Comment by MattPalmer1086
3 years ago
I would distinguish between consulting and audit.
Nobody thinks most auditors are experts. I have met a few, but mostly their job is to perform very standardised assessments, to meet compliance requirements. Internal audit is no different in this respect.
Consulting, on the other hand, I agree is hugely oversold. I have experience of being invaded by a swarm of big-name consulting firm graduate "security experts".
They didn't do a bad job in the end. They gathered the requirements, listened to the staff, and recommended pretty much what we would have recommended. Someone somewhere with more experience must have reviewed it at some point I guess.
In this case, the senior management was really paying for the "big firm" seal of approval on a big spend, not for any earth-shattering security insight.
I was always under the impression that when consulting for a company with a competent developer team, the best a consultant can do is to confirm what the internal team already recommended.
If the company is doing a risky project, having a second opinion may be well worth the money.