Security work can have “cloak and dagger” aspects if you let it, but it shouldn’t. Security objectives and techniques should be straightforward to clients and sponsors, not vague and mysterious.
On that note, December’s Security Technology Executive magazine has a straight-out article on “Getting the Most from a Security Consultant”. Here are five pertinent principles that the article discusses in detail:
• Confirm what you need a consultant to do.
• Use peer review to enhance your consultant’s work.
• Require frequent deliverables.
• Use clear project milestones.
• Create a safety valve (should a consultant prove unsatisfactory) and use it if necessary.