I understand your sentiments and endorse the same. The Big 6 has the brand. Brand sells. But it is not difficult for you either. There is a market for every ware and service. It is up to you what you offer, how you define the product and how you package it. You can create your own brand. It just needs some more marketing effort.
Regarding certifying Systems Audit / System Security professionals, there are at least four organisations doing such certification. These are:
1. International Information System Security Certification Consortium (visit isc2.org). Certifies Certified Information Systems Security Professional (CISSP).
2. Computer Security Institute (visit gocsi.com) - promoter of ISC2.
3. Information Systems Audit and Control Association (visit isaca.org) certifies Certified Information Systems Auditor (CISA).
4. National Centre for Research in Computer Crimes (visit ncrcc.org) certifies Certified Computer Crimes Investigator (CCCI).
There may be more. You will need to search, and please let me know what you find as well.
From: edpaudit @
Sent: Monday, February 16, 1998 12:53 AM
To: firewalls-digest @
Subject: Certifying Auditors
I have been an EDP auditor for 17+ years. I make my living keeping up with all of the new technologies and performing reviews. I have most of the skill sets that you professional data processing and systems folks have. The Big 6, or 4 depending on how you count them, perform a fraudulent act in performing these services and charge a great deal of money. People like myself who understand these technologies are paid miserably and are never called until the gates are broken and damage assessment is needed (the wounded get stabbed, and the innocent machine-gunned down). Give your Internal EDP Auditors a break. The experienced ones do understand. If they want to get involved at the front end of a project, like putting firewalls in, give them a chance. The good ones will perhaps help get resources that normally are not available if they write the right kind of
I recently worked with a large Big Six corporation that conducted a security audit/penetration review. I was astounded when I asked a couple of them how they were trained and they stated to me that they had received no training. My question is: who certifies them to ensure the following?
1. They actually understand what they are auditing.
2. They can interpret the results of an ISS/Ballista scan and not just present the report.
3. They attended training at one of the various vendors to understand how to use
This situation concerned me since the customer was given the perception that the people conducting the work were actually bona fide "Certified" Security Auditors. Is this the common trend currently?