Tuesday 5 March 2013

Estimating

How long, how much? Not "thanks, that seems to make sense though thinking about it have you considered this that and the other?" Just "How long? How much?" Followed by (if the answer isn't ridiculously over-optimistic enough) "Why?".
Then comes the bit that really pisses me off - the clients will say things like: "Surely it's just a case of doing this, doing that, bish, bosh, bash and it's done? Shouldn't take more than half an hour? Shall we say 20 minutes?" It always amazes me that people get me in, ask me to do a job for them presumably because they can't do it themselves, then tell me what to do and how long it will take. I wouldn't dream of telling Lord Todd how to be a Rock God and yet he will no doubt feel quite comfortable in telling me how to do my job. Amazing.
So what I do is compromise because I need the money. How much I compromise depends on how much I need the money. I always start off by giving as good an estimate as I can for what I really think it will take.

So I said "How long, you ask. Well, let's see. There are 4 processes:
1. document exactly what happened the night of the attack
2. investigate who might have been involved and why
3. identify security issues/faults from the products of 1 & 2
4. identify steps that could be taken to fix security issues/faults

Let's look at process 1: document exactly what happened the night of the attack. Well, I guess that means talking to all involved parties (let's say half a dozen at 2 hours each - say 2 days) and reviewing any electronic material (let's say 6 hours - best part of a day). Then I have to write up, review, resolve discrepancies and job done. Write up - let's say 2 days, review etc. let's say another 2 days. So in total 7 days effort. Of course that effort may be spread in bits and pieces over several days depending on people's availability and the fact that I'll be running the other processes in parallel.

Process 2 is going to be far more vague - a case of following the investigation and where it takes me. The starting point will be considering all Mr Court's contacts who might have a motive and pursuing lines of enquiry based on that. I would like to suggest that I just report to you every other day on progress with this one. You can then stop it at any point if you feel you aren't getting value for money - in which case we can discuss impact on achieving the objectives at that point.

Process 3 is a desk job, pulling together and analysing the products of 1 and 2, and identifying how your current security set-up allowed it to happen. Shall we say 4 days effort for compile, analyse, review and refine?

Process 4 takes the product of Process 3 - it must follow on from it as it is wholly dependent on the outputs of process 3. Again, it's a desk job with the expert from your TripleA security firm you mentioned. I guesstimate 2 days effort for the analysis, review and refine.

So in total - 13 days known effort and an open ended effort for process 2. As I said, the elapsed time will depend on circumstances beyond my control, but if we meet every other day I can advise you of any issues impeding progress, or risks that might impede progress.

How does that sound?"

Lord Todd had the grace to look impressed, and I had the good grace to look smug.

"It's good," he said, "but I'm sure it could be done quicker."

It was my turn to raise my eyes to the ceiling and to sigh.