[Interesting study by the UK Department of Trade and Industry. I would at least have a look at point 5.1 see below WEN]
5.1 Damage caused by Information Security Services

19. Incompetence or misbehaviour by consultants or providers of consultancy services can result in significant damage to an organisation for a wide range of provided services. No evidence emerged that the risk of such damage is any different where information security services are being provided. Where contributors mentioned that potential damage could have been done this was almost always caught through good internal monitoring – and almost invariably involved information security consultants or providers hired to carry out tasks for which their experience was inappropriate. Such problems usually arose because of misunderstanding between buyer and provider on what was required – often with the information security consultants doing the work not having the capability expected by the buyer, or not delivering what the buyer expected.

20. This finding may reflect the fact that, currently, information security services are mainly procured by large organisations. As noted elsewhere, greater numbers of unsophisticated buyers are procuring information security services, but often cannot define clearly what services they need, or judge adequately whether the delivered result meets the real need. Providers can offer such buyers security services that appear to meet the defined need, but actually do not address the real security issues. This appears to be due more to lack of experience from the provider in defining the scope of consultancy services offered than deliberate misrepresentation.
*****************************************************

http://www.dti.gov.uk/cii/datasecurity/psiact/psirep.pdf

Study Report
Information Security Consultancy
A Study for The Department of Trade and Industry
Prepared by Chris Sundt
Independent Security Consultant
May 2002

Executive Summary

This Report was commissioned by the DTI to look at existing and emerging issues impacting on the confidence users may have in the supply of information security services. This was occasioned by the public debate surrounding the issue of whether the implementation of the Private Security Industries Act should encompass information security consultants.

The report addresses the entire range of information security services. It finds that the information security skills are part of a much broader picture. The commonly held view that information security specialists are simply computer security experts underestimates the increasing complexity and importance of modern information systems. Information security is essential to many business models and has to be seen as an integral part of the risk management process. Thus many disciplines offered as a service in the business environment will demand some degree of information security knowledge. This means that, although there are some service providers who could be classified as being solely providers of information security advice, there are a great many more advisors who integrate such advice into a wide range of information-centric services.

In relation to those providers who focus on information security issues, the key finding of the report is that there are no perceived problems with the integrity of such providers in the UK. They are generally seen as being on a par with other suppliers of consultancy services in this regard. There is, however, evidence that users of such services need to be better informed on the scope of such services and how best to procure them. This is particularly true of smaller organisations.
The report therefore makes a number of recommendations on focusing the demand for such services by raising the information security literacy of users. It also looks at the supply side and makes recommendations on how existing initiatives to demonstrate the competence of suppliers might be improved or extended.

IWS INFOCON Mailing List @ IWS - The Information Warfare Site
http://www.iwar.org.uk