Hi,
I'm a security consultant for <<I don't know the firm's new name yet because we
just merged>>.
I'M NOT SPEAKING FOR <<I don't know the firm's new name yet because we just
merged>>, ALL COMMENTS ARE MY OWN, BLAH, BLAH, ETC., ETC.
Hadn't checked my mail in a week and I found this massive thread talking about
the same things I talk about at work on a regular basis. Some of the criticisms
of the Big N-1 are exactly on target (like smart bombs, actually), and they are
things I sincerely hope to change (Notice I didn't say "Reposition the market's
perception through strategic alliances", I said I want to fix the problems). I
wanted to go into depth about various examples people have cited, pros, cons of
Big N-1, etc, but that reply got too involved, so I thought I'd just jump in
with:
Mark Teicher wrote:
> I am still waiting for someone from the Big N-1 firm to come forward and
> state something that significantly sets them apart with their people and
> their business practice.
I'm not the one running around saying "We're better than everyone else," so
forget about that question. I got into Internet security because I love the
work, and I've always believed that you need to find work you are passionate
about, because you'll do a much better job, and put in a lot of extra hours, and
the rest will take care of itself. There are like-minded individuals and groups
within the Big N-1 (I love that term) with extensive real world sys admin
experience, plus CS degrees, plus the ability to put the client's technical
issues within the scope of their business needs, policy issues, organizational
politics, and IS and security staffing needs. We (I'm not claiming this for the
whole Big N-1, just for the people I know and work closely with) are useful to
our clients because we act with the intent to obsolete ourselves - I regularly
tell clients, e.g. "You want to do it this way, and hire these IS staff so you
can have the in-house knowledge to handle this yourself, instead of hiring us
once a year to 'clean up security'"). If my group did not have this attitude, I
would stop working here. To the extent that others don't have this attitude, I
refuse to work with them, and when it's time to hire, we look for like-minded
people.
>
>
> Still waiting for someone to explain to me why a customer would pay money
> to a Big N-1 firm to conduct a security audit when they use the same tools
> that are available to any 12 year old with a dialup connection and some time
> on their hands.
I say the same thing to EVERY SINGLE CLIENT, i.e. "Learn how to do this
yourself. Here's how. It's not rocket science." I'd be perfectly happy if
everything was secured and the security field dried up; there are plenty of
other interesting technical challenges in the computer field (for me, Java,
neural networks, A-Life).
The unfortunate fact is that most corporations and individuals don't give a
steaming pile about security, until it becomes a negligent mess, and then they
only seem to care for about 2 weeks. Basically I can say "Here's exactly how I
do things, you should get rid of me and do it yourself. Go ahead I dare you.
Hire the extra staff you need, download these tools, check these logs every day,
follow this policy. I know you can do it." And the sad truth is that the average
organization won't take up the challenge. It's the same mentality as (I wish I
had a dollar for every time I heard) "We have a firewall, we're secure" or "He
has a CISA cert/PHD/weirdforeignname, he must know what he's talking about."
Instead, it's "We hired some consultants for a security project, we're secure."
I did a firewall implementation a couple months back where I practically begged
the IS folks to look at what I was doing so they could know how to do it
themselves. I tried to tell them, I made clear, precise technical notes, and
they consistently ran screaming in the other direction. And the plain fact was
that the people in this IS department spent, literally, 5 to 6 hours PER DAY
just surfing the net, checking their stocks, etc. They had time to do the
security work. They just didn't care ("Drop everything, time for the 5 o'clock
Quake session!"). Which brings me to the last point...
It's not so much Big N-1 vs. non-Big-N-1 (is that like Big Endian Little
Endian?), just as it's not about who has what certification - It's "Do the
people who come to do the job, on any given day, be they from Ernst & Young,
Bellcore, or your own IS department, have the skills and intent to do the job
they're paid for?" You have to talk to them, give them technical tests, set
meaningful goals and deadlines, and kick their butts if they don't come through.
It's a pain, it puts the responsibility squarely on your shoulders, but it
works, i.e. as Mark Teicher said:
If some of those people work for a Big N-1 firm, the customer should request
those people specifically.
I know top notch people and bottom notch people in consulting firms, IS
departments, internal audit, vendors, etc.
One last request, when you flame me, make it a good one, like "I envy you having
me to envy" or "Your mother swims out to meet battleships." I need some good
reading for this weekend, and I need suggestions for the obligatory snappy quote
to add to the end of every e-mail message.
<<The usual mea culpas about off-topic (firewalls right?) postings>>
Michael Mucha
Senior Analyst, Internet Security
I don't know the firm's new name yet because we just merged
Fort Lauderdale, FL
mmucha @ ix . netcom . com