Shrink-Wrapped Security - Page 2
In IT, as in any other field, but particularly in security, real world experience makes such a difference. In a given year, a system administrator may have to deal with one or two security incidents. A security consultant will most likely deal with more than this on a single day. The knowledge and experiences gained from this intensive exposure allows security consultants to develop finely honed skills in both risk assessment and identification. They are far more able to thoroughly test a security solution than someone who has just read the instruction manual for a software package.
That is not to say that using a security consultant is a foolproof means. Not all security consultants, or consultancies, are created equal. As much time should be invested in choosing a security consultant as choosing the security solution in the first place. The introduction of certifications programs by a number of the leading security software vendors can lead you to believe that holders of these certifications are competent and knowledgeable, but it is not a guarantee. In the same way that there are inexperienced and 'paper' holders of other certifications, security certifications are no different. The exact skills which are so important in the work environment -- up to date knowledge and hands on experience -- are the two hardest things to incorporate into a certification test. As mentioned earlier, that is not to say that certified individuals are not competent, but the value of the certification can only be estimated when it is backed up by practical on-the-job experience.
Through this experience, security consultants are able to understand business issues as they relate to security. Understanding the risks is actually a step that comes before any kind of remedial actions, as Allen Vance, Vice President of Offer Management for Internet Security Systems, a leading provider of security testing software, points out.
"First, customers must understand what kind of business level risks they have," says Vance. "A bank will have different associated risks than, for example, a baker. Next, you have to determine whether you have the appropriate skills to manage the solution in house. In each case, not determining your needs or understanding the requirements fully will most likely prove to be a false economy". Vance has the luxury of providing an impartial view on the subject, as customers of ISS fall into both camps.
If, at the end of the day, you have the skills in-house and understand the risks that you are protecting against, using testing software and performing your own checks may be a valid approach, but if there is any doubt, use a suitably qualified and experienced security consultant. As one veteran security consultant puts it, you could save a few bucks and it could cost you your business.
Compelling argument, isn't it?