How much would it cost me to hire a security analyst for a day or two

Not going to write a full blown essay again as I'm now on my iPhone. I guess the 1000 a day is what you should expect, but I guess there are some who will do a day's work for a bit cheaper; however, you need to also ensure they are reliable, as you could very well be wasting your money anyway if they are not.

I think what people are saying is don't expect a consultant for a couple hundred. I'd say between 600-1000+.

It also depends on area. London prices will be rather high for instance.
 
Not going to write a full blown essay again as I'm now on my iPhone. I guess the 1000 a day is what you should expect, but I guess there are some who will do a day's work for a bit cheaper; however, you need to also ensure they are reliable, as you could very well be wasting your money anyway if they are not.

I think what people are saying is don't expect a consultant for a couple hundred. I'd say between 600-1000+.

It also depends on area. London prices will be rather high for instance.

We are finding it very tricky at the moment as there are lots of little companies and one or two man bands out there who are setting up and going in at stupidly low rates. Now I'm not saying that they won't do as good a job as a big company. Just saying it's hard to stay competitive.
 
I applied for a position with them, I guess they don't like blackhats... ;0

I had an interview recently with a specialist sec company and I got a frantic phone call an hour or so before the interview asking me to just confirm I had no convictions :p

Turns out they had a guy in earlier in the day who had been convicted of something or other; most of the companies won't touch you if you have.
 
My experience of large business in the past, as an employee in a company with 2500 people, was that the IT department was a pain in the backside: 100 people who played games and put red tape in the way of everyone else trying to do their jobs properly! ;)


The backlash from an end-user over red tape is far less aggravating than the backlash from an MD wondering why more hadn't been done to ensure the data lost through a user's incompetence was minimised ;)
 
If you think the key to good security is to have a good password policy, your network is probably already very insecure. A decent security specialist will most likely find a way to get domain admin within a few hours.
 
Yes. I'm not an IT admin or anything.

I don't see how there is a risk if you firewall, block ports and lock it down tight enough to pass PCI-DSS scanning for the bank's approval, plus the other measures I mentioned above. With that lot I fail to see where the risk is, without physically breaking into the premises.

What good is a secure firewall if the threat/vulnerability is internal?
 
Not really de-railing the thread, the OP's question was answered long before I popped in!

I know all about PCI-DSS, we are scanned regularly for both our office network and our websites :)

DJMK4 - thanks for explaining a bit more, that's all I was after really. I'm not questioning my abilities in this field; I don't have any more than most idiots who have played with computers for 30 years. I did however set up our router, firewall, IPSEC VPN, NAT and routing table - all work OK, have not caused a problem yet and pass the PCI-DSS scans we get, so I guess they are secure too :confused:
...

I'm sorry but if you think that PCI-DSS is all about just the network elements then you certainly don't know "all about" it.

Customer confidentiality prevents me giving details (for obvious reasons), but areas such as (but not limited to) encryption of data at rest and in transit (combined with application compatibility) and audit trailing with separation of responsibilities were a lot bigger headaches than those presented by the general network security requirements. PCI-DSS is not something that should be underestimated. In fact you complain about IT departments adding red tape; well, most requirements I've seen require at least a basic form of ITIL change/etc. management in order to audit trail what's happening to the system ... red tape is not necessarily a bad thing when you want stable, secure systems.

£1000-1500 a day isn't that much for a knowledgeable consultant these days, hell I'm charged out at around that by the company I work for and I wouldn't say that I'm charged that highly compared with some.

OP, see if whoever you think about using can provide you with an anonymised example report of what they would produce, and make sure that they are not one of these outfits which basically do a Nessus scan and then claim that the output is everything that is wrong (I've seen too many "consultants" who do that and have not been able to analyse the results properly themselves in order to find the important elements). Don't assume that what the consultant says is absolutely right ... there are times when they are not (if you are running Linux then not knowing about back-porting of RHEL patches is normally a big fail in most audit reports I've seen, i.e. you're running x.y but the audit says you should be running x.z ... but your x.y actually has the security fix from x.z back-ported to its patch level, while still being reported as x.y for compatibility reasons).
 
Some real jokers out there, be careful. We regularly have customers send guys in to test our kit. They run some scripts on their laptops, come up with stupid issues (modbus not secure, no **** sherlock), then put in a bill just short of 5 figures to them.
 
(if you are running Linux then not knowing about back-porting of RHEL patches is normally a big fail in most audit reports I've seen, i.e. you're running x.y but the audit says you should be running x.z ... but your x.y actually has the security fix from x.z back-ported to its patch level, while still being reported as x.y for compatibility reasons)

This is one of my biggest bugbears to get right, blumin' Red Hat back-porting Apache patches! :mad:
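The back-porting problem raised in the two posts above (a version-string scanner flags x.y as missing a fix that the distro has already back-ported into x.y's patch level) is easy to reproduce. The following is an added example, not code from anyone in this thread: it models the scanner's version-only verdict next to a verdict that also checks the package changelog for the CVE id, which is what `rpm -q --changelog <package>` prints on RHEL. The package name "exampled", the maintainer, the bug numbers, the version numbers and the id CVE-0000-0000 are all constructed placeholders (a year of 0000 cannot be a real CVE) used only to show the mechanism.

```python
import re

# Constructed sample in the style of `rpm -q --changelog exampled` output.
# Everything in it (package, maintainer, bug numbers, versions, CVE id) is a
# placeholder; CVE-0000-0000 is deliberately not a real identifier.
SAMPLE_CHANGELOG = """\
* Tue Jan 08 2019 Example Maintainer <maint@example.invalid> - 2.4.6-89
- Resolves: #1000001 - fix for CVE-0000-0000 (backported from upstream 2.4.99)

* Mon Dec 03 2018 Example Maintainer <maint@example.invalid> - 2.4.6-88
- Resolves: #1000002 - documentation and packaging fixes
"""

# CVE ids are "CVE-<4-digit year>-<4 or more digits>".
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """Turn an upstream version such as '2.4.6' into a comparable tuple.

    Only the upstream part is compared here; the distro release suffix
    (the '-89' in 2.4.6-89) is exactly the part a version-only scanner ignores.
    """
    return tuple(int(part) for part in version.split("."))


def cves_fixed(changelog: str) -> set:
    """Every CVE id mentioned anywhere in a package changelog, upper-cased."""
    return {match.upper() for match in CVE_RE.findall(changelog)}


def naive_verdict(installed: str, fixed_in: str) -> str:
    """What a version-string-only scanner concludes: older than the upstream
    fix version means vulnerable, regardless of what the distro back-ported."""
    if parse_version(installed) < parse_version(fixed_in):
        return "vulnerable"
    return "not vulnerable"


def informed_verdict(installed: str, fixed_in: str, cve_id: str, changelog: str) -> str:
    """Same version comparison, but consult the package changelog for the CVE id
    before reporting an older upstream version as vulnerable."""
    if parse_version(installed) >= parse_version(fixed_in):
        return "not vulnerable (upstream version includes the fix)"
    if cve_id.upper() in cves_fixed(changelog):
        return "not vulnerable (fix backported, see changelog)"
    return "vulnerable"


if __name__ == "__main__":
    installed, fixed_in, cve = "2.4.6", "2.4.99", "CVE-0000-0000"
    print("scanner says:  ", naive_verdict(installed, fixed_in))
    print("changelog says:", informed_verdict(installed, fixed_in, cve, SAMPLE_CHANGELOG))
```

On a real RHEL host the changelog comes from `rpm -q --changelog <package>` and the definitive statement of which CVEs a given package release fixes is the vendor's errata for that release; a changelog mention is the maintainer's claim, so treat it as the thing to cite back to the auditor, not as proof in itself. The same disagreement happens on Debian-derived systems, where the back-ported fixes are recorded in the package's Debian changelog rather than in the upstream version number.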
 
I'm sorry but if you think that PCI-DSS is all about just the network elements then you certainly don't know "all about" it.

Er, this thread is about network security, which happens to be covered by PCI-DSS scanning.

I never mentioned anything about the other points covered by PCI compliance as it's not relevant to network security. I DO know all about it and the security of data, provisioning of backups and how they are stored, who has access, system access, paper printouts, yada yada, but none are relevant to the question of network security.
 
Actually the OP doesn't indicate that he wants the consultant to just do the network, just someone to "audit our security", seeing as he has been asked to look at all aspects of that.

Most security audits will go beyond a single aspect, as they should, as the securing of an environment should consider all elements in a joined-up manner.
 
Wow guys, thanks for all the replies and sorry for not posting sooner. It's been a busy weekend.

So if I get back to the MD and say somewhere from £800-£1800 a day that's in and around the right figure? I know it's pretty broad but we're just after an idea.

EDIT: Just a bit more info if anyone's interested. We're a company of about 200 people, with an office in England and another in Mumbai, which has grown quite organically since it was founded (hence the lack of "proper" security implementations).
 
Some real jokers out there, be careful. We regularly have customers send guys in to test our kit. They run some scripts on their laptops, come up with stupid issues (modbus not secure, no **** sherlock), then put in a bill just short of 5 figures to them.

We've had this too: management demand external security audits, we get a bunch of muppets in and they then charge a fortune for running a few off-the-shelf apps and hand us a 1000 page document containing nothing but garbage. The last one we had charged about £20K; we actually told them to go jump as there was actually no useful information.

There's a lot of people who are earning a lot of money for really doing not much... But then that's the story for a lot of jobs now in IT.
 
There's definitely more to security audits/pen testing than just handing over a wad of technical information ;)
 
^
this.

Someone mentioned GSS, pfft. Utter garbage. Had them in 3 times in 3 separate companies on 3 completely different projects. Sent complete retards that could never give me a straightforward answer and literally spoke as if reading from a technical summary sheet.

I guess every company has their retards, as you eloquently put it :)

Why would you keep exposing yourself to them over and over again if you hold them with such disregard?

odd
 
Unfortunately some of us are not the final decision makers and do not hold the chequebooks! We have to leave that to so called management ;)

I'd expect my management to value my opinion, especially with valid experience with said company. A great way to increase your value within an organisation is to look out for and warn about bad decision making.

I've worked with GSS for two years now and they are one of my trusted partners; what they don't know about security is frankly not worth knowing. Granted, some of their pen testing is glammed-up, socially sculpted email hacking, but that's a customer hook, not a demonstration of capability.

Maybe I've just been lucky and always get their competent engineers :p
 