Welcome!

Microservices Expo Authors: Miska Kaipiainen, Automic Blog, Liz McMillan, Elizabeth White, Sematext Blog

Blog Feed Post

Five Ways to Hire an InfoSec Consultant

Five Ways to Hire an InfoSec Consultant
By: Bill Mathews

This is not a nice post. This is not a post about posing great interview questions or how to tell if someone can actually do the job. No, this is a post about how to watch out for people you want to hire to help your company. You know the ones – the con-sultants, the slick ones, the rockstars, the ones you should fear. Some of these guys can be worse than the actual bad guys and here are five things to look for when you’re trying to spot them.

1) Shortcuts?

Are they promising you the world? One thing about information security that you should know upfront: there are absolutely no magic bullets. Anyone promising you one from a product or a particular process is lying to you. It requires a blend of products and a blend of methods, no shortcuts will help you – period.

2) Rock Out with Your NOC Out

Are they rockstars? So-called rockstars happen in every industry, it is just human nature and cannot be helped. The problem I’ve seen with most rockstars (almost universally in infosec) is that they are not the least bit interested in your problems. They are interested in getting paid and increasing their already big, and in most cases, undeserved reputations. You really have to be careful with these folks – a lot of them are just naturally talented public speakers so they get it on at various conferences and accumulate massive Twitter followings, making them think that those alone qualify them to dispense advice on applications and networks. In most cases, and sadly I’m not overgeneralizing here, they’ve never had any operational roles so they don’t really know what works and what doesn’t. So if it isn’t in the buzzword dictionary sitting in their blazer pocket, it just isn’t valid in their world. You’ll know these people by their insistence that whatever you’re currently doing is wrong – you should be using the method they developed or their tool they wrote because that is the only way to solve your problem. They won’t really listen to you, usually just nodding along with whatever you say until you hit the keyword they need in order to tell you how cool they are. Of course there are some “good” rockstars, so if you’re set on hiring an allstar look for one who has had operational roles in the past and actually appears to listen. Chance are though if they do that then they are very bad rockstars.

3) Lazy Web

Watch the website. Does it ever change? Chances are if they don’t have time to devote to their own website they’ll never get time to devote to protecting yours. Avoid the companies that never update their website or only list their products and services. Try to find one that offers practical advice and is active in the security community. When you’re looking for an outside company to help with your information security, try to find one that has something of their own to protect – a web service or their own network, many do not. This is a really self-serving one because, well, this is how our website is set up and we have a fairly sophisticated network of our own that we protect.

4) Agree to Disagree

Are they really just that agreeable? Good security people are contrarians, they just are. It is either the industry that attracts them or it creates them, either way few people in it are described as agreeable. If you’re in a pre-sales meeting and the sales person or consultant is constantly agreeing with everything you say, ask them what you need to hire them for if everything you’re doing is so right. I use this technique on a lot of our vendors because they are constantly nodding along and agreeing with everything we’re doing. They’re usually taken aback by that question but it really tells you who you’re dealing with. You need to know, upfront, what they are going to really be able to help you with. It is dangerous to have a security person agreeing with you all the time. Conversely, they shouldn’t be disagreeable for the sake of being disagreeable, you have to strike a balance. This is a tough one because, as I said, the industry is filled with both contrarians and slick-haired salespeople. You need the former but should forego the latter. Someone can be a skeptic or a contrarian without being completely disagreeable or being a miserable person to be around.

5) Auditors in Disguse

Beware the auditor in a security person’s clothing. There are literally thousands of information security consulting companies out there. There are probably as many ways to categorize them as there are letters in the alphabet but let’s take a look at just two. The technical group and the auditor group. Now let me say upfront that I’m not denigrating real auditors here, the people that really do the audit job, I’m denigrating the pretenders here. You will find this very prevalent with companies that do penetration testing or vulnerability assessments. For a proper penetration test you really need a good technical person that can communicate both the technical risks and the business issues associated with that risk or exploit. You’ll be hard pressed to find this in just one person, so you want to hire someone with a penetration testing team as opposed to just some solo testers acting as a team. You’ll have a rough time finding the right team and you’re bound to make a few mistakes, but you really do need the best of both worlds.

Now penetration testing service companies come in two flavors – again the very technical and the not-so-technical auditing tester. Penetration testing is difficult and is very technical, so you cannot rely on a person just checking boxes to call your network well tested. You need someone who is doing more than just running a scanner and calling it done, you need a person who can actually exploit the vulnerabilities found. This is a skill that requires some sophistication and usually doesn’t lend itself well to “normal” people. You never want an auditor performing a penetration test and, vice versa, you would never want a penetration tester performing an audit. Why these two things are fused together so much is beyond me. If you’re hiring for a penetration testing company then hire for that, if you just need some audit work then hire for that – but do not hire one set of people and think you’re done, they are entirely different skills.

Of course, there is no 100% guarantee when it comes to the hiring process – you almost never see their true colors until it’s just too late. Be sure to keep sharp and use a little common sense when following these guidelines. If there’s anything else you think you should look out for, leave it in the comments!

Read the original blog entry...

More Stories By Hurricane Labs

Christina O’Neill has been working in the information security field for 3 years. She is a board member for the Northern Ohio InfraGard Members Alliance and a committee member for the Information Security Summit, a conference held once a year for information security and physical security professionals.

@MicroservicesExpo Stories
Let's recap what we learned from the previous chapters in the series: episode 1 and episode 2. We learned that a good rollback mechanism cannot be designed without having an intimate knowledge of the application architecture, the nature of your components and their dependencies. Now that we know what we have to restore and in which order, the question is how?
All clouds are not equal. To succeed in a DevOps context, organizations should plan to develop/deploy apps across a choice of on-premise and public clouds simultaneously depending on the business needs. This is where the concept of the Lean Cloud comes in - resting on the idea that you often need to relocate your app modules over their life cycles for both innovation and operational efficiency in the cloud. In his session at @DevOpsSummit at19th Cloud Expo, Valentin (Val) Bercovici, CTO of So...
SYS-CON Events announced today that Commvault, a global leader in enterprise data protection and information management, has been named “Bronze Sponsor” of SYS-CON's 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Commvault is a leading provider of data protection and information management solutions, helping companies worldwide activate their data to drive more value and business insight and to transform moder...
SYS-CON Events announced today that eCube Systems, a leading provider of middleware modernization, integration, and management solutions, will exhibit at @DevOpsSummit at 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. eCube Systems offers a family of middleware evolution products and services that maximize return on technology investment by leveraging existing technical equity to meet evolving business needs. ...
SYS-CON Events has announced today that Roger Strukhoff has been named conference chair of Cloud Expo and @ThingsExpo 2016 Silicon Valley. The 19th Cloud Expo and 6th @ThingsExpo will take place on November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. "The Internet of Things brings trillions of dollars of opportunity to developers and enterprise IT, no matter how you measure it," stated Roger Strukhoff. "More importantly, it leverages the power of devices and the Interne...
Whether they’re located in a public, private, or hybrid cloud environment, cloud technologies are constantly evolving. While the innovation is exciting, the end mission of delivering business value and rapidly producing incremental product features is paramount. In his session at @DevOpsSummit at 19th Cloud Expo, Kiran Chitturi, CTO Architect at Sungard AS, will discuss DevOps culture, its evolution of frameworks and technologies, and how it is achieving maturity. He will also cover various st...
Monitoring of Docker environments is challenging. Why? Because each container typically runs a single process, has its own environment, utilizes virtual networks, or has various methods of managing storage. Traditional monitoring solutions take metrics from each server and applications they run. These servers and applications running on them are typically very static, with very long uptimes. Docker deployments are different: a set of containers may run many applications, all sharing the resource...
Video experiences should be unique and exciting! But that doesn’t mean you need to patch all the pieces yourself. Users demand rich and engaging experiences and new ways to connect with you. But creating robust video applications at scale can be complicated, time-consuming and expensive. In his session at @ThingsExpo, Zohar Babin, Vice President of Platform, Ecosystem and Community at Kaltura, will discuss how VPaaS enables you to move fast, creating scalable video experiences that reach your...
19th Cloud Expo, taking place November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Meanwhile, 94% of enterpri...
SYS-CON Events announced today the Enterprise IoT Bootcamp, being held November 1-2, 2016, in conjunction with 19th Cloud Expo | @ThingsExpo at the Santa Clara Convention Center in Santa Clara, CA. Combined with real-world scenarios and use cases, the Enterprise IoT Bootcamp is not just based on presentations but with hands-on demos and detailed walkthroughs. We will introduce you to a variety of real world use cases prototyped using Arduino, Raspberry Pi, BeagleBone, Spark, and Intel Edison. Y...
In his general session at 18th Cloud Expo, Lee Atchison, Principal Cloud Architect and Advocate at New Relic, discussed cloud as a ‘better data center’ and how it adds new capacity (faster) and improves application availability (redundancy). The cloud is a ‘Dynamic Tool for Dynamic Apps’ and resource allocation is an integral part of your application architecture, so use only the resources you need and allocate /de-allocate resources on the fly.
Internet of @ThingsExpo, taking place November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 19th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound change in personal and enterprise IT since the creation of the Worldwide Web more than 20 years ago. All major researchers estimate there will be tens of billions devices - comp...
The many IoT deployments around the world are busy integrating smart devices and sensors into their enterprise IT infrastructures. Yet all of this technology – and there are an amazing number of choices – is of no use without the software to gather, communicate, and analyze the new data flows. Without software, there is no IT. In this power panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists will look at the protocols that communicate data and the emerging data analy...
This digest provides an overview of good resources that are well worth reading. We’ll be updating this page as new content becomes available, so I suggest you bookmark it. Also, expect more digests to come on different topics that make all of our IT-hearts go boom!
DevOps at Cloud Expo, taking place Nov 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 19th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long dev...
In this strange new world where more and more power is drawn from business technology, companies are effectively straddling two paths on the road to innovation and transformation into digital enterprises. The first path is the heritage trail – with “legacy” technology forming the background. Here, extant technologies are transformed by core IT teams to provide more API-driven approaches. Legacy systems can restrict companies that are transitioning into digital enterprises. To truly become a lea...
The Jevons Paradox suggests that when technological advances increase efficiency of a resource, it results in an overall increase in consumption. Writing on the increased use of coal as a result of technological improvements, 19th-century economist William Stanley Jevons found that these improvements led to the development of new ways to utilize coal. In his session at 19th Cloud Expo, Mark Thiele, Chief Strategy Officer for Apcera, will compare the Jevons Paradox to modern-day enterprise IT, e...
Information technology is an industry that has always experienced change, and the dramatic change sweeping across the industry today could not be truthfully described as the first time we've seen such widespread change impacting customer investments. However, the rate of the change, and the potential outcomes from today's digital transformation has the distinct potential to separate the industry into two camps: Organizations that see the change coming, embrace it, and successful leverage it; and...
SYS-CON Events announced today that LeaseWeb USA, a cloud Infrastructure-as-a-Service (IaaS) provider, will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. LeaseWeb is one of the world's largest hosting brands. The company helps customers define, develop and deploy IT infrastructure tailored to their exact business needs, by combining various kinds cloud solutions.
DevOps at Cloud Expo – being held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises – and delivering real results. Am...