My CTO prefers to hire very expensive consultants than to trust on staff. It's funny, because he also decided that all technical teams should run on the absolute minimal amount of resources.

You can't imagine how shitty it felt this morning when he sent an email talking about a security consultant that we should hire, just because he thinks the guy could "take our expertise to the next level".
They will charge us 450/hour to run assessments, to find the exact same things my team discovered a year ago.

@tarstrong Some are people he used to work with in his previous company, so it's definitely not a very ethical move.

@null0v0id that is how it works. But good news for you when he moves on to another company. You get to be a highly paid consultant.

I'm Dutch so perhaps it's a culture thing but I would go to him with both reports and the bill (or estimate is you don't have access). And all him:What have you learned?

If he does not give a satisfyingly grovelling answer: You will pay this bill in threefold. We learned that upper management leaves security issues untouched for a year. And by insulting the reporters and grossly mishandling resources upper management has lost trust and respect of his workforce.
By this bill the work we do is worth a lot more and you seem to drown in funds so I expect a raise soon.

@hjk101 Yeah, I'm also in the Dutch market and noticed this to be a somewhat common practice. Just never saw it being so blindly applied.

My CTO won't budge to do anything unless it's determined by something or someone external and then takes the credit for the "initiative and energy".

And I don't think I'll ever get to be one of his preferred and beautifully paid consultants. The CTO hates to be challenged at the technical level and that is pretty much all I have to do for my job.

I had a division head like that. We had a really good conversation one day, that i am sure he regrets, about this. I asked why he keeps hiring consultants, spending a fortune, to make recommendations we could. His response was "scapegoat and I get what I want". He tells the consultants what the outcome is. That's the way consultants work. The C-levels trust consultants more than employees and that makes two of the same recommendations going up the chain. Easy approval.

I hated how right he was.