How much would it cost me to hire a security analyst for a day or two

manic111 · 27 Jan 2012 at 15:04

I've been asked to look into how secure my company's networks etc are and write up some recommendations. However, while I can look at certain things such as viruses, our WiFi security, and the like, more in-depth networking stuff isn't really my area of expertise.

Therefore, I'm going to recommend to my MD that he brings in an analyst for a day or two to audit our security. How much - very roughly - would this cost? How much do security contractors cost per day?

Please note that I'm just looking to get an estimate of cost, I'm not asking anyone to put their hands up for the job

GhostlyPea · 27 Jan 2012 at 15:13

Depends on a lot of things - quality, experience, credibility.
AFAIK we'll charge ~ £1500 a day but this *does* vary and is a general consultation fee. There are companies that specialise in this kind of thing and I would guess prices vary wildly

- GP

oddjob62 · 27 Jan 2012 at 15:54

I'd be suprised it you get it for any less than 500/day

J.B · 27 Jan 2012 at 16:22

We could probably do it for about 700 a day, maybe slightly less if you batter your eye lids. Pretty good price for a big 4 I reckon!

Send me a trust if you want to chat about anything specifically.

kefkef · 27 Jan 2012 at 16:34

Last time i did this, it was £750 a day, but it was a company who have a good few grands worth of business off us a year also.

TRNC · 27 Jan 2012 at 18:39

That seems like a lot of money, out of interest what do these security analysts do?

J.B · 27 Jan 2012 at 19:00

TRNC said:
That seems like a lot of money, out of interest what do these security analysts do?

Well if we told you that we couldn't charge so much!

Seriously though it does sound like a lot but these are people with very niche specialties and 100ph is pretty low for any consultant

TRNC · 27 Jan 2012 at 19:09

No seriously, what do you do that isnt covered by things like having a good password policy, not allowing remote connections to unsecure places, ensuring Wireless is properly secured or turned off and things like external port scans that can be performed (mostly free) by any number of security websites?

tntcoder · 27 Jan 2012 at 19:16

TRNC said:
No seriously, what do you do that isnt covered by things like having a good password policy, not allowing remote connections to unsecure places, ensuring Wireless is properly secured or turned off and things like external port scans that can be performed (mostly free) by any number of security websites?

Do you really think that's all there is to securing a network?

TRNC · 27 Jan 2012 at 19:20

Yes. I'm not an IT admin or anything.

I dont see how there is a risk if you firewall, block ports and lock it down tight enough to pass PCI-DSS scanning for the banks approval and the other measures I mentoned above. With that lot I fail to see where the risk is, without physically breaking into the premises.

J.B · 27 Jan 2012 at 19:26

Well having a good password policy is dandy but how do you know for certain that people are following that for every account? Sa accounts and BESadmin accounts are an obvious example.

Wireless deployments are a tricky one as there are lots of different ways of deploying them. It requires a knowledge of understanding risk, client needs and being able to have a sound knowledge of all the possible solutions.

As for external ports,yeah turn off-good idea. What about internal ports? Malicious insider is a huge threat and often the attacks are layered and require a human to chain them together. My favourite example is weak sa password>SQL running as admin and stored procedures on>XP_cmdshell to create local admin>extract SAM file>break hashes>find domain account, normally admin>log on to DC>extract AD database>crack more password>make some stupid hacking phrase up like all pwds are pwned>??????>profit!

TRNC · 27 Jan 2012 at 19:34

Yeah well most of that went straight over my head

However thankfully I dont have to worry about malicious insiders on my network, I am within 10m of all my employees and know every single one of them, in fact 3 of my employees cant even use a computer so the risk really is quite low for us.

DJMK4 · 27 Jan 2012 at 20:07

Trust me there is a lot more to network security than meets the eye

If you have in mind of hiring a network security consultant, then you obviously have it in mind that you want things done properly.

TRNC · 27 Jan 2012 at 20:23

Thats all well and good, but taking this thread off track from the OP a little i'm trying to find out, for sake of intrigue, what it is that a network security consultant would look at and do.

I dont see justification of £1000 a day as "doing it properly" - you can do it properly for £0 if you understand what is being done, equally you can spank £1K a day and gain nothing more than you already have.

SoundsGood · 27 Jan 2012 at 20:26

TRNC said:
I dont see justification of £1000 a day as "doing it properly" - you can do it properly for £0 if you understand what is being done, equally you can spank £1K a day and gain nothing more than you already have.

If you understand everything being done you'd be out there earning £1k a day yourself!

NiCkNaMe · 27 Jan 2012 at 20:32

TRNC said:
Thats all well and good, but taking this thread off track from the OP a little i'm trying to find out, for sake of intrigue, what it is that a network security consultant would look at and do.

I dont see justification of £1000 a day as "doing it properly" - you can do it properly for £0 if you understand what is being done, equally you can spank £1K a day and gain nothing more than you already have.

1000 a day is industry standard for any decent subject matter expert :confused:

You seem to be arguing against because of the day rate, go do a google and you'll find out all about network security. If you are a company who relies heavily on their IP and data then having someone who knows how to protect this is crucial and could be the difference in you staying in business or going bust.

TRNC · 27 Jan 2012 at 20:38

SoundsGood said:
If you understand everything being done you'd be out there earning £1k a day yourself!

No, I run a sucessful business, I have no need to try and be something i'm not and least of all an IT "consultant" - its not an area I ever wish to go near!

NiCkNaMe said:
1000 a day is industry standard for any decent subject matter expert

You seem to be arguing against because of the day rate, go do a google and you'll find out all about network security. If you are a company who relies heavily on their IP and data then having someone who knows how to protect this is crucial and could be the difference in you staying in business or going bust.

We rely heavily on our IP and in 19 years we've had no breaches, no problems and never employed a security consultant so i'm genuinely curious as to what they do. People saying "its not that simple" etc. doesnt answer the question, just makes me more curious!

DJMK4 · 27 Jan 2012 at 20:45

TRNC said:
Thats all well and good, but taking this thread off track from the OP a little i'm trying to find out, for sake of intrigue, what it is that a network security consultant would look at and do.

I dont see justification of £1000 a day as "doing it properly" - you can do it properly for £0 if you understand what is being done, equally you can spank £1K a day and gain nothing more than you already have.

Well for a start, the OP hasnt specified weather this is for a business of 20 users, 200 users, or 1000 users with an in house data centre with a DR data room 100 meters from site.

If they are looking for a security auditor to come in to oversee and give feedback, then clearly they want to ensure everything is secure.

What you got to remember that most proper network's will have enhanced routers, hardware firewalls with sometimes complex firewall rules, NAT policies, routing tables, IPSec site to site VPN's, remote dial in VPN's, internal threat, wireless threat, brute force and firewall exploitation, data exploitation and security.

If you don't understand any of that then you can by all means learn however that will cost time, if you are even questioning your abilities in this field, then you shouldnt even concider it especially if it could put the business in jepordy.

Why do you think so many businesses outsource their network infrastructure to specialist companies who do this for a living and know how to manage and keep a network secure unless of course they hire network specialists themselves.

Thats my line of work. I deal with companies on a day to day basis, our customers mostly have their own dedicated IT Teams, however they outsource their network management and security to us, as we are a network security company who know how to secure networks properly and we manage them remotely, putting the client at ease so they can concentrate on other things and have some peace of mind.

If said company had their own network specialist then I guess they could do it themselves.

But in the OP's case, clearly they don't.

NiCkNaMe · 27 Jan 2012 at 20:46

TRNC said:
We rely heavily on our IP and in 19 years we've had no breaches, no problems and never employed a security consultant so i'm genuinely curious as to what they do. People saying "its not that simple" etc. doesnt answer the question, just makes me more curious!

Starting to de-rail the thread now, so if you want to discuss further then perhaps worth making your own thread.

They analyse your existing security structure, find weaknesses and suggest improvements. What more do you want to know? Specifics?

One example where security is a must is if you are processing card payments, there are a number of compliance measures you need to meet, e.g. PCI DSS. It's not just about stopping intruders (although that is still probably the most prevalent!)

TRNC · 27 Jan 2012 at 20:55

Not really de-railing the thread, the Op's question was answered long before I popped in!

I know all about PCI-DSS, we are scanned reguarly for both our office network and our websites

DJMK4 - thanks for explaining a bit more, thats all I was after really. I'm not questioning my abilities in this field, I dont have any more than most idiots who have played with computers for 30 years. I did however set up our router, firewall, IPSEC VPN, NAT and routing table - all work ok and have not caused a problem yet and pass the PCI-DSS scans we get so I guess are secure too :confused:

As a small business we couldnt even contemplate spending £1000 on a consultant for a day so its not something I know about. We dont have an IT department or even an IT expert - it all falls to me, the boss, as the person who deals with it whilst my staff do what I pay them for. I guess in many businesses like mine (size wise) the MD is a jack of all trades, we have to turn our hands to all sorts. I do the books but have an accountant to do my returns, I handle the HR and staff, deal with customers, run the business and manage the IT....I even mop the floors on occasion!

My experience of large business in the past as an employee in a company with 2500 people was the IT department was a pain in the backside, 100 people who played games and put red tape in the way of everyone else trying to do their jobs properly!