Sunday, May 30, 2004

"Should I hire a security consultant? What's a CISSP anyway?" 

Do you need a security consultant? The wimpy answer is "it depends". The honest answer, if you're the small business or home user I'm writing for, is "probably not".

If you have a low profile, you'll only be attacked by relatively dumb automatic programs that look for common vulnerabilities. All you need to do is have a cheap firewall, updated antivirus software and a freshly patched operating system. Then you're like the hiker who put on running shoes when the bear attacked. He couldn't outrun the bear, but it was enough to outrun the other hikers. If you take basic precautions then the automatic "doorknob-twisting" attack programs will move on and infect your neighbor instead.

You may want to pay someone to help develop a disaster recovery plan for your small business. It'll have to be a cheap and basic plan, because paying for it is like paying your fire insurance premium: it doesn't help you meet payroll or serve customers. A disaster plan is a service that you should expect a security consultant to be able to provide.

Medical records, financial records and customer credit card numbers require some special care. Unless you have an IT staff with spare time to study the regulations, it makes sense to bring someone in to guide you through the statutory and technological maze.

You probably need a consultant if you have a big business partner who demands that you use some unfamiliar technology when you talk to them.

How do you pick a security consultant? First of course you'll ask around and look for referrals. Then all the candidates will start talking alphabet soup at you. Here's a quick guide to what different credentials mean.

The CISSP (Certified Information Systems Security Professional) certification is for generalists. The CISSP exam covers physical security, management procedures, and disaster recovery as well as technical expertise. A CISSP should be qualified to give you a broad security analysis. That's important and valuable: what good is your firewall if someone can get your business secrets by going through your dumpster?

The GIAC (Global Information Assurance Certification) certifications are deeper and more technical. Those are credentials to look for when you're hiring people to build secure network devices.

Vendor-specific certifications come in handy after you've decided how much security you need and how you're going to get it. Cisco's CCNA, CCIE and other credentials help protect you from paying somebody by the hour while they learn to use your equipment.

Above all look for someone willing to understand your business and make compromises between being "secure" and meeting your budget.
