consideration for a role within a consulting organisation – regardless of your actual expertise and experience.
I know a lot of people who have tried to crack into consulting, coming from an internal role, and who have hit a brick wall.
A recent example is a good friend of mine, (now), and one of the best young CSOs I have met and worked with. He has not made it to the interview stage now for 2 consulting roles he has recently gone for. While he has kicked arse in his career and made it to management and senior management in relatively quick time, on the way doing some great things for the organisations he has worked at, this has not been good enough to get him even an interview for what I have seen as roles he could/should have walked straight into. (I’d like to think after so many years in the industry, I am a good judge and thus my position on him, but that assumes others in the/his critical path, are also). They [consulting firm] don’t know what they are missing out on.
Shouldn’t consultants first and foremost be “experts” or at least on a level where their expertise will add value to the clients that they are working with?
Now don’t get me wrong. I know many “experts” will never make good consultants for various reasons; e.g. people and communication skills for a start... but it’s easier to make an “expert” a “consultant” than to make a “consultant” an “expert” (coming from an experience and base knowledge level of scratch/graduate level, for example). You can think about that on many levels.
Now, my friend may have been discounted for other reasons, though what they could be I don’t know; but I know many others, as I mentioned, who have in the past not gotten roles because they have been told they have no “consulting” experience!
We (Securus Global) don’t measure a person’s potential/critical success factor to get a role with us based upon this selection criterion – never have and never will. So for us, from a business and competitive perspective, these “elite consultants” can continue to go ahead and do what they’re doing. But that still does not make it right. It’s a reason they have such a relatively poor reputation within our industry for what they do “to” (as opposed to “for”) clients.
Some somewhat related posts but a heap more in the archives:
Sucking corporate security budgets dry…
Bogged down in IT Security Audits of Questionable Value…
(*Hey, to me that whole book is the best Management textbook out there to this day. It’s a wonder it’s not in Management 101 in all universities).

Hey Drazen
It’s a bit of a chicken and egg situation: some clients of consulting companies call in consultants for the very reason that they don’t have the in-house expertise. And for that same reason they can’t really judge the expertise of this “expert-non-expert”, so they’re more likely to rely on chatter about previous gigs (which may sound like “water in the desert” by the time the consultant has finished talking) and judge the consultant on soft skills rather than applied expertise. And guess what? The consultant produces “really nice” looking project plans... plus wears a sharp suit: what could possibly go wrong?
The clients that do have expertise in-house – but need more on a short term basis – will be able to articulate what they need far better and cut to the chase during the selection process. I’ve worked with some consultants from the large consulting houses that really did kick ass. They truly knew their stuff and their implementation experience in large environments was pretty hard to match. So they do exist, but they are rare and expensive (i.e. partner level).
Still, I have no suggestion for why your CISO friend was overlooked.
That’s my 2 HUF,
Cheers
Craig
As a former Elite, and you should know this DD, your friend did not get the interview because he showed no revenue potential. There is no interest in infosec, it is the money! If he has shown an ability to bring in money, that is all that matters. Delivery is secondary, as Craig mentions, and all that matters is that what the client gets is better than what they know, and if they know little, like most, even a grad-produced Nessus report looks fantastic. Money Money Money.
It is hard to make a non-expert non-consultant into an expert consultant.
bluepants, but somehow they do. In title at least.
Hi dude,
I stated on Twitter I agreed with you and I still do.
I’ve had to hire consultants over the years and I genuinely could count those I would actually employ on one hand (4 fingers to be precise!).
I think Craig has probably nailed it though: the consultant companies probably aren’t after the real experts. They want someone who can appear as an expert, produce fancy reports and schmooze with the clients to justify a hefty daily rate and potentially bring in more revenue.
I’m mainly working/interested in web app security as you probably know by now, and the amount of “experts” who have appeared in the past few years in the consulting space is huge. These guys can’t actually do much more than run an overpriced tool (I’m thinking certain products from companies like those beginning with I and ending in M, for example) and put that automated report into a template for the client.
I’d say your friend got overlooked because he was an expert in his area and maybe a threat to certain people
Personally I’d hire the expert over the consultant any day (yes, I do think they are two separate “things” – some people excluded) even if it means my report being sent in a notepad file
Dave
What if his ‘friend’ was able to turn around a billion $ client from walking away within weeks of starting on the account?
What if his friend had increased the size of the security portfolio by ~600% within 9 months through creating a standard playbook?
Would he get a look in then?
Dunno… is it political? Is it experience? I have no idea…
I’m sure he’d have no problem then. I’d be happy to discuss employment opportunities with anyone who believes they can do this.
Of course the revenue making potential is a key requirement, if not THE requirement, and more than likely, had my friend created a CV that gave consulting firm X a sniff that he could bring in a lot of money to line the partners’ pockets, he’d have been a step closer to the role (regardless of actual expertise and experience, to a large degree). For many of these professional services firms, what we do (infosec) is not their core business. It’s more opportunistic business to bleed as much out of a client as possible on top of the tax, audit etc. work. We all know that. It’s also a fickle business for them, where the size and commitment to this type of (non-core business) work is solely based upon revenue potentials and immediate returns.
Craig, Elite, Bluepants, David…nothing I disagree with in your comments.
We’ve had a number of security manager types bounce in and out of the firm over the years often at director level. They just haven’t been able to meet the KPIs and transition to the pressure cooker that is professional services.
If you are coming in as a lateral hire, you are best to come in at a manager level so you can build up your client base over the years. You would need to have high level relationships at say 10 to 15 clients (i.e. they trust your delivery capability enough to invite you to bid for substantial pieces of work) to have a chance at meeting the KPIs.
If you are at director level you will need to:
- SELL more than $1.2M a year
- MANAGE more than $1M a year (time on code less write-offs)
- be more than 60% utilised (i.e. billing your time)
- be responsible for a service offering (i.e. often building it from scratch)
- be responsible for managing multiple staff to harsh KPIs
It requires a real mix of SALES, technical know-how, delivery, training/mentoring/managing of staff etc.
Really what you need to do is be able to make the sales, keep a high performing team together working at a high standard to deliver say three or four $30-40K moderate security consulting gigs a month over the 10 months of the year that clients are “on task”, one or two $100K jobs over the year, and snag a $200k plus job (that may have a lead time of up to a year).
@Anonymous Big 4er, interesting perspective, thanks.
So everyone is in agreement then I see. That is a first for infosec people. I am impressed.
All I can say is that their suits are nice. You cannot knock them for that. Sometimes that can mean more than actual skill and expertise. LOL.
Sitting reading through a report from a Big 4 firm done 12 months ago before I started. Wondering WTF the company was thinking in those days and how and why approval to pay for the ‘work’ was given. No more.