On Tue, 26 Mar 2002, Sean Donelan wrote:

:If I was looking for top security talent, what would I ask for whether
:I was hiring directly or outsourcing? Do I want a bunch of ex-military,
:ex-law enforcement, ex-banker, lots of certifications (CISSP, GIAC) none
:of which have existed for 10 years, published papers, can answer tricky
:questions about checkpoint firewalls (why is a confusing firewall
:configuration a good thing?), a college degree in crypto, big 5
:accounting firm (or is that now big 4 accounting firm)?

I would ask for personal referrals. They are generally the only thing worth counting.

The accounting firms have brand recognition, but the way the business works, you are rolling dice the same way you would using a boutique.

Certifications are handy from a diligence perspective, but shouldn't be a deal breaker.

Product knowledge is handy, but doesn't demonstrate expertise.

Published papers will show expertise, but not indicate reliability or business focus.

Industry-specific experience will demonstrate business focus, but not necessarily show clue.

Academic credentials will show persistence and some clue, but probably won't ultimately help you sell more widgets.

:Likewise, if I was going to outsource. What should I be looking for
:in a security management provider?

Track record over the last 3 years, and personal referrals. This on top of whatever criteria you have for requiring one in the first place.

Brands mean very little in the face of a referral from someone you trust, or have paid enough to trust.

Services companies' only real asset is their staff, and many will debase their brand by diluting their talent pool to deliver a more reliable recurring revenue stream to investors. This means fewer high-clue people delivering complex but high-return services, and more middle- to low-end consultants delivering simple managed services to a much broader customer base. Think of it as a race to the bottom.

So, it depends on the solution you need.

If you need enterprise network architecture, customised IDS and incident response solutions, and bleeding-edge technology to defend your network against theoretical threats and imagined hostile governments, find a geek-boutique of people who speak at blackhat briefings, tell spook stories, and can show significant contributions in openbsd change logs. I hear some will even throw in a tinfoil hat, gratis.

If you need reasonably reliable, cost-effective anti-virus, managed IDS, and a checkmark or smiley face on your next audit, but aren't terribly concerned about specific threats, read some Gartner Group reports and pick one that seems reasonable.

I suppose this could just have been summed up by saying: get a personal referral, as the industry hasn't been around long enough to really judge from track records who can provide the best service.

--
batz