In the future, only ignorant companies will keep their IT security teams completely in-house. And those ignorant companies will become the first to collapse under a variety of malicious computer attacks. I can't blame them, though. The alternative is to go with consultants, and they bring their own problems to the table. Here's what's wrong with consultants. First, most security consulting organizations are less than 2 years old and, therefore, can't be trusted completely. There is no guarantee that any of these consultants will last through a downturn in the economy, which, by all indications, is happening now.
Then, there's the employee problem. There is so much demand for security consultants yet so few actual experts that the quality level of experts is being diluted. This means a consultancy's top expert might be a 20-year-old former hacker who only escaped from his bedroom last year.
Organizations must also be aware that some companies are linked with vendors, so their recommendations may be based on the architecture used in a certain company's infrastructure of routers, switches and servers.
Finally, as with any IT field, there is employee turnover among consultants, which means that companies placing their secure assets into a consulting company's hands might find those hands have gone over to a competitor's outfit.
These warnings sound severe, but they are mainly scary things being said by scary people trying to spread fear, uncertainty and doubt. Security consulting companies can be the best bet for securing and protecting corporate assets—when they work in tandem with employees of the organization.
Combining a security consulting company's expertise with a permanent staff member's commitment to an organization makes it more likely that the security plan will succeed for two reasons. First, the fresh eyes and focused experience of a security auditor are sure to uncover nearly all the common exposures in a network. Second, the in-depth knowledge and insider experience of a permanent staff member will probably be enough to ensure that changes recommended by a consultant meet the business priorities and requirements of the organization.