10 Questions to Ask an IT-Security Consultant

Updated: August 20, 2012

Finding the right IT-security consultant is a little like searching for a good family doctor. You need to hire someone who is intelligent, insightful, understanding and a good communicator. To get to the truth and discover whether the person you're interviewing really knows his or her stuff, you'll need to ask some offbeat and tricky questions. Here are 10 questions to use in your search for an IT-security consultant:

1. What is the danger posed by the MyDoom virus? Actually, MyDoom is a well-known worm, not a virus. A sharp consultant will correct you on this point. If the consultant simply proceeds to describe MyDoom's actions, he or she may be unassertive or ignorant — not good traits for a security expert. If the individual has never heard of MyDoom, you may want to wrap up the meeting in a hurry.

2. A DDoS attack has just been launched against my Web site. What can you do to stop it? Once launched, a DDoS (distributed denial of service) attack cannot be stopped at its source, but steps can be taken to defend the site. If the consultant makes elaborate claims about how he or she would halt the onslaught, or says there is no way to defend against a DDoS, find someone else.

3. What are three ways of securing a Wi-Fi network? A consultant with even minimal knowledge of wireless security should be able to answer this question without pausing.

4. Create a password for me. Why is this a good password? If the consultant cannot create a well-constructed password and explain the logic behind it, he or she does not understand a most basic security concept.
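The "why is this a good password" part of question 4 is what separates a bluffer from a practitioner: a good answer names the character set, the length, the resulting entropy, and why a dictionary word with substitutions does not earn the same credit. The following script is an added example, not code from the original article; it generates a random password with Python's `secrets` module, estimates its entropy from the character classes it draws on, and flags obvious weaknesses. The four character classes, the 60-bit threshold and the tiny common-password list are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumed character classes a password may draw from.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.<>?",
}

# Constructed, deliberately tiny denylist of well-known weak passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}


def generate_password(length=16):
    """Return a random password containing at least one character from every class.

    secrets.choice uses the OS CSPRNG, so the estimate below is a fair
    measure of its strength; that is not true of human-chosen strings.
    """
    alphabet = "".join(CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES.values()):
            return candidate


def classes_used(password):
    """Names of the character classes that appear in the password."""
    return [name for name, cls in CLASSES.items() if any(ch in cls for ch in password)]


def charset_size(password):
    """Size of the alphabet the password appears to draw from."""
    return sum(len(CLASSES[name]) for name in classes_used(password))


def estimate_entropy_bits(password):
    """Entropy upper bound: length * log2(alphabet size).

    This assumes every character was picked uniformly at random, so it
    overestimates the strength of words, names and keyboard patterns.
    """
    size = charset_size(password)
    if size == 0:
        return 0.0
    return len(password) * math.log2(size)


def assess(password, min_bits=60.0):
    """Explain why a password is or is not acceptable under these assumptions."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in a common-password list")
    bits = estimate_entropy_bits(password)
    if bits < min_bits:
        reasons.append(f"estimated entropy {bits:.1f} bits is below {min_bits:.0f}")
    return {
        "bits": round(bits, 1),
        "classes": classes_used(password),
        "acceptable": not reasons,
        "reasons": reasons,
    }


if __name__ == "__main__":
    pw = generate_password()
    print(pw, assess(pw))
    print("password", assess("password"))
```

The generated 16-character password scores roughly 100 bits because 87 possible characters per position raised to 16 positions is a large search space; "password" fails both checks. The denylist check matters because the entropy formula alone would credit a guessable word as if it were random, which is exactly the mistake a weak candidate makes when explaining a password.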

5. How can HEPA help my security? HEPA (high efficiency particulate air filter) is a type of air filter that is often used to clean air in a data center, helping servers and other expensive hardware guard against dust contamination. It's OK if a consultant doesn't know what HEPA is, since it's not directly related to security. But a consultant who thinks HEPA is an acronym for a type of IT or security specification may be trying to bluff you. You don't want to hire someone like that.

6. Why is WEP a good way of encrypting a hard drive? This is another trick question that's designed to test basic security knowledge and smoke out bluffers. WEP (Wired Equivalent Privacy) is a rather poor way of protecting data sent over an 802.11 wireless network. You would not use WEP to encrypt a hard drive.

7. You've just discovered that Frank in HR has a secret stash of child pornography on his hard drive. What do you do? This question will help you judge the consultant's ability to handle a serious and complex problem with security, business and legal implications. Most of all, you want to see that the consultant will not do something stupid, like contact Frank directly without involving you or another senior staff member.

8. Has a client ever fired you for doing something dumb? No intelligent, skilled security expert would ever admit to doing something so stupid that it resulted in losing a client. A dumb security consultant would, however. Listen carefully to the response and decide for yourself whether you should ditch this person before something preventable happens to you.

9. How can iPhone security threats be mitigated? The iPhone is a relatively new product, so the consultant's response can help you determine whether he or she is keeping up with emerging security issues.

10. How would you handle network-endpoint security? This question on the broad topic of endpoint security will give the consultant a golden opportunity to showcase his or her knowledge and analytical skills. If the individual answers with a detailed multi-faceted strategy, great. If the answer is vague or ambiguous, send the consultant home.
