I agree completely with all of your points on security auditors made below.
Let me set the record straight on this topic by saying:
Not all big 6 firms are untrained in the security field! Our group at
Ernst & Young (ISAAS) is very well trained from real life situations at
real companies. All of us in the security group have backgrounds in the
information security field before we joined E&Y. Finally, training
is an ongoing process, each day there is something new in this field.
Training providers have a hard time keeping up. That is why this type
of forum is great!
My 2 cents....
Date: Mon, 16 Feb 1998 06:03:11 -0800
From: Bennett Todd <bet @
Subject: Re: Certifiying Security Auditors
1998-02-15-18:28:09 Chris Brenton:
>I see this as being a "time" issue. It is going to take time for
>organizations to be able to identify the differences between a good and
>a bad security audit.
It takes about 1 audit, assuming the people being audited are paying any
If you're getting a systems security audit, then the results should
teach you something. If they don't then whoever paid for it was wasting
>This will push back and force "security auditors" to seek out
Certification may happen, though I hope not --- it'd be yet another
blind stupid waste of time and money, and this world already has enough
Security moves too fast for any certification to be any use at all; it
could testify that as of the date you took the test, you had acquired a
body of knowledge that was at that point only 18 months out of date ---
if the certification board tracked current technology better than most.
Certification can be a worthy idea for fields of study that have been
around for thousands of years, and in which much of the material remains
reasonably stable for decades --- e.g. accounting or finance. For
computer security it could only have a small negative value --- if
someone comes at you claiming they have a certification, at least you
know they have pissed away some time and money on something useless and
stupid, not a good sign for someone in the computer security business.
>For example, if I show up at your site as a consultant to fix your down
>server, you'll have a pretty good idea by the time I am done whether I
>have a clue or not (i.e. did I fix the server). With a security audit,
>the results are not so immediate. It may be months or years before a
>security breach is attempted, or detected.
No, if you don't teach us anything that improves our security then we've
wasted our time and money. That is a nice quick and easy test.
I speak from recent personal experience. We had one audit come roaring
through, complete waste of time, we were educating the junior drones who
came through attempting to collect data with questionnaires on
clipboards. We failed. We ended up learning nothing, because the people
who were asking questions didn't understand them.
Next time an audit came around, we insisted on interviewing the people
who would be auditing us, grilling them to make sure they understood the
tools we were using to implement our security structure. Our stance was
that unless they knew enough to be able to understand our security
implementation, they couldn't analyze it for flaws and criticise it
intelligently. Worked like a champ.
The rule is simple: don't waste money getting audited by people who know
less than you do.