The primary function of a consultant
Hi All and to my brothers (you know who you are) Salam,
Sorry I'm a few days behind.
I noticed there are not many comments on the last post, so nothing to answer or clarify (as yet?)
Let's talk about the role of a consultant. In the years that I have worked in IT as a supplier, consultant and client/customer, I have seen many different thoughts on what is expected from a consultant. If you look at the Oxford English Dictionary, a Consultant is 'a person who provides expert advice professionally'. This has always been an issue with the consultants I have known and dealt with: the word 'professional' means different things to different people, and the same goes for 'expert'. Personally, I always say that I have never been a 'pert' so I could never be an 'ex-pert'.
When you look at professional conduct, each type of career choice has different interpretations or guidelines. Take a lawyer for instance, they are responsible if not accountable for giving the client the best advice while stealing their money through charging an arm and a leg and some of them the entire body. However, if it is found that they did not have the client's best interest at heart, they could lose their licence and possibly end up in jail. Believe it or not, this would also hold true in the Kingdom. The same goes for a Doctor or an Engineer. However, in IT, this is not the case.
The question you have to ask yourself is, why not? Is this an easy answer, black and white or is it grey with a few other colours in the mix as well?
In my humble opinion, the answer relates to what the client's expectations are and how much they are willing to spend versus the expected profit from the consultant/supplier.
I am a CISM and CISSP and both bodies make sure that I know what my responsibilities are with regards to consulting (even if I knew it before). If I do not abide by their rules, quite simply, I lose all the certifications resulting in a loss of income. Remember, a certification body has an agreement with other bodies, they tell each other if you have not been doing your work right.
So let's go back to the 'professional' part and see what this means in IT. As I stated in my previous posting, the client must save money, the consultant and supplier must make money. If the client wants a Business Continuity Programme for instance, the consultant/supplier will look at the potential of making as much profit as possible and allocate junior team members (who have limited or no BCP knowledge or experience) and deliver a 50/50 job. That is why there are different levels of consultants, Junior, Senior with wait for it; a Subject Matter Expert. Each costs the client extra, my experience in KSA was that a Junior was billed from USD 800 a day, a Senior from USD 1,600 a day, and this is for a small company. The going rates for South Africa are about the same. If the consultant is billed to the client for a month then it is USD 800 * 20 working days = USD 16,000 a month for a Junior, the Senior comes in at around USD 32,000 a month. The cost to company for the different resources is maximum Junior USD 8,000 and Senior USD 15,000. Not a bad profit!
But wait! Why employ a Senior when we can pass off a Junior as one and make more money. The result of this? The client gets a resource that does not know what is required and does not have the knowledge and/or expertise to do the work. The result? The client fires the first and gets another company to do the work properly with usually the same result.
Wait, stop everything. Think about the expectations, the client knows what they want but need the knowledge and experience of a consultant/supplier to assist them in getting there. Alternatively, the client will ask what should be done and the consultant/supplier will give them advice to the best of their ability. If you have no knowledge or expertise in the subject, how can you give anything to the client? This is what makes the difference between a 'Resource' and a 'Consultant'.
As a consultant, I have left companies and projects due to the use of resources that did not have the knowledge or expertise to deliver and I do not talk about the 'scope' of the project but also the 'big picture' of the client's requirements (or their strategy). I have just left a project in South Africa because of this. Why you ask? Is he stupid? No, there is such a thing as ethical consultants who will try their best to do the work the right way as it is their name (and not the company's) that will get blamed, who then choose to leave a project before their name is dragged through the mud and blamed for what went wrong even though they notified the relevant people of the risks.
What does all this mean? Simply, a professional consultant has the best interest of the client at heart while they make money for their employer. However, the client's expectations are agreed to, managed, and delivered all within budget.
How do you measure a consultant? This is a difficult one as there are many ways to ask, I usually ask clients at my first engagement if they want to be 'told' how to do it or do they want to be 'guided'? If they say guided, then they need a consultant else they need a resource.
Many people will disagree with me on what I have mentioned, but ask yourself this question (say it as it is written); "when the last IT consultant did work for me, did I learn anything about what he was doing or supposed to do?" If you answer 'No' to this then you had a resource. He was there to do the job and do it as cheaply as possible, guiding or mentoring (an experienced person in an organization or institution who trains and counsels new employees or students) is not on his agenda even if it is in the deliverables. A consultant guides and mentors the client even if he annoys the living hell out of the sales person. Ask Fahad about the talks we have had with different clients and the accusations that came from the sales people.
This is called the ethics of the professional consultant. Look at www.isaca.org (click on Code of Professional Ethics) and www.isc2.org (http://www.isc2.org/ethics/default.aspx) for guidelines.
Comments are as always appreciated.
Wa Alaikum As-Salam until next time,
Enjoy the rest of the week and may you travel safely.
Next to come;
- The primary function of a supplier,
- The primary function of a consultant,
- The differences between client and supplier,
- The differences between supplier and consultant,
- The differences between client and consultant,
- Ethics as a consultant,
- Ethics as an employee and
- Is there ethics in business.
The primary function of a client
Hi there,
What do I mean when I say 'client'. Well, in business it means the person who comes to your shop and buys the products you have in your store. In a company's IT department (say a bank), the client would be the 'users'. To a supplier and contractor, it is the person who buys the product they sell or pays the consultant for the time he spends.
Alright, as a client to say Jarir book store, you go to buy a laptop, the price is marked as say 5,000 SAR (yes, it is not a Toshiba). You ask for a discount and what does the sales person say? Sir/Madam, there is a 'discount' card which you may use, else the price you see is the price you pay. Now, you go to a reputable shop in the Computer Souk (Olaya Street, Riyadh) and you see the same laptop, for say 5,500 SAR. You ask them for a discount and they agree to sell the laptop for 4,500 SAR after the required discussion where I am sure the saying 'you are taking the food out of my grand children's mouths' will come up. Yes, this does happen, ask a few of my friends.
What is the difference? Same product, one is cheaper than the other. In a nutshell, Jarir has a support team that will 'repair' the laptop if there is a problem. I used them to get a Linksys 3G router to work properly with a 3G card I purchased from them. They spent 3 hours on the problem, finally told me to upgrade the firmware which solved the issue. Some of my experiences with the shops in the Souk are different, the sales person seemed to have disappeared. From others, I got good service, the same as at Jarir. However, on average, the service at the Souk was worse than the average at all the Jarir stores I went to. Believe me, I own shares in Jarir, I spent enough money to get them free.
Now let's move to an IT department in a company, ultimately, the client of the company is their client as they provide or support the systems that the company uses in their service offerings. But, unfortunately, the IT shop always sees their clients as the 'USERS'. They also have the requirement to save the company money when they spend it on new systems or consulting. This is where the difference between Jarir and the Souk comes into play.
IT management will always look at the 'cheaper' option but expect the service of the most expensive. What is the difference? Surely, spending the company's money demands good service and delivery of what is required. YES, it does, however, there is a limit, service delivery costs money (read as resources) and the 'client' must realise the fact. However, in all my years as a consultant in IT and Information Risk Management, I have not seen a client understand that good service (what the client expects) is more expensive. You get what you pay for. A saying I heard in the Kingdom and which I use in South Africa is 'If you pay peanuts, you get monkeys'. Don't get me wrong, the level of service is based on the client's expectations of what he is buying and the expectation of the sales person and consultant of what they will deliver at that price.
Now remember, the management of a company must contain the costs both Capital Expenditure (CAPEX - new Equipment/systems) or Operational Expenditure (OPEX - maintenance and support of current systems) or they will lose money (their bonus) and the supplier or consultant, if you do not make money, you do not survive.
This is where 'ethics' becomes important.
Wa Alaikum As-Salam until Thursday,
Enjoy the rest of the week and may you travel safely.
Still to come;
- The primary function of a supplier,
- The primary function of a consultant,
- The differences between client and supplier,
- The differences between supplier and consultant,
- The differences between client and consultant,
- Ethics as a consultant,
- Ethics as an employee and
- Is there ethics in business.
I’m back and some pointers on what I would like to write about (amongst others)
Hi all (سلام),
I have been out of the Kingdom for 6 months now and let me tell you, I miss it.
Well, I have not been doing nothing and have learnt a few things about people of my home country South Africa, some of them good some of them bad. Unfortunately, the bad seems to outnumber the good.
Since I have been back in South Africa, I have engaged with many people and have been involved in 2 projects, both of them worth a lot of money for the supplier and a major cost to the client. After spending 20 months in the Kingdom, some of the experiences are the same for both, others are particular to South Africa and to the Kingdom individually. Let's see if the readers can see which fits where?
I will be writing about the following subjects across the next few weeks, at least twice a week and hopefully get comments from the readers in either Arabic (which I believe Fahad will translate) and English. Each discussion will have both person's thoughts, clients, supplier and/or consultant.
- The primary function of a client,
- The primary function of a supplier,
- The primary function of a consultant,
- The differences between client and supplier,
- The differences between supplier and consultant,
- The differences between client and consultant,
- Ethics as a consultant,
- Ethics as an employee and
- Is there ethics in business.
By the way, if you want to chat to me outside of this blog, send me a mail message at gavin.ferreiro@gmail.com or, speak to my good friend Fahad who will be a father soon. Remember, I am 1 hour behind or at GMT +2.
Wa Alaikum As-Salam until Tuesday,
Gavin
To script or not to script?
I come from a UNIX background (SUN, HP, AIX, Tru-64, SCO), when the only navigation aid on the system was a keyboard and later a mouse. The mouse was primarily used to click on an icon that opened a 'shell' either Korn, Bourne or C. These are, for Microsoft fundies, similar to but more powerful than the 'cmd' prompt you see in Windows. All administrative work was done from the shell with no 'click here, drag here, drop here' ability. It was only later in the 90's and early 2000's that UNIX and Databases went GUI (Graphical User Interface).
What did this teach me? Well simply, when doing any system changes and/or configurations to write the commands into a 'script' file. I would then save the script file and use it as documentation of the change or configuration. With a friend's help, we changed the 'scripts' into actual programs using AWK (pre Java) and Shell scripting that was a fundamental part of UNIX. These scripts then became our documentation on how to configure or change the systems from a clean install which was scripted as well.
When I started working on the Windows platform, back when NT 3.51 was launched in South Africa, I tried with limited success to get the same scripting functionality. The reason? According to Microsoft in South Africa it was due to the fact that people could now use a 'mouse'. 'What does that have to do with it?' was my reply. After a pause, and I quote this correctly (I think) "Microsoft does not expect that any of their administrators will have (be able?) to type in commands as the GUI makes it easier". When I asked the person what would they do if the mouse did not work, I again quote "why should it not?". Hmmm, I wonder why not?
Now, any person will tell you that a GUI makes it so easy, yes it does, BUT you have to be there. A script is something you execute and then walk away. There is also the chance that you may make a mistake with the GUI, we all have, that's why MS put the BACK button on all screens.
As a consultant and project manager, I always try to make sure I take as little time to do repetitive tasks as possible. Yes, you have it, I script it. It takes more time to do it the first time but then every time I do the same or similar task it takes a fraction of the time. What would take me 30 minutes I can now do in less than one and instances where I had to be physically at the system. I do not have to sit and look, I can work on something else. And, the scripts allow me to show the client what I have done and how I do it.
The great thing about scripts is you;
- write them,
- test them,
- document them and then
- forget them (unless they need to be maintained)
and go onto other challenges in life.
Try them, you will make mistakes and improve with experience, in the end, it will save you and the company time and lots of it.
Role of auditors in an organisation
Back to the 'auditors', when asked by friends and acquaintances about what work I did, I mentioned that I did GRC, short for Governance, Risk and Compliance. What? You have to be joking? How do you do that?
Easy, I audit existing processes against requirements and make recommendations. Well, the big 'A' word hit the spot so to say. You are an Auditor, one of those morons put on earth to make other people's lives unbearable and painful similar to a boil on your behind?
The 'A' word in business has the same impact as the 'C' word for men and women. 'C'ommitment for men and 'C'ellulite for women. Something Bad times 10 to the power of infinity.
Not so, the role of the auditor is and I quote; 'to give the board the assurance that there are sufficient controls in place to mitigate risks to business'. That is why internal audit is the only division in the enterprise that has the 'Authority' to access any system or information based on their auditing schedule. This is actually written (or should be) in the Internal Audit Charter signed off by the board.
So think about us as good samaritans, see us as people who can assist in making your life easier and not as seagulls - 'birds who fly into your office, fly around and poop on your head and then fly out'. And unfortunately, controls equal documentation.
Documentation and Auditors
I was involved in a discussion with a few close friends and colleagues of mine last week where the subject of 'documentation' came up. Just to give you an indication of what business disciplines were around the table; 1 x lawyer, 3 x IT gurus, 2 x project managers (IT and Civil), 1 x business analyst, 1 x business process consultant (BPC) and myself (GRC). The subject came up due to 2 IT guys being hammered by an external audit performed on their division. The term 'Auditors, what do they know? It is not a perfect world!'.
To my surprise, everyone agreed except for myself and the lawyer. When we asked for more information which they saw as 'the Spanish Inquisition', it turned out that the auditors requested documentation. Needless to say, there was 'some', not 'much' but 'some'. When pressed for the meaning of 'not much' it turned out that the documentation was a Visio diagram. You have it, a 'picture'. When asked what the picture showed, it came out that there were pictures showing how the systems were placed or located on the network including all network devices. When asked 'Do you know what the systems do? Does your subordinate? Does your manager?' the answer was "yes, should hope so, will ask if they don't know".
From an auditing perspective this is foolish, why? Simply put, documentation saves you from all types of unpleasant experiences in life. Let's take two examples;
- You have a contractual problem with a person, you go to a shark, oops lawyer, what does he ask for first (other than money), yep you got it, paperwork, proof so to say.
- You need a loan, you go to the bank, what do they ask for? Yep, your salary advice slip and your monthly expenses (unless they are loan sharks then they ask you if you have insurance just in case you default).
Simply put, no documentation results in nothing.
Back to Auditing, simply put, if it is not written down it does not exist! Auditors work with proof, evidence or better still 'show me the money' and yes, while a picture is better than a 1000 words it does not show 'Who, What, Where, When, Why and How'.
So, when thinking about documentation, think about what you will need to prove you did your job!
The concept of Accountability
A cornerstone of Risk Management in an enterprise is 'Accountability'. Maybe you have heard the term spread around like butter on a slice of bread. What does this mean? Well, depending on who you talk to, it means different things to different people. Similar to 'different strokes for different folks'. In my experience the understanding depends on how high you are in the food chain. Yep, it all comes to where you are on the corporate ladder. As a system administrator, your manager holds you 'accountable' for the availability of the system you are 'responsible' for. His/her manager holds him/her 'accountable' for your performance and so up the food chain.
This is where it gets interesting, how is it possible to be 'accountable' if you are only 'responsible' for the system. What about 'Ownership' and 'Authority' surely, these two play a major role in the 'Accountability' framework. Yes they do, how can you be accountable for the availability if you do not have the 'authority' to purchase new hardware or the 'ownership/authority' to tell people what they may or may not do on the system. Again, my experience has taught me that while management expects 'accountability' they are hesitant to give 'ownership' and 'authority' due to potential 'political' repercussions, one of them being financial.
Another matter is that there is the expectation that a document, whether it be a Policy, Process, Procedure, Control or Standard enforces 'accountability' is again up to debate. A legal policy does, provided there are certain controls in place to ensure or at least measure awareness and conformance. However, I have found that a policy that governs the administration of a system does not deliver 'accountability' as there are too many reasons as to why something was not done unless it is written in a Standard. The standard is however based on the 'business' requirements accepted by management.
In a nutshell, 'ACCOUNTABILITY' can only be enforced if there is associated documented proof of 'OWNERSHIP', 'RESPONSIBILITY' and 'AUTHORITY'. In other words, the explicit not the implicit, ownership and authority usually found in job descriptions.
Business requirements versus Technology
This is my major bug with IT staff especially those in security and administration. When you sit around a table talking to IT people, their eyes shine when you start talking about technology. The newest and the greatest....Well, what are toys for, but to have men spend time on them.
Talking bits, nibbles and bytes to IT is not a problem provided you have no requirement for motivating the purchase of the technology to business. This is when the wheels come off the proverbial geeky cart, ask IT to deliver a business requirement specification that sells the new technology to business and wait.
It all usually starts with, 'uhm', followed by, 'you know', then by....(pause) 'they need it'! Maybe they do, but how do you sell it? Well, 'it has x CPUs, 4 Gbyte RAM, can handle 20 quadzillion processes' and for additional money, it can make coffee.
Well, let's see, business does not know what a quadzillion is, has no idea about the RAM and the CPUs. It may be interested in the coffee but surely a coffee machine is better suited? This is where Service Management comes into play. Business has a requirement, what is it and what do they need to meet it?
At this point, all the techies start saying, 'how are we supposed to know what they want, we know what they have to have'. Nope, wrong again! Business needs to see what it costs and what the benefits will be. Point to note; NEVER mention Return on Investment (ROI). Gartner trashed that one by stating that it was never measured after the fact.
The solution is simple, take off the techie hat and put on the business analyst hat, very similar to baking a cake. Talk to business of their requirements (make some up if you don't think they know) and confirm this with management. Taking what they want, measure what technology they have and see what is lacking. Take the stuff that is lacking and look to see if any of the current could be upgraded or if a purchase is required. With the investigation, you should determine what the risks are to business if they do not upgrade or purchase.
You now have the reasons for;
- the current stuff will not meet business requirements
- the list of stuff that will meet business requirements (for at least 18 months)
- Strategic/Tactical/Operational Risks
Based on the business requirements and the reasons, you have the business motivation to purchase your new toy.
Qualifications: Degree or Practical experience with certifications?
The question of what is better to have on your CV/Resume, a degree or practical experience? Well, the majority of companies especially in the Gulf have the expectation that people should have a degree with practical experience. A degree indicates that you have a common body of knowledge, the knowledge is however based on what the lecturer requires you to do and know and what you are willing to do in excess of their requirements. This knowledge is also based on 'text books', which are seen as a perfect world.
Personally, I have found that in certain circumstances a degree limits a person's ability to understand the basic logic and gives the person the impression that they 'know it all'. Ask yourself this, the subjects you studied at varsity, how old were the text books and when last was the lecturer in business? Personally, when I studied I found that a large majority of the lecturers had never been in business and had moved from being a student to being a lecturer due to their high marks. Therefore the question, which is best.
In the Governance, Risk Management and Compliance environment that I currently work in and as a previous Information Security Officer (ISO) and Information Officer (CIO), I have found as a manager and consultant that a person that does not have a 'common book of knowledge' of the subject is better suited for the work than those that do. The reason for this is that there is nothing to 'unlearn' and the experience gained is 'real world'.
From a business perspective (efficiency and effectiveness), the person with practical experience is able to be productive in less time than the person who has a degree and no 'real world' experience.
All said and done, business is now requesting that a person has an international 'certification' in their area of expertise (knowledge). Based on Risk Management and certain local and International laws and regulations, the requirement for having certifications in order to do a job is fast becoming a fact and not an option.