The Consultant
Many security folks will recognise the experience of having meandered through various security disciplines. Some would identify as a "Security Generalist". What a generalist is depends on one's own view, and it is arguably as open to debate as what a security architect is or means. For what it's worth, I may consider myself a security generalist.
For context, I've had the chance to take on various roles: security architect, auditor, risk assessor, risk manager, engineer, and so on. The journey has been equally exciting and challenging, and I can only attribute that to consultancy experience, where I wore many hats. One thing that stuck with me over the years is that security controls rarely change, but their applicability does, depending on the environment. As an example, the CIA triad (Confidentiality, Integrity, Availability) applies everywhere, but with technology evolving at such a rapid pace, the technical implementation of the triad varies distinctly in each environment.
An important lesson is to have excellent knowledge of the environment in scope for your role or under your responsibility. Additionally, good technical knowledge of the application systems within that area is a must, regardless of your position. Further, you need a benchmark that is agreed to and signed off by senior stakeholder(s). Often, this benchmark is based on a particular industry standard, a set of key controls, security requirements, and the like, and it should align with or map to internal policies and standards. Its main objective is to simplify the established policies and standards so that technology and business teams can implement reasonable security controls. Experience shows that in some environments it is too detailed (technology-focused), too high-level (loosely defined), or a mix of both (super confusing). There are pros and cons to having such a benchmark, but that's for another day. So why is this important? It begins with a recent review where, this time, the environment under review was one I was responsible for, including implementing its security controls. I compared the reviewer's actions against my own from my consultancy days, looking for similarities and differences. Here is what I saw.
Technical know-how
I'll paraphrase a quote from the Christian Bible, Hosea 4:6: "For the lack of knowledge my people perish". Setting the theological meaning aside, if permitted, it's a simple but insightful quote that we can all live by. Anything you do without knowledge will often end in disaster. Yet we also have to learn by doing without the knowledge; that is how we as human beings acquire it. So my point isn't about knowing it all. Rather, it is about learning the fundamentals. These include, but are not limited to, protocols, networks, hardware, and operating systems and their internals. These are the components that underpin our application ecosystem, and without such knowledge the designs and solutions we implement will be riddled with vulnerabilities, not to mention that security assessments will overlook the obvious gaps. Admittedly, I've been thrown in at the deep end a few times and almost drowned. What kept me afloat was applying the know-how I had in my arsenal. Technical knowledge is critical, and keeping up to date with technology trends is like watering your garden plants regularly. In this scenario, I noted that the reviewer was adept in various areas but often drifted towards one specific domain, a common trait of specialists in a particular security discipline. I can only attribute that to it being their area of expertise. Does being a generalist help? No. Technical knowledge is independent of any specific technology, and maintaining a good stance will make your life, and the lives of others, easier.
Environment knowledge
I would encourage you to research and read up on any organisation that you engage with on security matters. You'd be misled to assume all organisations are the same. Each organisation differs from the others in governance, structure, politics and compliance, and a view of how that sector works will potentially give you insight into how to navigate the environment. This is best explained by looking at the various industry sectors. Some are bound by very strict compliance rules, so security controls and their applicability leave no room for exceptions: compensating controls are not accepted, and for the most part one either complies with the requirement or is deemed non-compliant. The latter is tracked and risk-managed until the exact control is correctly implemented. Other sectors may accept compensating controls, i.e. you don't meet the exact requirement, but you have reasonable controls in place that, in principle, weigh up to what's expected. I fell victim to this, and so did this consultant. In my experience, I jumped from an engagement in Banking to Oil & Gas, and it was a real eye-opener. My friend here felt the same coming into the Insurance sector without adequate research! Experience from all sectors is relevant and important; however, I'd recommend researching how other sectors and organisations work so that you sail smoothly even when it gets turbulent at times.
Benchmark
All assessments require some kind of benchmark. During your assignment in any organisation, seek it out and use it as a guide in your assessment. Where a benchmark doesn't exist, and time permitting, engage the right stakeholders to agree and define one; otherwise, raise this as a finding. A word of caution, though: you should not base everything solely on it, as a benchmark alone won't make an organisation "secure". The sector and organisational knowledge discussed above is essential and often interlaces with the benchmark to achieve your objective. It would be embarrassing to be asked what benchmark you used in your review, only to respond, "none". There are debates on the usefulness of benchmarks. My personal opinion is that having a selected few, mapping or aligning them to the internal security policy(ies), and applying them correctly will lead to a good security posture. In our case, there was one, but no assigned consultant had much time to review it and define what was applicable. So we ended up with a set close to 500 controls, which took almost a year and more. Yes, I saw consultants come and go, and a few years in, we still have more to do! Oh well.
Prejudice
This is personal advice. During an engagement, throw away any prejudice you carry, whether from what you've experienced in a similar environment, what you've heard, or even what you've been told (brainwashed with) by the very stakeholder who brought you in. For the latter, do not ignore their information, but do not let it blur your own vision; otherwise, it may bias any decision you make. The recent issue about race is a clear example. Any "Coloured" person is assumed to be bad, loud, and in some cases criminal: a stereotypical view that has many times led to injustice and limited opportunities for those afflicted. Having a clear view creates an avenue for you to engage on a broader scale, to listen, share and understand your clients and their environment better, and it solidifies the network you weave. Normally, it leads to a successful service delivery. Similarly, engaging people of various backgrounds, races, creeds, genders, or whatever attribute you see through your own views, with an open mind, leads you to different cultures, fascinating folks' stories, and history unheard of. Oh, and you'd realise there are bad, loud and criminal people in every society. We can co-exist happily and build a better and safer world. And we'd end up building some reasonably secure products that we'd be proud of and that are safer to use!
Target audience
Appreciate the experience that others have. Throughout my security journey, I've learned to appreciate and respect my stakeholders, regardless of whether they are security folks or not. After all, they're your sponsor and the reason why you're there. Honesty, transparency and flexibility in your engagement lead to your client gaining trust in you. Where your knowledge falls short, be honest about it and let it be known. This allows the right people to be assigned to support you. You cannot be the project manager, designer, architect, etc. all at the same time. You'll quickly burn out from stress and frustration, and you may end up burning the bridges you're meant to weave and maintain. In most cases, you're likely to work with the designers, project managers, architects, etc. who actually know every corner of the business, given that they built it up from governance through to architecture solutions. What could be better than placing them in positions to support you? Nonetheless, not all of them will support you, and from experience some dislike consultants for reasons unknown. Being a trusted advisor is a challenging feat, yet attainable through respect, humility and embracing others. In the end, you'd either last in the organisation or leave with a good reputation after your engagement. A hard lesson for my good consultant friend!
By now, you'll have noticed that I have not followed any particular review or audit approach here. The reason is that there are far too many to justify a selection, and the topic is perhaps too broad for this short article. Again, far too many standards exist, and the effort of choosing an audit approach and an industry standard, given that we have no benchmark to use, is beyond the scope of this article. Given the right benchmark to draw your scope from, one can conduct a security review or audit successfully if careful planning, a defined scope, diligent fieldwork, and accurate reporting and recommendations are employed. Until then, stay healthy, stay safe, and respect all!