“Do better” isn’t good cybersecurity advice

Recently, I saw a social media thread asking for bad recommendations organizations receive from consultants.  Examples included “ensure all systems are patched”, “implement network segregation” and “maintain an asset inventory.”  From a high-level view, these suggestions seem anodyne; after all, they are based on and included in many security frameworks, including ones from NIST and ISO.  Indeed, quite a few people leapt in to defend the recommendations.  So, let’s discuss why they are not helpful:

It is not 1998 anymore.  Everyone, even those not worth their salt, is aware of the need to keep systems patched, to segregate networks, and to assign access on the principle of least privilege.  Every CIO, CISO, VP of Technology, etc., if they could wave a magic wand and seamlessly patch every system, would.  “Well then,” ask the critics, “why aren’t all systems patched?”  That is the question too few consultants bother to ask, or, if they do, they don’t pay enough attention to the answer.

Perhaps the organization has outgrown its patch management system, and the system itself is not able to keep up with the volume of systems or the variety of different types of systems.  Perhaps the staff isn’t using the system to its full potential.  Almost certainly, there are numerous systems where there are OS or library patches that are incompatible with the application software.

If a consultant can determine these root causes, likely through discussion with management, then they can make recommendations such as “Consider upgrading your patch management system” or “Staff needs additional training to fully implement your existing patch management system,” which will be far more effective in helping IT management get budget to improve the environment and keep systems patched than a generic “ensure all systems are patched.”  Highlighting to senior management that some small system they think “just works” is actually risking a cyberattack is more valuable than making them think their IT staff isn’t doing a good job.

Consultants should focus on the goal of improving the organization that hired them, not catching some part of the organization in a mistake. While improvement requires identifying areas that are ripe for improvement, it also means identifying what is holding those areas back from improvement. For the fees consultants are paid, they should offer more insight than a simple, “Do better.”