Most annoying consultants

Sunday, June 13, 2010

Javvad Malik


Infosec would have a better reputation if all consultants were perfect like me. When speaking to a project manager, we should have completed our research: scoured the internet, found out what a particular application does and how many security vulnerabilities are out there. The list goes on, but suffice to say a good consultant always does their homework before they actually start talking to people and make themselves look like an ignoramus.

Like I said, some of us are perfect. It's those other consultants who waste time and mean you have to wait two weeks to complete a 10-minute decision. I have been watching these people, and they fall into a few distinct categories:

Reassurance Guy - Gonna OK it but Needs His Hand Held

This chap is a good bet for spending a quiet afternoon mulling over one tiny risk. He will endorse eventually, but it's going to take a long time to get him there.

He'll be asking question after question, even though he has likely done his research and already knows the answers. He might even contradict himself, but eventually, after much foreplay, he'll send the approving email.

Think of it like a first date: You have to go through hours worth of dinner-buying, listening with feigned interest, hand holding and such before you get to put the cash in the register, as it were.

Annoyance factor: 3/5

Columbo - Questions and Never Decides

This is the guy I get stuck with on projects all the time. He drifts from assignment to assignment, usually on a Friday afternoon (hey, it's not like he has a girlfriend to hang out with) and asks questions. They'll range from the lamely open ("Which encryption should I recommend?") to the pointlessly precise, designed only to show that he knows something ("So, this has the encrypted media, but this one has USB lockdown. Which is best?").

The worst part is that everyone knows this guy can't decide on anything, and the project is left having to answer the never-ending inquiries. This guy takes longer than anyone, and you never know when it will end. It's like an episode of Columbo: "Oh, one more question."

Annoyance factor: 5/5

Try-Out Guy

This one is a pain for the business, but great for other consultants. Try-Out Guy has already done his homework online and narrowed the selection down to three security products. He is on the project merely to get a feel for the kit and decide which one he would like to spend the most time in the test lab with. You'll recognize him as the professional-looking fellow who tells the project that he "can't decide" between the products and wants one last scan before deciding. At every stage he'll tease the poor PM that he's almost decided.

Us other consultants love this guy, as he plays around for a few days to his heart's content with some bleeding-edge technology and we get to use the results.

Annoyance factor (for consultants): 0/5

Annoyance factor (for project manager): 5/5

Quick Question Guy - It's Never Quick

This one is a real pain. You know the guy: he calls you up just as you're heading off to lunch and says "Hey, mate, a quick question!" How can you refuse? If you were hoping it would be a quick "Do you have the latest template? Great, can you email me one," then you are a gullible fool. Quick Question Guy always manages to make it long, either rattling off more questions or just acting as if he had scheduled a meeting in the first place. I hate this guy.

Annoyance factor: 5/5

 This article was originally published at

Ian Tibble This is all bad - but believe it or not, it sounds like you had better experiences than I have. What I'm about to relate to you is a common story.

The situation I most often came across: a security consultant knows management standards, check-lists and buzzwords. When it comes to any practical situation, such as a new application migration, he or she has not even developed careful strategies to hide the fact that they cannot contribute anything useful to the project. Their checklist says "must have two-factor authentication" for example - but when it comes to the discussion of risk and whether or not the project team can be granted an goes silent. Pretty much the checklist is all that said consultant can contribute.

There is nothing clever in the approach. It's just - stay quiet. Don't answer emails. Don't contribute anything in telecalls. But when you're staying quiet and not contributing anything - don't appear to be ashamed. The one skill they have is to appear confident when they don't know anything useful - which is all the time.

The skill is really in "smarm". A consultant who can appear confident when not contributing anything useful, and is skilled in smarm, has a long career ahead of them. In the eyes of the clueless security manager, the confidence factor can make a useless consultant seem more useful than a knowledgeable consultant. And they have a CISSP - so they must be OK.
Saarang Aloni I appreciate your thoughts
Jamie Adams Excellent. I got a good laugh. Thanks, and yes, I can relate.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.