An information security consultant is a specialist type of independent business advisor, bringing the benefit of scarce and highly technical expertise to bear on a wide range of issues in organisations today. There are many kinds of security consultants, with particular niches of expertise, as follows:
- A penetration tester attempts to find the vulnerabilities in an organisation’s computing network, and advises on how they may be fixed.
- An information security auditor will assess the compliance of the organisation with recognized infosec standards, such as ISO 27001 or PCI DSS, and may proceed to certify the business against the selected standard.
- A CLAS consultant will provide UK Government-accredited information assurance consultancy, usually to British government agencies.
- Business continuity professionals will assess the organisation’s resilience in the event of a major disruption, and will advise on ways of improving its ability to survive even a major incident. This includes disaster recovery measures for the organisation’s IT facility.
- An advisor who concentrates on computer security consulting will give advice on firewall configuration, network topology, anti-malware software, password policies, access control, allocation of access rights on a least privilege basis, and similar technical security controls.
- An information assurance specialist will give advice on an organisation’s information security management system, including the overall infosec policy, procedures and guidelines, security awareness and training, and the relevant sections of contracts.
It is clear that an information security consultant can have a wide range of skills and experience. He or she must be able to interact with anyone in the organisation, from presentations at Board level to deeply technical discussions with the IT systems administrators. Security experts in general may have a background in computing, but have usually branched out into a broader field of experience, and are able to set computer security problems in a much wider context that evaluates the impact of those technical problems on the business as a whole.
An information security consultant can be an enormous asset to a business that is prepared to use these skills wisely. He or she will be able to alert the organisation to unsuspected issues that might cause real problems later if not fixed. Even if no major issues are found, it can be of great benefit to have a fresh pair of eyes assessing the organisation’s current security posture, simply as a means of reassurance for the company and also for customers or partners. This is especially true in cases where formal accreditation to an international standard has been achieved. Security consultants may appear an expensive luxury, but in fact their expertise, and the benefits they can bring to a business, will more than repay the initial outlay. If an information security consultant prevents a breach by hackers, or a business disaster, then the investment has been very wisely made.