This blog post is a culmination of dozens – no, hundreds – of discussions with clients, partners, and above all else, my awesome colleagues about the magic behind successful consulting. While some of these topics apply primarily to the art of security consulting, many of them transcend industry boundaries and apply to life in general. They are not presented in any particular order as some musings will resonate differently with each reader.
There’s no sheet music. The beauty of the consulting world is that you get to encounter different clients, cultures, technologies, and processes. That also adds to the challenge as there are rarely any clear “do this every time” solutions for your clients. Instead, you will need to rely on common sense, logic, and intuition (along with playbooks and established methodologies, of course) to provide meaningful advice to your clients. Funny thing – but it seems that a high percentage of consultants are musicians or have acted in their past lives. There is a parallel here. In essence, for this concert, there is no sheet music – we oftentimes need to make it up as we go along. A good consultant knows the difference between making shoot-from-the-hip recommendations and thinking on his or her feet.
Game on. As consultants, we are essentially “putting on a show” for our clients. Our clients pay good money to have professional services delivered and they want to feel that they are getting their money’s worth. This means that you should ALWAYS be prepared to address your engagement needs and be ready to be in charge. It’s common to walk into a kick-off meeting where you don’t know if there will be two or 20 people present. A key factor to client retention is to be memorable to your clients. That means not just “going through the motions,” but engaging the client. This may include a little bit of small talk, providing meaningful analogies, a random metaphor, and sure, maybe throwing in some humor. Customers are going to gravitate to the consultants that they like, so invest in the relationships with your customers (e.g., know their hobbies, likes, professional aspirations, etc.). And by all means – be confident and speak with swagger! Customers do not want to pay for a restrained soft talker – they want someone who exudes confidence.
Come out of the gates strong. Similar to “Game on” – it is critical not to stumble coming out of the starting gate. Work closely with your clients to make sure that they are adequately prepared for the engagement. This can normally be done during kick-off meetings or through established engagement methodologies. Do they know what questions you will be asking or what materials you will be reviewing/assessing? The worst feeling is to walk in the door on day #1 and sit in an empty office or conference room while the customer scrambles to gather resources. First impressions mean a lot – if you commence an engagement appearing disorganized, the customer will have a lower opinion of your capabilities and it may take a while to dig out of the hole that you created.
Be objective and sensitive. It is rare for anyone to compliment IT personnel on things that are actually working (e.g., “the network is working exceptionally well today”). Instead, they only hear about it when things are broken. To be blunt, don’t tell your customers they suck. As a consultant, you should be objective in rendering your opinion. Sure, let your clients know where they can improve (that’s a key reason we’re there, to help our clients improve), but also let them know where they are doing a good job. When there ARE areas that can stand to be improved (…and there always are), work on your delivery in a way that is more “coach-like” than “auditor-like.” Your words will resonate much more and you stand a lesser chance of alienating your client. Oftentimes, the point of contact who hired you may be the one who most feels the brunt of your report, so be sensitive to their needs, politics, and how your message will be received.
Be a mentor, within reason. As you collect more and more wisdom from your experiences, you are in a unique position to provide powerful advice to the client. If the customer is paying you to perform an assessment, you should focus most of your effort on the assessment (i.e., 90-95%), but make sure you take a little bit of time to share pearls of wisdom. I’ve known some consultants who forget that they were brought in to perform an assessment and they end up burning through all the hours by just trying to provide advice – so find the right balance. For example, a consultant is performing a PCI assessment when she encounters a situation where other sensitive information is not adequately protected. This would be an opportune time to have a brief discussion with the client to discuss this particular risk and perhaps brainstorm some potential solutions. Another example would be to work with a client to fine-tune an existing solution based on your experiences of having reviewed that same solution in prior engagements with other clients.
You are the authoritative source! When I was a Network/Security Manager prior to my life in consulting, upper management often took our internal recommendations (e.g., “we need IDS”) with a grain of salt. Oftentimes we would bring in consultants to support our strategy (and sometimes offer supplemental advice) or to tell us we were barking up the wrong tree (and put us on the right path). Well, once you are on the OTHER side of the fence (i.e., consulting), YOU are in the position to help your customers with their initiatives. Even if it’s not the primary objective for a particular engagement, this is some of that “free” advice you can give to your clients – AND it oftentimes helps you win them over as our clients want to get opinions from those who are in the industry trenches. I’ve participated in risk assessments where the customer was standoffish in the beginning, but by the time I explained that I had been in their shoes before and that I, as the consultant, may be able to help run their ideas up the flagpole, they tended to be much more collaborative (this correlates with the “mentor” paragraph above).
It’s about business, NOT technology or security. At the end of the day, business trumps technology or security. In the world of infosec consulting, it’s about working with organizations to help them DO business in a reasonably secure manner. It’s easy to limit your perspective to only focus on the scope of the current engagement. Consider technologies and security measures because they align with the business objectives, not because of the technology itself. In the security consulting world, this means you need to be able to put yourself in a position to analyze risk.
Why can’t we all just get along? You will not always see eye to eye with your customers, so you must choose your battles wisely. Don’t get wrapped around the axle of a finding that is inconsequential (e.g., “your security policy says ‘should’ instead of ‘must’”). Instead, make suggestions that best resonate with the business. Sometimes it is more important to be “right enough” than to be right, and keep in mind that oftentimes, recommendations cannot be made in a vacuum as there may be other factors churning under the surface (political undercurrents, agendas, etc.). You need to walk the fine line of being an authoritative source, while also being flexible enough to work with your clients and their agendas.
The whole is greater than the sum of the parts. This is one of the great intangibles of a strong consulting practice that works well as a team. A consultant comes armed with a wealth of knowledge based on his or her experiences. That said, one consultant who has a team of trusted advisors at his disposal is as strong as the collective knowledge of a team (e.g., “we have a client who ... has anyone seen that before?”). This applies not only to consulting groups, but also to individual consultants who have strong networks of associates. Check your ego at the door. Don’t be afraid to “dial a friend” – your client is more interested in getting the best advice than caring if it comes directly from you.
Finally, in anything that you do – but magnified even more under the consulting microscope – be compassionate. If you give off the air of not caring about your work or your clients, the first folks to notice will be your clients. Consulting is not a career that just anyone can embrace – it is a world filled with uncertainties, trials, and tribulations. Hopefully, some of the thoughts outlined in this Manifesto can help you to become a better consultant or scare you away from the field altogether!