We all know what a doctor does! When we have a fever, a headache or any other illness, we rush to the clinic and ask for medicine to cure it. Here’s a classic example. You wake up one morning with a sore throat, the kind that makes you sound like a frog and feel much worse. You rush to the clinic, explain the situation, and discuss the symptoms and any relevant medical history with the doctor. The doctor examines you, analyses the data and comes up with a treatment plan. The treatment plan is explained to you and then carried out. A financial transaction also takes place, in the form of the payment made to the clinic. The doctor sends you off with the warning that “prevention is better than cure”, and you recall it the next time you are tempted to gulp down an icy drink.
Now let’s talk about another kind of profession: doctors for organizations, who keep them in good health. They are called “Information Security Consultants”. So, what do these consultants actually do?
To keep it simple, let’s map it onto the doctor scenario. An organization goes to a consultant for a checkup. The consultant gathers information about the patient, examines it for problems (a gap assessment), analyses the past and current situation, looks ahead to what could go wrong, and comes up with a treatment plan (a risk assessment and risk treatment plan). The consultant then prescribes medicine for the organization (the medicines are the mitigation plans for the identified risks), guides the patient through taking it, and runs the required tests to confirm it worked. Sometimes the patient understands a risk, weighs its severity (the risk value) against the cost of treating it, and decides to live with it if it is not severe (risk acceptance). Once the problems have been identified and treated, the patient, in this case the organization, pays for the remedy. At the end of this corporate health check, the organization can obtain a certification to show that it is strong and healthy. Sometimes the consultants also turn detective, combing through the organization to find and fix its weaknesses (vulnerabilities) before someone who wants to exploit them (a threat) turns them into a real problem. Consultants also make suggestions for continual improvement and for handling the emergencies that arise when a disease does strike (a risk that has materialized), which they call incident management.
An Information Security Consultant wears multiple hats. They are most often your organization’s doctor or detective, finding ailments, treating them diligently and making sure the same incidents don’t recur. If you want to be a doctor but would rather have organizations as your patients, consider a career as an Information Security Consultant!