Grumpy Security Guy

I’ve suffered the tortures of the damned


Security Consultant Hacks: Size Matters

December 19th, 2007 ·

This is part of my occasional series on security consultants and how best to employ them.

Security consulting operations come in the standard small, medium and large sizes. Small shops are less than 30 consultants, medium 31-200, large 201+.

Small shops: Sometimes known as boutique firms or lifestyle firms (since the people that run them take jobs when they want and only when they want), they can be excellent resources within their specialities. Typically these are 1-5 person shops that are fairly niche focused; they may specialize in Web Application Security, secure development, or PCI audits.

Advantages: If you are using them in an engagement that is their speciality, you are going to get a lot of bang for your buck. Prices are generally in line with normal hourly rates, but try to get them to make a fixed cost bid. Most of the smaller shops are terrible at estimating, and you have a lot of leeway once you get them in to push a little scope creep on them, all within reason of course. Don’t forget these people have to eat and they might not have another gig lined up after yours.

Disadvantages: Scheduling and resources. Small shops can easily get stretched; they can generally only handle 1 or 2 engagements at the same time. If they are a lifestyle shop, they like to take long vacations. If you need a time sensitive service, like incident response or forensics, it might be better to go with a larger shop, or at least have a backup plan in case your small shop is not available.

Medium Shops: In my opinion the medium shops are the best balance between flexibility, resources and malleability. They typically employ at least 3-4 people for any given service they are offering, so you get some decent coverage. Quality stays fairly high top to bottom. They will employ junior people, but they are not likely to send them out solo.

Advantages: Good flexibility, reasonable prices and good access to people resources.

Disadvantages: They are increasingly becoming part of traditional VAR shops, so they might be prone to push product on you. They can still run into resource issues if something big comes up. They are also prone to the bait-and-switch, where they pitch the rockstar and the new kid shows up to do the actual work.

Large Shops: Have hundreds if not thousands of consultants and a bill rate to match, with an incredible appetite for large and lengthy engagements. I did time at EDS and let me tell you they are pretty evil, at least when I worked there. We would get a long term contract, then hire the cheapest talent we could find. They would then proceed to screw things up and cause other problems, and we would then point out that fixing those problems was outside the scope of the contract! Cha-ching!

Advantages: No one gets fired for going with IBM, EDS or PWC. You will have a lot of people show up day 1.

Disadvantages: Masters of the bait-and-switch; the business model they run practically makes it a requirement. Not usually the home of subject matter experts. All those people that show up day 1 need a place to sit.

Who are your favorite security consultants and why?
