I'm comming in mid way but I'd say that from your discussion you obviously
recognize that the Big Audit firms have made some substantial commitments
towards information security and more specifically penetration study services.
Hiring ex-hackers (LOD members have been known to be a part of the Big Six
world) and building alliances with vendors are a few of the commitments. The
reason for this commitment is to respond to our client's need not because we
want to compete with the smaller boutiques. I belive that we are in a different
business and a different market altogether. It's not "fluff". We get our butts
kicked and challenged by some of the best technologists in the world. Believe
me, for the money they spend, they are demanding a big bang in change and
impact. CIOs and system administrators are not dumb... They know value when they
see it and they know bull when they smell it. We are worked and put through the
ringer to deliver value in a big way.
With regards to certifications. There are numerous certification processes.
For example, at KPMG's Information Risk Management (IRM) practice we certify our
systems auditors not only for information systems audit (CISA), Certified
Information Systems Security Professionals (CISSP), Certified Fraud Examiners
(CFE), but also core technologies like Microsoft (MCSE), Novell (MCNE), Unix
(various vendors), databases (Oracle & Sybase), hardware like Cisco. We also
certify all our practitioners who provide security services with ISS for their
product, Axent, and BindView for theirs. That's not to mention the loads of
certified SAP, PeopleSoft, and BAAN people. We even have certified SAP security
specialists just to focus on SAP security. All under one roof!
I think the problem that some have is that they see the Big Six as a bunch of
accountants. As you all well know, this is not the case. A large if not
greater portion of our business is driven by business advisory and consultative
services. e.g. SAP, PeopleSoft, Tax, financial restructuring, mergers and
acquisitions, electronic commerce, reorganization, human resource management,
etc... A large portion of the services are technology oriented because, today,
technology a key enabler of business objective and ultimately prosperity.
To this end, controls, management, and security over technology is a natural and
necessary fit. Additionally, the assurance/audit services serve to provide a
level of attestation and or assertions regarding effectiveness and maybe even
trustworthiness of specific areas. For all people, technology can be a
convoluted and confusing mess. There is a need for assurance over business
functions/transactions/reporting which demands reliance on technology
infrastructure. That's why we see Big Six getting involved in systems audit and
There are also substantial differences in what Big Six can offer and what other
smaller boutiques can offer. Aside from obviously more services, more people,
more locations, and more assurance. We offer the experience that we have
gathered from other leading edge organizations. I am sure many of you have
heard about the long hours, demanding schedules, and tremendous travel that Big
Six consultants do. All of these things do add up to a tremendous value. We
are most of all business driven and value driven because all we are selling is
our knowledge and experience... Not just hardware or softwares. Intangibles are
the hardest things to sell!
However, if a small organization just wants a scan? Well then Big Six is
overkill, in fact, inappropriate and foolish. Then there are many organizations
that have highly qualified people internally that can do similar things. We are
not interested in being better than our clients. We want to help our clients to
be better. - Hey, that's kinda corney..sorry. - But in fact, our clients hire
us because they want to get outside experience, independent assurance, proven
expertise, or even just because they don't want to burn out their own people.
The Big Six environment offers its consultants tremendous challenges and
exposures to new and diverse technology and businesses. You just gotta be
carefull not to get eaten up in the great race. I think it works out well.
Technology is a funny thing. The topic matter seems to always promote
challenges and on-ups-manship. At the end of the day, its all just tools to
enable our objectives.
From: Mark Teicher <mht @
To: Roger Books <books @
us>; christopher_burgher @
Cc: firewalls @
COM <firewalls @
Date: Friday, February 20, 1998 6:32 AM
Subject: Re: Certifiying Security Auditors
>I have seen enough advertisements for conferences over the years to see
>that this really needs to be addressed at not only the conference level,
>but also at the certification level.
>Anybody with a little bit of money or very little money with some
>knowledge of Unix/NT, take a pick of O/S and a little bit saavy with one
>or two script languages and some sort of fancy vulnerability checker can
>be a bonafide security auditor. There is a lot more to it than just
>having the tools and running, it the understanding of the information you
>are looking, working with customer to get an understanding of their
>requirements are, and where the areas they need help and assisting them.
>Some of the larger type organizations (i.e Big N-1, I like to pick on
>them a little bit) made the leap into this market, recruited a whole bunch
>of top notch people here and there, made all kinds of deals with certain
>companies, money passed between hands, press releases, a whole bunch of
>marketing press releases, promises to build a security lab for
>their many offices, manage to snarf material to get accepted to
>some of the major security conferences, etc. Great marketing
>strategy by the way, but they still missed the fundamentals of security
>auditing, which it seems some customers of their are oblivious too, and
>they just see it as an extension of the Big N-1 services and still have
>not addressed the real needs of the customer, clearly identifying the
>problems, clearly assessing the risk and impact and finally clearly
>producing a well written report to a customer without the fluff.
>Currently, all of the Big N-1 firms are in state of flux of where to
>concentrate their business practice in, the efforts into resources,
>investment in tools etc. Here is a hint, for those partners and senior
>managers looking for good people, find a couple of them, without moving
>them 1600 miles away from their wives or significant others, and make a
>huge investment in training at least 3 mos intensive training, just like
>your new hire program for college recruits before throwing them to the
>wolves. You will see a dramatic difference in discipline, conduct and
>work than with those people then just matching new hires with experienced
>hires with some mentor program.. It doesn't work, half of the experience
>hires have 'Partner on the brain' or 'How much information/business
>contacts or business expense money can I scarf before I get caught
>with my pants down scenario' or 'See who I can steal research material
>from and get on the conference circuits with' or 'Who can I convince to
>leave and start a startup company with ' or 'I'll take their signon bonus
>money, relo money, recruit a few people for them, and leave within a year
>with nice change in my pocket' I think I covered most of the scenarios I
>have observed in the last 12 mos.
>If anyone from the Big N-1 firms, would like to correct the above
>statement, please feel free to insert your business methodology and
>strategy above to impress us. Some of us would like to hear what recent
>developments they have done to improve security auditing for the industry
>and not just their bottom line.
>For those who are interested in real bonafide security auditing please
>contact some of the people who have posted to this thread. Those people
>are the real bonafide people who have not only proven to some of us that
>they have a real understanding of the internals of a security audit, the
>tools and the savvy to help the customer. If some of those people work
>for a Big N-1 firm, the customer should request those people specifically.