[In response to a LinkedIn query about finding an information security consultant for a 'security compliance project' (whatever that means!), I developed a slightly shorter version of the following advice, extending something I wrote much earlier in relation to finding a contractor/consultant IT auditor. I think the basic principles are quite general and deserve a wider airing, so I'm repeating them here for now. I may yet turn this into a paper for one of the websites or journals if the feedback is positive, provided I ever find the time and energy to continue.]
In preparing to contract with a consultant, there are maybe three or four distinct aspects to consider and document. Some issues blur across the aspects shown, and there may well be other factors you need to consider. Furthermore, answering the rhetorical questions below may involve reviewing other answers, plans etc. - this is an iterative process of Consider - Document - Review - Reconsider ...
- Define the work package or project including the business case, the objectives and deliverables, scope, resources, key parameters and ideally the metrics that will be used to determine and drive its success. Perhaps develop an outline or even a detailed project plan. Identify key milestones. Think about how the assignment fits in with other activities, initiatives, strategies, constraints etc. What are the project risks and opportunities, and how will they affect things? [This information would still be needed if the job was to be performed in-house. It is worth investing your and your colleagues' time to get this part right from the outset, and in fact to maintain it as the project proceeds since things often change (particularly the scope and hence the deliverables, but also the resources and timescales and hence the costs: see Val IT).]
- Determine what type/s of person or people you want for the assignment. What qualifications and experience matter most? Are you happy with a junior or do you have enough of a challenge to tempt a guru into full engagement? What are the personal characteristics that would particularly suit the job (e.g. drive, resourcefulness, flexibility, creativity, attention-to-detail, wisdom, good dress sense ...), or conversely would be unsuitable? What Myers-Briggs Type Indicator would your ideal person probably have? What kind of person would you personally like to work with - a friend and mentor or a self-contained get-the-job-done type? Are you looking for a consultative, assistive or collaborative approach from them, or something more confrontational or challenging? Someone who fits in with your preconceptions, culture and ways of working, or someone a bit different, to stir things up, innovate and introduce change? A team-player, leader or loner? And, talking of team, who will they be working with, and what are their drivers, needs and preferences? [There are plenty of creative possibilities in this section to go well beyond the traditional job specification. Thinking it through, writing it down and discussing it with candidates (before, at the start of and during the job) increases the chances of them doing what you want, and is a good way to identify emerging issues that can be addressed at the earliest opportunity.]
- Determine how the project/assignment will be managed and paid for. How would you like to relate to/manage/deal with the consultant(s)? Do you want them to take the lead, drive the job, report their findings, generate action plans, deliver specific deliverables etc., or do you purely want a lap-dog to do your bidding under your strict guidance? Or something else? Seriously, who's in charge? Are you thinking about someone to organise and coordinate/manage a team of information security pros, or a lone worker? How will the deliverables be assessed for quality, suitability and customer satisfaction? What about those metrics mentioned above: do you want daily/weekly status updates, monthly progress reporting, a completion statement, timesheet and invoice, or what? Do you expect 9-5 attendance on site, 6-8, 24x7, weekends and holidays, off-site working, mixed on/off-site, multi-site, occasional hours or days or weeks, or what? Can the consultant take lunch breaks, tea breaks, holidays, sick days ... or is it full-on nap-under-the-desk stuff?! Will you pay an hourly/daily/weekly/monthly rate for as long as it takes (or up to a certain fixed amount), or agree a fixed price up-front (possibly with initial, interim and final settlements)? If things back up or go wrong, do you expect the consultant to work additional hours/days/weeks to get them resolved, and if so will you pay (do you have contingency in your budget, and what are the criteria for using it)? How will things be addressed if the consultant is not performing as expected? Who makes the key decisions - you, your boss, a project board/committee or someone else? At the end of the assignment, what will happen: will you shake hands and part company, or is there a genuine prospect of further work in the pipeline if everything goes well? This governance and management stuff is another important section, often neglected.
If you get this section right, your working relationship with the consultant/s should be much less stressful all round (exactly the same point applies, by the way, to the consultant/s!).
- Determine and clarify the broader context. Think carefully about the corporate, business and even industry and social contexts for the job, recognizing that the situation as it is today may change in due course both because of the assignment and despite it. Review the drivers, objectives, timescales, constraints and risks to distinguish those that are genuinely cast in stone from those that have some flexibility. Think about other strategies and parallel initiatives, and how they might or will affect the job. For example, are you at the primitive or more advanced stages of maturity, today, and where do you expect to be in a few months' time? Aside from the identified, discrete deliverables of the project, look for other more subtle changes in the organization if the project is a success (and, for bonus marks, consider the full range of possible outcomes from 'wildly exceeds all expectations' to 'abysmal, abject failure'!). [Note: this is an ongoing activity throughout the assignment but it will help the consultant/s get off to a good start if you have considered it in advance.]
I fully appreciate that one of the main reasons for seeking consultants and contractors is that you are resource constrained, and that addressing all of the above is yet another drain on your valuable time and effort. On the other hand, as an auditor reviewing numerous projects, I usually found myself wishing that the project sponsor, manager or board had paid attention to the items shown - in some cases, not just 'paid more attention', but given them any thought whatsoever! Project governance and management are tricky topics even for highly-experienced, well-qualified professionals, and I urge you to prepare proactively for proper projects because prior planning prevents piss poor performance (or something like that). Do your homework.