Former NSA director General Keith Alexander has moved into the security consultancy field with a $1 million a month price tag.
According to Bloomberg, Alexander was invited to give a talk to the Securities Industry and Financial Markets Association, known as Sifma, shortly after leaving the NSA and starting his firm, IronNet Cybersecurity. Alexander offered to provide advice to Sifma for $1 million a month, according to two people briefed on the talks, and this was later dropped to $600,000, according to an anonymous source. Alexander declined to comment on the details, except to say that his firm will have contracts “in the near future.”
Security guru Bruce Schneier said in his blog: “SIFMA is the Securities Industry and Financial Markets Association. Think of how much actual security they could buy with that $600K a month. Unless he’s giving them classified information.”
Brian Honan, CEO of BH Consulting, was in agreement, telling IT Security Guru that companies “would be better off spending $1m a month on better defences and incident response capabilities than on consultants”.
In an email, security consultant Nik Barron told IT Security Guru: “Apparently times are hard as he’s already dropped his price to $600K a month. The obvious question is how would you get ROI on that sort of figure? Also, while it’s not unusual to see former spooks end up as private consultants (I know quite a few), there has been some concern expressed over whether Alexander could justify such fees without breaking confidentiality regarding classified information (either consciously or not; it’s difficult to completely compartmentalise such knowledge).
“On the flip side, there’s probably a lot of marketing capital to be made from saying ‘Our security has been evaluated by the former head of the NSA and he says it’s good enough’, particularly with the current high profile of nation-state threats to commercial networks.
“Whether there is any security benefit of Alexander’s advice over that of more technically competent but less highly cleared people is a more important question, and my personal view is that spending 1/10th of his fees with a decent independent consultancy would be a far better bet.”
Security consultant Bruce Hallas told IT Security Guru that the other dilemma Alexander will come up against is that he has come from an industry where budgets are slashed, whereas cyber security is a thriving area in which paying $1 million to set up a unit is “not unheard of”.
Regarding the cost, he said that as a consultant he usually has to justify a day rate and value to the customer. “If he is a true consultancy fee then is the pay for work or a consulting rate to help them? It is not clear on what I have read,” he said.
“What he brings to the table is a five to ten year view of threats and he has more knowledge than most. He can also advise on how to deal with a whistle blower and one thing he will bring is insight to the CISO, CTO and information security manager on how to deal with this as he learned the lessons.”