The purpose of this presentation is to discuss the current state of security assessments and how their success is inhibited by improper scoping due to poor regulations, loose controls, misinterpretations of them, and, most importantly, consulting firms not acting as experienced and trusted advisors. Scoping is something that is learned throughout one's career and should be an open dialogue between the client and the consultant. It is truly an "art form" that must be learned and practiced.
Too often an engagement is driven by the wrong means, and consultants don't take the opportunity to educate their prospective client on where improvements could be made. In the end, a lackluster service is executed and the client is left with a false sense of security. This is either because the consultant lacks the experience to perform the service effectively, or because the client doesn't understand the benefits of an improved approach. This discussion will review some of those common pitfalls in consulting and provide solutions on how to improve project scopes, overall security services, and reporting. This will not only develop stronger relationships between the client and the consultants, but also start to weed out commodity-based firms and begin to highlight those that stand out as pioneers in today's Infosec market.