Categories
For Infosec professionals

Conversations with an Infosec Consultant…

yakyak

You know you are a consultant when you are unable to describe what you do for a living to an acquaintance you meet. Most of my casual conversations go like this:

Me: “So, what do you do?”

Acquaintance(ACQ): “I work at a bank/ an IT services firm/  a manufacturing organisation.”

ACQ: “And what do you do?”

Me: (already beginning to dread the conversation)”I am a consultant.”

ACQ: (with little crinkles around his nose) “So what EXACTLY do you consult on?”

What I fail to understand, is that while working at a bank is a perfectly acceptable answer that requires no further explanation, being a consultant requires you to provide a justification for being a consultant. This is how I would like to take the conversation forward.

Me:”I advise companies on what to do. What EXACTLY do you do at the bank?”

ACQ: “I am in the treasury department.”

(Again, notice the fact that being in a department is considered sufficient explanation)

Me: “So what EXACTLY do you do in the treasury department”

ACQ:(starting to shuffle a little)”I am in liquidity management”

Me:”What do you do in liquidity management?”

.

.

.

You get the drift.  I would like to get to the point where the fellow says “I stare at a screen full of numbers in excel and report to my boss if it goes above an agreed level.”, or “I generally send some mails to my team members and hope they will do some work.”, Or “I try to search for avenues where I can embezzle funds”. Now, that would be fun.

Alas, most of my conversations actually proceed like this:

Me:”I advise companies on risk management in IT.”

Now, either the acquaintance will say OK and not talk to me any further, or he will labour on

ACQ: “What do you mean when you say risk management?”

Me: (to myself, of course)”You idiot. If I could explain the whole of risk management in a few minutes of casual conversation, I would not have too many consulting assignments. Or, do you want me to get into the entertaining discussion of black swan and perfect storm events and that lively discussion on the usefulness of the bell curve? Or maybe the technical differences between the NIST and Octave methodologies?”  (Out loud) – “Well, every business has some risks. We identify the risks, we identify how likely are these risks and what would happen if they occur.”

I generally try to simplify the concept as much as possible. No point in explaining to casual acquaintance the many ways where the ‘probabilities’ are calculated, or the way ‘impact’ is calculated, the tangibles and the intangibles and the whole risk universe. This, however, seems to encourage and embolden the acquaintance.

ACQ:(now scoffing at the simplicity of it all)”OK, I get it now. So how do you identify risks?”

Me:(to myself)”I should have asked him what HE meant by working in a bank first.” (Out loud) – “Well, we conduct management workshops and brainstorm different scenarios…”

ACQ:(interrupting me) “So you ask us what our risks are and tell it to us… HAHAHA”

Me: (imagining strangling the acquaintance with my bare hands) “HAHAHA – that is what I am – A consultant”

One reply on “Conversations with an Infosec Consultant…”

Leave a Reply

Your email address will not be published. Required fields are marked *