Series Introduction

Over the last several years, computing has changed to an almost purely networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programs has increasingly become a function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.

Introduction:

As a long-time consultant in the information protection field, I have often observed, to my dismay, that outsourcing information protection work is a particularly risky business. I sometimes find myself advising my clients not to use consultants as much as they do in the information protection area.

Since my clients almost always follow my advice, you would think that this might not be very good for my pocket book. But don’t worry about me. My clients almost always ask me to work for them doing things that are appropriate for a consultant to do.

Basic Issues:

The fundamental role of organizational information protection programs is to keep people from being harmed as a result of information or information technology. In most cases, this is translated at the organizational level into protecting corporate information assets. Since outsourced people in information protection roles (we’ll call them consultants from now on) are, in essence, information assets, we could analyze their utility just as we would any other information asset. I will use return on investment as the driving force in my simplistic analysis here.

But before we can understand return on investment, we have to understand the different roles that consultants can play in an organization so we can understand the risks and the values associated with having them in. Without this, we cannot make a business case for hiring an outside consultant anyway.

In today’s world, we can potentially hire a consultant to do anything that an employee can do, so every internal role is open to this possibility. But there are also roles that an outside consultant can play that no insider can play. Two of these roles are providing knowledge about what other organizations are doing and providing context from outside of the organization.

• Providing knowledge about what other organizations are doing in the information protection arena sounds almost like competitive intelligence, and indeed, it can become this if employed in unscrupulous hands. But good consultants are able to bring a great deal of expertise to bear based on other consulting they have done without revealing any information that could harm other legitimate interests.
• Providing context from outside of the organization has been a major historical role for the consultant. This is similar in many ways to the role of board members from outside the company. It also allows insiders to reduce their internal risks in decision-making. (In effect, the insider is laying off bets on the consultant. If the result is good, the insider is credited with the decision and hiring a good consultant. If the result is bad, the insider blames the consultant and avoids responsibility.)

The three roles:

This then sets out the three major roles of information protection consultants:

1. The consultant can act as an independent expert. Examples of this role include but are not limited to the validation or countering of an internal opinion, assistance in settling internal disputes, tracing down an attack by a trusted insider, providing additional credibility to management or outsiders, and deferring internal risks.
2. The consultant can provide knowledge not otherwise available. Examples of this role include but are not limited to special knowledge regarding a specific system, method, or challenge, special expertise relating to a high-valued decision, and experience in helping organizations change.
3. The consultant can temporarily supplement internal resources. Examples of this role include but are not limited to assistance on a specific short-term project, assistance during an emergency situation, assistance during a dramatic expansion or contraction, and assistance when a major shift in direction is taking place.

It is perhaps noticeable that the use of consultants for long-term supplementing of full-time employees has not been included in this list. This is not because I am a heavy union supporter, but rather because a long-term full-time consultant is, in essence, a full time employee, as far as risk management is concerned – or at least should be treated as one. This implies that similar background checks, clearances, agreements, and other similar things should be in place for such a consultant, and that the differentiation between this person and employees should be based only on a legal distinction.

Risk management:

The risk management approach I typically use begins by understanding dependencies, vulnerabilities, and threats. We begin with dependencies.

1. The consultant provides independence. In this case, our dependency on the consultant is typically rather low. The client is asking for an objective outside opinion and, even if the consultant is completely wrong, the client should not be in a position where such an error will cause great harm. Proper use of such a consultant should result in few, if any, substantial dependencies. Example: If the consultant agrees with our previous opinion and the consultant is wrong, the only real effect is the added cost of the consultant. If the consultant disagrees and is wrong, we will spend a little bit more effort making certain and it may reduce our certainty a bit or cause us to find a different solution.
2. The consultant provides knowledge. In this case, our dependency on the consultant is substantial because we depend on the consultant’s special knowledge to uncover things we would not otherwise find. If the consultant does not have adequate expertise, their lack of knowledge could often translate into a great deal of damage. Example: The consultant says the firewall is safe and it is not. The organization soon loses a very large portion of its information assets because the consultant was wrong and was trusted.
3. The consultant supplements resources. In this case, our dependency on the consultant is potentially very high in that any work they do may leave a long-term effect on the overall protection program. Example: The consultant helps to set protection bits on network file servers and does it incorrectly. The potential for harm is severe, while the cost of redoing the work the consultant did poorly is about the same as the consultant cost in the first place. The longer the consultant works for us, the more we come to depend on the quality of their work.

Now let’s look quickly at vulnerabilities:

1. The consultant provides independence. Unless things are done very shabbily, no new vulnerability is introduced as a result of this sort of activity other than the fact that one more person knows about the decision being made and the reasons behind it.
2. The consultant provides knowledge. New vulnerabilities can be introduced by poor technical judgements and existing vulnerabilities can be left unnoticed through a lack of adequate knowledge. While this supports the notion that consultants can increase vulnerabilities, it is incumbent on anyone using a consultant to check out the consultant’s credentials as well as any results the consultant provides.
3. The consultant supplements resources. In this role, the consultant has the potential to accidentally or maliciously induce vulnerabilities into systems and, as side effects, weaken protection throughout the organization.

Now we will consider threats:

1. The consultant provides independence. In this role, consultants are rarely a threat to the organization. In the worst case, they may reveal some inside information related to their consulting work, but in this case, we might be able to track them down and counter any ill effects fairly easily.
2. The consultant provides knowledge. In this role, most good consultants very quickly come to know precisely how to attack the organization’s information systems. If consulting is done properly, this threat will be minimized by the consultant and client taking care to limit the role to one of providing knowledge. For example, the consultant need not know specific passwords to be able to determine that inadequate controls are in place to assure that they are hard-to-guess. Systemic vulnerabilities will be much harder to protect and to this extent, the consultant in this role is a serious threat.
3. The consultant supplements resources. In this role, the consultant is most dangerous. The keys to the kingdom are given to the consultant for whatever efforts they are to aid in. In a policy role, this is rarely a serious problem, but as the role becomes more technical, access to specific vulnerabilities and systems becomes increasingly likely. The threat is potentially very severe in this role.

So we see that the risks introduced by consultants are, at least qualitatively, more extreme as we move from the role of independence to the role of knowledge source and into the role of supplemental resource. It is also often the case that the value of the consultant is far greater in the independence and knowledge source roles than in the supplemental resource role. The former roles tend to involve higher cost per hour but far fewer hours to get the job done well, so that the total cost in those roles tends to be lower than the total cost in the supplemental role.

On this basis, it would therefore appear that the return on investment is higher and the risks are lower for the information protection consultant in the independence and knowledge source roles and that this is where organizations should spend their information protection consulting dollars.

Other factors to consider:

Other outsourcing factors that tend to make it less suitable for information protection than other areas include:

• There tends to be less control over the consistency of the personnel, especially in cases where the contractor determines which people work on which projects at which times.
• Always remember that the best experts are used in the sale of consulting services and in high-level customer contacts, but these are not always the people working on the actual projects. As you move toward the supplemental role, the level of expertise and consistency of personnel tend to get lower.
• Contractor personnel tend to have a different trust relationship with the client than employees. Because of the central role of trust in information protection, it is vitally important that the trust level of consultants be considered in decisions about their roles.
• Sometimes, you just don’t have the personnel to get the job done and management won’t or can’t provide it. Perhaps you have no choice but to outsource, but then perhaps there is another solution that would eliminate the need to do so. This situation is an ideal opportunity to bring in a consultant for the roles as an independent expert and knowledge source. They may help find another way to meet the challenge, help convince management of the need for more and better insiders, or perhaps even validate the need for outsourcing in this special case.

Conclusions:

Outsourcing information protection is a very risky business and it is more risky in the role of supplemental assistant than in the roles of independent expert and knowledge source. Limiting outsourcing to these two areas in all but the most exceptional cases is in the organization’s best interest.

About The Author:

Fred Cohen is a Principal Member of Technical Staff at Sandia National Laboratories and a Senior Partner of Fred Cohen and Associates in Livermore California, an executive consulting and education group specializing in information protection. He can be reached by sending email to fred at all.net.