May 29, 2007

By Ira Winkler

In my new book, Zen and the Art of Information Security, I have a chapter titled, If You Have to Ask, You Shouldn’t Be Asking. The catalyst for this chapter was that someone once attended a presentation that I gave on penetration testing, and then contacted me a year later with an e-mail that basically said, “I finally talked a client into letting me perform a pen test. I don’t know what to do, how to do it, what to charge, or any special legal language that should be in the contract.” My response was basically, “You shouldn’t do the work.”

Today, I was hit with another e-mail message that reeked of the same problem. In today’s message, a consultant from a very large integration firm sent out a message saying that one of their clients wants to scope out integration of a NOC/SOC. He gave a very wide variety of requirements for the facility, and then wanted feedback from a wide variety of people not associated with his company. While I am normally all for helping out a colleague, this person should have either sought this info inside his own organization, which has access to such experts, or just told the client he doesn’t have a clue and to go elsewhere.

From a consulting perspective, it broadcasts that you are willing to take on tasks that you are not capable of. More importantly, this person doesn’t have a clue as to whether or not the wide group of people responding will actually respond with valid information. Opinions are like noses, everybody has one. You don’t know whether or not their information is accurate. Maybe they even did similar work and screwed it up. Just as important, the person does not appear to either know his own organization, or have faith in that organization to provide the required information.

While the person might have appeared to just be asking a simple question, the answer on how to create a NOC is not a simple answer. To properly answer that question is a consulting assignment itself, and it is not fair or appropriate to be asking a wide group of people for such an involved answer without reimbursing them.

All I can say is that the mark of a good consultant is one who knows when to turn away work.
