Here is something to think about as a security/privacy consultant or consulting team, big or small …
When you work on client consulting engagements, what are you really focused on?
- Is it just your methodology, the “quality” of your documentation deliverables or implementing a piece of technology?
- Are you also thinking about the immediate and long-term value to the client in terms of definite outcomes? By outcomes, I mean the results that should really matter in the security/privacy profession, i.e., specific reduction in security or privacy risks.
Based on what I see of the Information Security and Privacy engagements, most consultants are so fixated on the former and just don’t get themselves to think much of the latter.
Here is something I would urge all consultants to do – Go back and talk to the clients that you have worked with over the past few years. Do an honest evaluation of how useful your engagement deliverables have been to the client, in terms of the outcomes that really matter, i.e., the extent to which the deliverables have helped the client reduce security/privacy risks (risk of regulatory non-compliance included). Assuming that the client has indeed benefitted by way of the outcomes, do you honestly think the benefits were worth the dollars the client paid you?
I see one too many engagement deliverables of even “big name” consultants ending up as just “shelf-ware”. I have noticed this trend especially with engagements related to risk assessments and development of specific security or privacy strategies. In almost all cases, I would attribute the failure to a lack of understanding by the consultant regarding what “really matters” to the client. I also suspect in some cases that the consultant didn’t bring the “right” people to the engagement and perhaps failed to provide quality oversight or leadership to the Engagement Team. In some extreme cases, I believe the consultant was trying to blindly leverage template deliverables from elsewhere. In other words, they were trying to fit a square peg in a round hole, as it were.
Now, I know there are many consultants or consulting teams that would argue that they are not (at least not entirely) responsible for all of the client outcomes once they are no longer working with the client. While that may be true, I would argue that it is your responsibility to leave the client buyer or sponsor with a list of actionable objectives that the client needs to work on further if he/she is to realize the expected outcomes. And of course, your deliverables should have been good and conducive enough in the first place for the client to execute effectively towards those outcomes.
So, what do we need to do to stop this trend? Here are some thoughts:
- Right from the first conversation with the client, focus on client outcomes and how the client may measure those outcomes.
- Based on the outcomes, agree upon appropriate deliverables. Don’t include deliverables for the sake of deliverables.
- When signing the engagement letter, make sure to include a section on measurable outcomes and how your engagement deliverables may help the client in realizing those outcomes subject to the client taking some specific actions.
- Coach your engagement team to always have a keen eye on how every task they perform during the engagement is going to help with what “really matters” to the client, i.e., achieving the outcomes.
- Don’t be wedded to your methodology and deliverable templates. They are only as good as how much they will help the client realize the outcomes.
- As part of each deliverable, include a section on next steps that are required to be taken to realize one or more agreed outcomes identified in the engagement letter. Make sure to arrive at an agreement with the client sponsor regarding next steps before finalizing the deliverable.
- At the end of the engagement, leave the client with a mutually agreed “Plan for Realization of Outcomes”, a set of actionable tasks that everyone agrees will be essential to achieve the outcomes identified in the engagement letter.
Following these steps has served us well over the years. I’ll be interested in readers’ feedback.