10 Questions to Ask an IT-Security Consultant

Updated: April 30, 2009

Finding the right IT-security consultant is a little like searching for a good family doctor. You need to hire someone who is intelligent, insightful, understanding and a good communicator. To get to the truth and discover if the person you're interviewing really knows his or her stuff, you'll need to ask some offbeat and tricky questions. Here are 10 questions to use in your search for an IT-security consultant:

1. What is the danger posed by the MyDoom virus? Actually, MyDoom is a well-known worm, not a virus. A sharp consultant will correct you on this point. If the consultant simply proceeds to describe MyDoom's actions, he or she may be unassertive or ignorant — not good traits for a security expert. If the individual has never heard of MyDoom, you may want to wrap up the meeting in a hurry.

2. A DDoS attack has just been launched against my Web site. What can you do to stop it? Once launched, DDoS (distributed denial of service) attacks cannot be stopped, but steps can be taken to defend the site. If the consultant makes elaborate claims about how he or she would halt the onslaught, or says there is no way to defend against a DDoS, find someone else.

3. What are three ways of securing a Wi-Fi network? A consultant with even minimal knowledge of wireless security should be able to answer this question without pausing.

4. Create a password for me. Why is this a good password? If the consultant cannot create a well-constructed password and explain the logic behind it, he or she does not understand a most basic security concept.
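The answer to question 4 has two parts: a password that is actually random, and a short argument for why it is strong. As an added example that is not part of the original article, the Python script below shows both. It generates a random string or a random passphrase with the operating system's cryptographic random source (`secrets`) and computes the entropy argument a consultant should be able to state. The word list is a constructed sample of 16 words; the 7,776-word figure in the script is the size of a standard diceware-style list and is used only to show how entropy scales with the list actually used.

```python
import math
import secrets
import string

# Constructed sample word list for the demo. A real diceware-style list has
# 7,776 words; the entropy of a passphrase depends on the list actually used.
SAMPLE_WORDLIST = [
    "anchor", "basil", "cobalt", "drift", "ember", "falcon", "glacier", "harbor",
    "ivory", "juniper", "kettle", "lantern", "meadow", "nickel", "orbit", "pebble",
]

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(pool_size, picks):
    """Bits of entropy for `picks` independent uniform choices from `pool_size` options."""
    return picks * math.log2(pool_size)


def random_password(length=16, alphabet=PRINTABLE):
    """Uniformly random string drawn from `alphabet` using the OS CSPRNG (`secrets`)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(words=5, wordlist=SAMPLE_WORDLIST, sep="-"):
    """Random passphrase: easier to remember, and its strength is easy to reason about."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def explain(kind, value, pool_size, picks):
    """Return the strength rationale a consultant should be able to give for `value`."""
    bits = entropy_bits(pool_size, picks)
    return {
        "kind": kind,
        "value": value,
        "entropy_bits": round(bits, 1),
        "rationale": (
            f"{picks} choices drawn uniformly at random from {pool_size} options, "
            f"so the search space is 2^{bits:.0f} (about {2 ** bits:.2e}) candidates; "
            "the value is not derived from any word, date or keyboard pattern that a "
            "dictionary or rule-based guessing attack would try first."
        ),
    }


if __name__ == "__main__":
    pw = random_password()
    print(explain("random string", pw, len(PRINTABLE), len(pw)))
    pp = passphrase(words=5)
    print(explain("passphrase", pp, len(SAMPLE_WORDLIST), 5))
    # Same construction with a full 7,776-word list: five words give about 64.6 bits.
    print(round(entropy_bits(7776, 5), 1))
```

The point a good consultant makes is that strength comes from the size of the space the password was drawn from, not from how strange it looks: a 16-character random string over 94 printable symbols is worth roughly 105 bits, while five words from the 16-word sample list are worth only 16 bits and need the full list to reach a useful 64 bits.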

5. How can HEPA help my security? HEPA (high-efficiency particulate air) is a type of air filter that is often used to clean the air in a data center, helping servers and other expensive hardware guard against dust contamination. It's OK if a consultant doesn't know what HEPA is, since it's not directly related to security. But a consultant who thinks HEPA is an acronym for a type of IT or security specification may be trying to bluff you. You don't want to hire someone like that.

6. Why is WEP a good way of encrypting a hard drive? This is another trick question that's designed to test basic security knowledge and smoke out bluffers. WEP (Wired Equivalent Privacy) is a rather poor way of protecting data sent over an 802.11 wireless network. You would not use WEP to encrypt a hard drive.

7. You've just discovered that Frank in HR has a secret stash of child pornography on his hard drive. What do you do? This question will help you judge the consultant's ability to handle a serious and complex problem with security, business and legal implications. Most of all, you want to see that the consultant will not do something stupid, like contact Frank directly without involving you or another senior staff member.

8. Has a client ever fired you for doing something dumb? No intelligent, skilled security expert would ever admit to doing something so stupid that it resulted in losing a client. A dumb security consultant would, however. Listen carefully to the response and decide for yourself whether you should ditch this person before something preventable happens to you.

9. How can iPhone security threats be mitigated? The iPhone is a relatively new product, so the consultant's response can help you determine whether he or she is keeping up with emerging security issues.

10. How would you handle network-endpoint security? This question on the broad topic of endpoint security will give the consultant a golden opportunity to showcase his or her knowledge and analytical skills. If the individual answers with a detailed multi-faceted strategy, great. If the answer is vague or ambiguous, send the consultant home.
