nCircle on Consulting, or: Sorry, Dave, I Have To Quit

Thomas Ptacek | March 21st, 2006 | Filed Under: Industry Punditry, Matasano

Ok, I’m taking the bait on Byron Sonne’s nCircle blog rant on consultants. And, by “taking the bait”, I mean “using this as an excuse to vent graceless and unattractive sarcasm”. And an obvious caveat: we make money doing security consulting work while we get our product ready to launch.

First, let’s summarize.

  1. Consultants cause enterprises to waste in-house talent, like the “single sign-on guru” trapped in helpdesk waiting for his shot at the big time.
  2. There’s a conflict of interest, because consultants make more money with Windows, and sometimes their own company sells products.
  3. Consultants suppress in-house education; why train employees when you can lease outside talent?
  4. I don’t know what Sonne’s fourth point means.
  5. Consultants don’t know the environment. That makes them less effective.
  6. Did he mention that they suppress in-house education? Also, they cost money.

Well, allow me to retort.

  1. That guy in help desk? Probably not really a single sign-on guru. And if he is: ask him what he’s doing in helpdesk. “But you’d never know!”, says Byron. That’s the point: you don’t know. If the project needs to get done two weeks from tomorrow, you might pay to mitigate that risk. Meanwhile: that helpdesk guy’s not an expert on algorithmic complexity attacks on link-state routing protocols. I guess that person is stuck in custodial.
  2. Your other problem with IT consultants is, when you ask them to pick your Chief Operating Officer, they only look at guys with Harvard MBAs.
  3. A typical Global2k enterprise might manage a docket of 10-20 internal web applications that need to be audited before being deployed customer-facing, staffed with a team of 6 internal security auditors, running a relatively steady backlog of, say, at least 2 critical apps that are held up because nobody is available to audit them. Which one of those auditors should spend 2 weeks bringing themselves up to speed on MIPS assembly, QNX, and Fibre Channel over IP so that, on the off chance that a new SAN switch needs to be deployed, they can reverse engineer the appliance to find remote vulnerabilities? Ok, I admit it. The answer is, “they all should”. But you can’t pretend like the right answer makes any fucking business sense.
  4. Because I perceived no coherent point #4 to rebut, I will take this placeholder point as an opportunity to make fun of Byron Sonne for using the word “dudette” in his post.
  5. A new consultant doesn’t know the environment as well as a full-time engineer. That is one reason why you should have full-time engineers.
  6. Security is Hard. Not, “reading all the way through TCP/IP Illustrated Volume 2 and understanding TCP fast and slow timers” hard; Really Quite Hard. There are respected security researchers whose whole practice revolves around applied compiler design; are we in a terrible world because they don’t understand Jain’s congestion control work? Or, should I freak out and short the stock when I find a Fortune 500 which doesn’t have anyone on staff that can find a timing leak in a closed-source Diffie-Hellman library?

Here’s my problem, and why I’m taking the bait: the reality is, for virtually all large enterprises, without contract security work, certain important pieces of infrastructure simply aren’t going to get tested. At least, not by the good guys.

Byron’s main problem (read his comment) seems to be that he feels like enterprises overpay for security help. Do they? How much should we charge, Byron?

1 Comment so far

  • blog

    April 8th, 2006 11:10 pm

    Dave G.,

    I don’t know Byron, but you’ve clearly had some good fun at his expense. I can’t state my counter-arguments any better than you, so I won’t try.

    That said, I think Byron ignores two very simple reasons why Consultants and Analyst firms (I rather like his Habit of capitalizing Nouns; very quaint in a 17th-century Way). The two time-honored Reasons a Company might hire an Outsider are simple:

    1. To help them make Decisions they can’t bring themselves to make (typically for political Reasons)

    2. Because they want a genuinely fresh View (because all of their in-house Staff are too busy to see the Forest for the Trees)

    Sarbanes-Oxley, in year one, was an Example of both of these Issues at work. Outside Auditors came in and told Management that their Controls sucked, giving the CSO a handy Crowbar with which to extract vast Amounts of Cash from the CIO. Thereby breaking a funding Logjam that got lots of Things funded. Like the purchase of his Company’s Product.

    Is this not a perfectly valid use of an outside Consultant? Byron may not think so, but it’s often how the World works.
    Andrew Jaquith | Homepage | 03.22.06 - 12:27 am | #

    Well first I’m going to start off by noting that Byron has two #4s in his post. I guess he didn’t check the helpdesk for a copy-editing guru, and didn’t want to hire a consultant to help

    Also, an important reason that I use consultants is specifically that they don’t know the environment. The very act of teaching an unfamiliar person the system is an excellent method of a) better understanding yourself and b) having them ask questions from a completely different point of view. For critical systems, whether it be code or architecture, a fresh set of eyes is often the set that finds the issues.
    Arthur | 03.22.06 - 11:04 am | #
