The notion of a security consultant guild is a seductive idea. Promoting quality, defining service levels and enhancing professional standing are good things, but there is already a red ocean of professional forums, so I would not just jump in and start a guild.
Just take a look at forums like LinkedIn and Infosec Island – most (sometimes it feels like all…) of the folks in professional networks are independent consultants – and that makes perfect sense – we all have to eat. Yet LinkedIn cannot replace industry forums like ISACA or ISC2 that work to promote industry standards, improve security awareness, drive private-public partnerships etc.
The problem with ISC2 and similar industry lobbies is that they have vested interests; therefore they don’t or can’t represent independent security consultants. When was the last time Raytheon called me up asking to collaborate on a data security project for DoD? Like never.
I would take some lessons from the IETF.
Any security consultant organization should have three principles: free, open, and based on vendor-neutral standards.
Note my emphasis on “Vendor-neutral standards”. This is the secret of the success of the IETF and the Internet in general and it will be the core of the success for any group of security consultants that want to do more than kibitz in LinkedIn security forums.
Regarding standards: there is this eternal debate between the US and the EU, but I think that we can probably agree that ISO 2700x is the most comprehensive, vendor-neutral standards framework existing today, and that should be the one vendor-neutral standard adopted by the guild.
However, a guild of consultants is not enough.
We already have similar entities in the shape of the LinkedIn security communities, which are in general a bunch of consultants talking to each other, with endless threads of shallow input generated by open-ended questions like “What is the best anti-virus”, “What is the best firewall”, “How should I choose a UTM appliance” or “Is confidentiality, integrity and availability part of your security strategy?”.
In order to turn a consultants guild into something of value (and I mean dollars and cents, not social networking gratification), the guild must include and engage (using its own terms of engagement of free, open and vendor-neutral standards) with 3 other kinds of people:
1. End user line of business decision makers
2. Vendors
3. Hackers
I am aware that this is a tall bill of requirements, but it is, I believe, the only way to create something unique with value to all.