I’ve led cybersecurity programs at several companies, and since shifting into consulting, I have helped clients lead and oversee their programs in a fractional and interim CISO capacity.
As I think about the pain points I faced in working with consultants over 20 years as a corporate practitioner and cybersecurity leader, I am very intentional about showing up every day with my clients in a way that I would have appreciated on their side of the table.
I’ve gotten too many cold calls, emails, and follow-ups from consulting companies convinced they have the strategy my teams have been missing.
Here’s the thing: Those consultants rarely took the time to understand our actual needs, business climate, and budget reality.
When I joined the team at #RevealRisk, I knew I wouldn’t be one of those consultants that companies dread hearing from or felt compelled to use because senior management or a board member had some affiliation. My goal, always, was to provide consulting solutions that put the client first.
Along the way, I’ve collected a list of insights and requirements that I ensure I exemplify and insist from all my team members.
DITCH THE BAIT-AND-SWITCH
What do you do when the promised top-tier consulting talent fails to materialize on projects you’ve owned or sponsored? I’ve sat across from consulting partners and leads who promise their work on a project they are selling.
However, in far too many cases in my corporate cyber leadership roles, their time is replaced with junior talent who might not be up to the work. In some cases, these inexperienced resources were left alone with unclear guidance. The result? A waste of valuable time, resources, and money. AKA – the pesky “bait-and-switch” maneuver.
A note to the consultants that follow along: deliver on your promise. Don’t “outkick your coverage.” Your brand and credibility matter.
POWERPOINT FLUFF ISN’T ENOUGH
Pretty PowerPoint presentations are nice and, in some cases required, but it not hard to pick out decks that are cookie-cutter in nature or lack meaningful content. My questions when seeing a presentation for the first time? Is it aligned with our organizational needs? Is it bold but practical? Is it clear? Is it implementable without selling me an additional project?
This all may sound pretty basic, but I’ve paid for far too many PowerPoint decks that lack meaningful content in my corporate tenure.
In mitigating risk, mapping out cyber strategy, and protecting business crown jewels I much prefer practical recommendations and solutions over jazzy powerpoint skills.
KEEP CONSULTANT TEAMS LEAN
When teams are overloaded with too many consultants, costs go up while efficiency goes down.
I believe in adequate resources. But, when consulting teams pile on the “support” (and with it, the cost and loads of consultants all covering the same meetings), I draw a line.
I believe in operating with lean, agile teams (and finding the right team members for the engagements).
Here’s how we do just that at #RevealRisk.
- Engaged director with practical client applicable experience. I own scoping for all the work I oversee and have ownership of execution.
- Right-sized team to get to the result, but not add any waste (or extra costs).
TRANSPARENCY OF METHODOLOGY MATTERS
I get it. In consulting, you are buying and selling expertise. Intellectual property (IP) in consulting can be unique methodologies, but it is essential not to keep it too close to the vest that it is hard to understand.
For instance, I wasn’t eager to buy into a consulting company with a unique model to assess a cyber program that blends concepts from NIST, ISO, proprietary concepts, etc. That wouldn’t have helped me as a cyber leader in my corporate role, but I can see that it might lead to stickiness where all recurring assessments flow to that same firm because it is hard to compare with any other results.
I would instead suggest that consultants apply their thought leadership and insights to the strategy and recommendations coming out of the gaps that are found. I often left feeling shortchanged at the end of NIST CSF Assessments.
LISTEN FIRST BEFORE RECOMMENDING
Simple request: understand my actual needs versus pushing generic solutions. I get the temptation to bring insights from elsewhere, but when you rush into trying to know the answer, you can miss or lose the context. Unfortunately, with that often goes your credibility.
I would much more value a consultant who listens, learns, recommends, and acknowledges when they don’t have the answer but is eager to help find the answer.
At #RevealRisk, I’ve experienced a great culture that doesn’t coerce me to become a used car salesmen… which is good, because I’m not about to tell the cyber “cassette deck player” is a hip cool fad that everyone is going with. I did just buy a record player though, because I’m retro like that.
PRODUCT PUSHERS NEED NOT APPLY
After shifting to a consulting leadership role after 20+ years on the corporate side of cybersecurity, I thought I had a good bead on the various options in the consulting market. However, I see a more complete picture now that I’ve been on both sides of the table.
And I definitely have my opinions on where consultants should be positioning with products and where they shouldn’t. Here are a few of my own personal tips for both consultants to think about and buyers to be wary of:
· “Advisors” should be careful or avoid pushing proprietary solutions and must prove unbiased recommendations.
· Both the consultant and the buyer should be transparent on where they have affiliations and business relationships, especially when helping with cyber strategies, technology rationalization, or supporting RFPs (request for proposal) from numerous tool vendors.
· I only want to support a client in procuring a cybersecurity tool if requested. I’m able to remain technology agnostic unless a client makes a decision and wants my help. This is why I did not join a Value Added Reseller (VAR) firm where selling tools is a primary objective. I don’t intend to knock on VARs, I’ve used them in my corporate life – I just encourage you to use discretion of where they have conflicts and where they do not. Otherwise, you might be paying them to recommend something they are getting paid for.
· At the end of the day, our industry needs fewer sales pitches masquerading as consultations or consulting engagements!
STRIVE FOR PARTNERSHIPS NOT JUST TRANSACTIONS
Building a “partnership” between a corporate client and a consulting company doesn’t happen overnight. It takes time and work to achieve and maintain, just like any relationship.
However, sometimes consulting companies and individual leaders take on too much, and the output starts to feel more “transactional.” It is important to build trust through transparency and responding to feedback (2-way).
In my 2+ years at Reveal Risk, I’ve appreciated how we get to spend real quality time with clients and build lasting relationships and support that transcends an individual project. Most of our clients return to us for more work, but it is not always immediate. I’m always eager to help, but I don’t want to come off as pushy (as I know that this is “turn-off” to engagement on the buyer side). I tend to tell people that I’m following up because I know they are busy, but I have been in their shoes when answers, approval, or funding are not always immediate.
MEASURE SUCCESS COLLABORATIVELY
Many of my ideas and posts in this Corporate / Consulting Cybersecurity Insights series have been focused on helping clients better discern quality consulting solutions, but also to help my fellow consultants learn how to be better through my experience on the other side of the table.
However, one of the most important things to get that win-win involves being proactive and intentional in defining how to measure success collaboratively between client and consultant. This can pertain to success criteria for the project itself, but maybe even more importantly, measure success for the output or execution from the consulting project. For example, if I’m helping a company revamp its cyber risk management program strategy and roadmap, I always like to spend some time structuring some success criteria and operational effectiveness measures that the team can use as they implement or grow the process/program.
As a consultant, I can’t just pull out what worked at the last client. I have to dial that into something meaningful for that program, leader, and company culture. It needs to align with realistic goals and be achievable so the team doesn’t lose momentum.
How many of you have completed an engagement with a consulting company and have been left with a long list of gaps and opportunities with an unclear path forward to implement or sustain them?
A good consultant or advisor is very intentional about tailoring recommendations with clear prioritization and alignment to budget and resourcing reality. Otherwise, the output may just be an expensive paperweight that achieves a low percentage of its potential.
The recommendations phase of any project should be collaborative to dial this in. The solution must live and breathe in the client’s organization to be effective. The client stakeholders need to be able to carry the function, program, or process forward without additional help from the consultant who delivered it.
At Reveal Risk, we evaluate, design, and deliver strong processes and results in cyber, privacy, and risk that work efficiently, are fit-for-purpose, and are sustained. If you want assistance building your company’s cyber security strategy, governance, and plan towards desired state maturity, please don’t hesitate to contact us at info@revealrisk.com
317.759.4453
About the Author
Chris is a recent practitioner with 20+ years of security risk management experience and over 15 years working in pharma and life sciences organizations. He’s worked in the cybersecurity programs at Merck & Co., Inc., C.R. Bard/Becton Dickinson, and Catalent Pharma Solutions. Chris specializes in program development across several domains in cyber security, including strategy, internal/third-party risk, vulnerability management, engineering, operations, incident response, and data security.
