mailing list archives
Re: [PEN-TEST] Evaluating Auditors Abilities
From: "Tansey, Don" <hyghlander () MINDSPRING COM>
Date: Thu, 7 Sep 2000 14:18:11 -0400
This is just my $.02, the opinions are mine and mine alone.
The major certification out there is a CISSP, from (ISC)<superscript>2; you can check them out at http://www.isc2.org.
They have what I consider to be an excellent set of standards.
That said, I don't think certification itself in _any_ discipline is a _guarantee_ of competence; but an indication of
competence. (And yes, I do hold some certifications myself - and think IT Certification has tremendous value.)
I would approach hiring a security consultant the same way I would approach any other outsourcing. Solicit proposals,
select likely candidates, have them in to present what they're going to do and how they're going to do it, and then ask
for and check _references_.
In the end, there are no guarantees, but a process like this will winnow out much of the chaff.
Also, in the unlikely event anyone ever made me management, I sure as heck would trust my employees over a third party
consultant. If I couldn't count on the people that work for me, they wouldn't work for me for very long.