Before we get into the nitty-gritty of this article, I'd like to briefly outline why I decided to write it. There are few key reasons:
- The UK governments decision to break up the 'Big Four' (B4). (Something I wholeheartedly back and I hope to convince you is a correct decision.)
- My time at the B4 has come to an end, for now, so I feel safe to voice my opinions.
- Lock down and gardening leave has given me ample time to reflect on my time at the B4 firm and sadly, I don't look back on all my time fondly.
About me: (Although this section may not interest you, understanding my prior experience is key to understanding my comments about the B4.)
Every family has a tech guru, called upon when the internet goes down or the family PC/laptop runs too slow, I was my families tech guru from the age of 10. However, in reference to cyber security I only knew the basic's. What trojans, adware or keyloggers were, a little about how they worked but I couldn't programme a GUI-less calculator let alone investigate,dissect or build my own malware. I had a general overview of what cryptocurrency was, how it worked, and how it gave rise to a new type of malware, ransomware. However, again I knew nothing more.
I graduated with a Computer Science degree in August 2016, this took my skills from beginner to novice. I know knew the fundamentals of how computers, the internet and basic encryption worked, alongside some scripting in Python, Java and machine language. Yet, I knew nothing of what a Security Operations Centre (SOC) was, or the software they used such as:
- a Security Information and Event Management (SIEM)
- Vulnerability Scanning and Management (VM) platform
- Endpoint Detection and Response (EDR) tooling
- Security Orchestration, Automation and Response (SOAR)
Despite all this, I did it, in September 2016 I started my first day within one of the B4 as a Cyber Security Consultant. Now I'm not shocked I got the job, I knew more about cyber security then most despite all my short comings listed above, and like any entry level job the B4 hire you for your potential.
Finally, I worked within the B4 for 3.5 years, across several clients spanning multiple countries and continents. I worked within both the public and private sector from banks to healthcare to logistic firms. I was promoted several times throughout this period until I finally left in August 2020.
A needed market?
From my first year to my final year as a consultant one question constantly came to mind, one reiterated by colleagues.
"Why does the consulting market exist?"
Firms pay above the odds for contractors who earn a fraction of what is paid to the B4 firm. The consulted firm also has the added cost of expenses which, I know from personal experience, for a single B4 contractor can get as high as £2000 per week!
Don't believe me? Lets go through a quick example and check the maths
A client wants a pen-test completed. They hire the B4 who in turn submit a team of 4 for a 2 week period, with two days on site post pen-test to present their findings and recommendations. Team Breakdown:1x Client Engagement Lead Cost: £800 per hour x 20 hours Total: £16,0001x Project Manager Cost: £500 per hour x 40 hours Total: £20,0001x Senior Consultant Cost: £300 per hour x 80 hours Total: £24,0001x Consultant Cost: £200 per hour x 80 hours Total: £16,000Total: £76,000
Expenses Breakdown:Hotel 4 people x 2 nights @ 130 per night Total: £1,040Food 4 people x 2 days @ £50 per day Total: £400Travel (Air/Train/Taxi) 4 people x 2 days @ £100 per day Total: £800Total: £2,240
Total project cost £78,240 for 2 weeks of work. For the same price you could hire the Senior Consultant and Consultant full time in house for a year! Not only would they be able to conduct such assessments on a rolling basis, they'd also be able to manage the recommendations as well as possibly double as security analysts in the SOC.
But let's argue the other side, why are consultants needed? Consultants are only as good as their brand. They can only charge what they're worth and so the work they provide must deliver results. By hiring the B4 you're paying top dollar and thus getting top tier partner reviewed work.
The B4 can also help with scale, whether you need 1 contractor or 100, in one country or several, you just need to present the work and let them organise themselves across their partner firms and get on with the implementation. You also don't need to worry about the added costs of pensions and so forth.
If the consultants don't deliver you can withhold payment or sue. However if an internal employee doesn't deliver you can only fire them and you're still left out of pocket and with incomplete work.
Breaking up the Big Four and increase regulations, a necessary step?
Yes, yes and yes, but even more needs to be done! Across my almost 4 years of experience I'm ashamed to say there was more than one client that was negatively impacted by conflicts of interest. But are you really shocked? How can a firm be responsible for assessing you and also be bidding to perform the remediation activities? That's like asking a car salesman if you really need a new car.
But without providing some rational behind my words you have no reason to believe me. So lets quote some managers I've had.
"Can we choose attributes in the assessment that will provide our internal MSSP and vendor partner with better scores?"
Here my manager was asking me to tailor our SIEM recommendations against client requirements to rank the B4s internal managed SOC and vendors we were already partnered with above other SIEM platforms.
"While on-site see if you exaggerate some flaws in their threat intelligence so we can win more work"
This one is pretty self-explanatory, and although not a direct conflict of interest still didn't sit well with myself. I don't think there would've been an issue if it wasn't for the unneeded addition of the word 'exaggerate'.
"Can we add to the list of recommendations, we've already won the remediation piece and need to justify the time billed"
Here a manager was asking myself to extrapolate the recommendations we'd be implementing to make it look like more work was being done then in reality in order to justify the invoice.
Counter argument? There is none! Sure you could blame this practice on a few bad managers, some rotten eggs, but there really is no upside to a firm being in charge of remediation and assessment. It's like marking your own test!
B4 means a skilled workforce right?
Wrong. Let me tell you my own personal true cyber consulting horror story.
6 months into my time at the B4, when I'd only learnt what a SIEM was the prior month, I was responsible for the prioritisation of log on-boarding to the B4 managed SOC. I had no idea what half the logs did and those I did I had no idea what systems they mapped to or information they actually provided. For example, did the managed SOC have existing usecases for some logs? If so they should be on-boarded first. Did the Fortinet firewall logs cover the global network or just the UK region? Did the Active Directory logs cover cloud single-sign on or just local authentication? Hell if I know, I didn't even know at the time that these were questions I was meant to ask!
But what about the training they offer? The SANS courses and so fourth? Well I admit, not everyone has the same experience, but if you want SANS training or a masters be prepared to commit to 2+ year extension to your contract or you'll have to repay the training fees.
So I must've hated working at the Big Four?
On the contrary, I loved my time there. The work life balance was great, I rarely worked over my hours and I could work my own hours as long as the work got done. My managers were relaxed and supported my personal growth and aims within the team and I had the opportunity to learn first hand from colleagues who are geniuses in their own right. Also we can't mention consulting without the grand benefit of paid travel, becoming a Hilton Diamond member, first class tickets and dining on the customers nickel.
This is the first article I've written, so comments on what to improve on, or what you liked would be appreciated.