When I was starting out doing consulting network defense, one of my mentors reminded me that we should always try to call out the things that a client does well in our report. I thought that was a little weird and unrelated, since our whole goal was to tell them what they did wrong, but he explained a bit more at length and I got it. I think that’s lesson that we can all benefit from, whether writing reports or giving a presentation to client leadership.
Expectations and Investments
While what we’re asked to do depends on which engagement we’re on, we’re generally asked to tell them what’s wrong with their network and how to make it better. However, in the overwhelming majority of times, we’re not asked to examine a brand new network - it’s typically a network that people have been running for a significant length of time. This means that the administrators tend to have emotional investments in why things are certain ways, what technologies are in use, and how they do their daily tasks. It’s also one that users have been on - and those administrators have had to deal with the users and their demands the entire time as well.
I once started a conversation a few years ago with some colleagues saying “I know you’re going to say no, I know you’re going to tell me this is an absolutely stupid idea, can never be secured, and will result in the destruction of the world as we know it. However, the CEO demands it. So either we figure out a way to accomplish this while staying moderately secure, or we tell him that he can’t do it. But if we go with Door #2, he’s going to do it anyway and then we get no input at all in how to secure it.” So again: by understanding the environment and why decisions were made, we can make intelligent suggestions going forward.
As such, if we come into a client’s organization and immediately start telling them that all of their decisions are horrible without understanding the business reasons that likely drove those decisions, we risk having our future opinions discounted because “we don’t get this environment.” That’s not to say that we give them a free pass, but that we need to adjust our line of thinking to what the client’s requirements are.
Adding More Tools
I frequently pick up good ideas from client implementations of various technology. It’s a rare client where I run across nothing new and nothing that I’d go “Huh, that’s a smart way of dealing with that problem.” At each of those instances, I try to make a mental note of what they’re doing and how I can extrapolate those lessons to the rest of my clients. The more details we can get (what works well, what doesn’t work, growing pains, etc.) the more accurately we’re able to spread good practices. After all, people are a lot more receptive to a recommendation if you can honestly tell them you’ve seen it working in a production network.
Since we aren’t doing the day-to-day operations of large networks, one of our primary sources to learn about such things is from our clients themselves. While doing a penetration test or red team engagement, have you ever run across a client security practice that makes your life harder? Something that, while you’re impressed they’re doing it, you really wish they weren’t doing it right then and there because it’s keeping you from being successful?
Giving Credit For Good Defenses
When we run across defenses like that, it’s always a good idea to make a note in our report. Why? Because this is a network that was built and operated by people - people who’ve probably been doing it for several years, who’ve done it across multiple budget cycles, and who have fought for every penny to add capabilities and defenses. And if we see them doing something right, we should compliment them on that - and they can take it to their management and feel justified that at least some of the money they spent on defenses provided value.
While our job isn’t to blow smoke for our clients, it is the nature of consulting that personal relationships tend to matter as much or more than your pure technical skills. As such, if we can honestly compliment our client in front of their leadership instead of only harping on everything they’re doing wrong, we are more likely to have a lasting working relationship and much more likely to be thought of as a trusted advisor instead of the guy who just does penetration tests for them.
And on an amusing note, I’ve had clients start laughing and groaning when my presentation starts with a set of things they’re doing well - because they know I’m giving them the compliments up front and about to hammer them with the stuff they’re doing wrong. But they know that I’m also invested in helping them get better, and they do like the reassurance that they’re moving in the right direction.