5 Things to Look for in an Information Security Consultant

As a management consultant, I am constantly faced with clients who pose the question, "How do we know a really great candidate, when we meet them?".

Although the criterion of what makes a great employee can change with both industry and profession, perhaps one of the most difficult hires a company will ever make is that of the information security manager or consultant.

An information security consultant must engage with both business and technology stakeholders throughout your enterprise, and at levels ranging from the c-suite, through to the employees working on the factory floor or in front of the customers. They must understand the varying needs of every level of every function, and be able to articulate the value proposition of change to stakeholders from a diverse background and career level.

Security also requires that a consultant be able to sell a concept that has almost no perceived value. Although information security may act as insurance within the enterprise, and reduce the likelihood of a security incident, or the impact of such an incident when it occurs; security does not directly add revenue, or reduce costs associated to a particular business process. In point of fact, security actually increases costs associated to many processes, and can also increase both complexity and organizational ambivalence if implemented poorly.

If implemented correctly however, with both skill and diplomatic tact, security can often reduce unnecessary expenditure and improve resilience of business processes at a relatively nominal cost to a business unit.

For these reasons, when selecting your next security resource, try to keep in mind these five key points:

1. Professional accreditation

A security consultant should be professionally accredited with a broad range of recognized vendor-neutral certifications, such as CISSP, CISM, CISA, CEH or CHFI, depending on their specific role. Never hire a resource that only has vendor specific security skills, because information security spans across application, infrastructure, platform and process stacks; including a diverse range of technologies and products.

2. Business and technology skills

Great security consultants have both business and technology skills, giving them the understanding they need to engage with stakeholders from any part of your enterprise, and to fully appreciate the risks associated to functional processes outside the ICT department. Consider hiring only security consultants who have an undergraduate degree in business or management as a minimum, and give preference to professional candidates with post-graduate degrees in security, business administration, commerce, finance or management.

3. Strong exposure to your industry

Because your business needs are unique to your particular industry, seek out professionals who have a strong background in your specific domain, such as aviation, energy, government, finance, or technology services. Strong industry experience enables a consultant to anticipate risk and future security requirements.

4. Understanding of local and international law

Perhaps the greatest failure of most security resources is a lack of legal awareness. Understanding domestic legislation, and international legal obligations is critical to the formation of an accurate risk profile and security control matrix. Issues related to the United States Patriot Act, United Nation's Covenants and Declarations, local privacy laws, industry compliance requirements, and legal enforceability will form the basis of a security solution prior to organizational demands. Without an understanding of your legal environment, a security consultant is providing professional advice without appropriate knowledge, and this may leave your organization open to future legal challenge related to failures in "duty of care" and negligence.

5. Outstanding soft skills

Security consultants are often seen as insurance providers, not adding real value to a business's operations or process outcomes. It is also a fact that the majority of companies only see the value in security after a major incident, which for many organizations can be too late, especially in the modern world where the expectations and opinions of your customers are altered in minutes by social media. To ensure engagement through the business, the security consultant must be a master of communication soft skills, and be able to act in the role of persuader, diplomat, negotiator, and even dictator, depending on the circumstance.

By remembering these five key attributes; your next security hire will be more engaging, and better armed with both knowledge and professional expertise to deliver results and tangible value to your organization.