More and more enterprises are turning to consultants to help out with security projects, often with mixed results. At the recent RSA Conference 2001 in San Francisco, a consultant who has been involved in successful projects as well as some less-than-successful engagements provided tips on how to avoid the pitfalls.

Eran Feigenbaum is a manager in PricewaterhouseCoopers' Technology Risk Services group, where he leads its public key infrastructure (PKI) deployment practice. In his session, "When and How to Use Security Consultants," he first outlined the motivators that could drive a company to hire a security consultant. They include gaining access to specialized skills for work you would do only once or twice a year, such as ethical hacking, or only once, such as a PKI implementation. Consultants can also be cost-effective: they come in to do a single job, are not added to the payroll, and don't get paid if they don't produce. They also should be impartial and objective, without a predefined agenda.

Selecting a consulting firm requires that you ask yourself a series of questions, Feigenbaum says. Why do you need help? Is it a time-to-market issue, or a lack of skills? What is your corporate culture, and what is the consultancy's? If yours is a suit-and-tie firm, "Will you be able to deal with a guy in shorts on roller skates?"

Look also at whether your company has any history with the consultants you're considering, whether that history was positive or negative, and why. Don't be too quick to give a consultant credit for a success; maybe the project was just plain simple to begin with. Ask instead whether the firm did something special that led to the success.

Examine the history of any consulting firm you consider, to determine its background in the area you need addressed. Find out whether the firm has done similar projects in the past, and ask for references. "It's tough to get client references," Feigenbaum says, especially in the security field. "But don't accept no references at all."

When it comes to timing for the project, be wary if the firm can meet an aggressive start date. It may simply be fortunate timing on your part, in that the firm is just finishing another engagement, but it could also mean the firm doesn't have much work at all. Find out whether the firm can commit the same number of people for the duration of the project. Ask, too, why the firm wants the job. What are its priorities? It could be that the firm wants to gain experience in a new area and will be training new people at your expense.

The quality of the project team is another consideration. "Beware the bait and switch," Feigenbaum says. That's where one team gives the project presentation that sells you on the company, and an entirely different group does the real work. Look at the individuals on the team and make sure there's a good balance between junior and senior members. Assess both the background of the junior members and whether the senior members will be able to manage them. Will they be able to handle your project?

Be especially wary of low-priced vendors. "Most firms have similar costs," he says, so an unusually low price could mean the firm is staffing the job with lots of junior people or has little experience with the security technology in question.

Once you've selected a security consulting firm, Feigenbaum says there are a number of keys to success.

First is consistent, top-level accountability from both sides of the fence. That means having a high-level person from both the consulting firm and the customer acting as the point people on the project.

It's also important that the consultants and client employees work as a team. "You shouldn't be able to tell the difference," Feigenbaum says.

And beyond a detailed project plan, you also need a tracking mechanism that flags any component that is falling behind, so that you can determine its effect on other items and try to mitigate that effect.

Other keys to managing the engagement include getting consistent and frequent status reports and approving deliverables as they are delivered. That's an important step, Feigenbaum notes: it's bad news for the consulting firm to find out a month or more after the fact that a deliverable is unacceptable. By then it has probably already affected a number of other areas and will be that much tougher to fix.

Knowledge transfer is another key consideration. Make a plan for how to teach your employees what they'll need to know about the new technology without hindering the consultants in doing their job. Determine also who will maintain the system over the long term. And tackle both issues throughout the project; don't wait until the end.

Beware also of too many changes in consulting personnel. Some turnover is inevitable, Feigenbaum says, but at some point you can say you're not willing to accept any more. Determine up front who pays to get replacement personnel up to speed.

It's also nearly inevitable that some problems will arise during an engagement. When they do, meet with the consulting reps who sold the project as well as the people on the client side who bought it, and determine where the disconnects in expectations are. Then come up with an action plan, which may include anything from adding resources to changing sponsors or canceling the project.

Whatever you decide, update all parties involved immediately, as they will be wondering what's going on. "No matter how fast email is today, rumors are faster," Feigenbaum says.