• We wanted a consultancy for whom security was a core business activity -- we spoke to a number of IT services companies and VARs in the Hartford / Springfield / New Haven area  who could have provided us with the services of "their security guy". We instead choose to engage a firm where all members of the technical staff are security professionals.
• Along the same lines, we wanted a firm whose staff objectively demonstrated their competence by holding current security-industry certifications. For lack of a better frame of reference I fell  back upon my previous life and employed the DoD's ranking of certifications in the Information Assurance Workforce (<http://iase.disa.mil/iawip/Pages/index.aspx>) in evaluating potential consultants. That ranking is:
  

  • Level III (the highest):

    • CISA
    • GCED
    • CISSP
    • CASP
    • GCIH
  • Level II:
    • GSEC
    • Security+
    • SSCP
    • CCNA-Security
  • Level I:
    
    • A+
    • Network+
    • SSCP
    • CCNA-Security

The details of the alphabet soup aren't what's important. What is relevant is that GreyCastle's staff hold many of the higher level certifications on that list while the other firms that we interviewed had few if any. A lack of formal certification was the basis for immediate elimination from further consideration.

•  We wanted an assessment that was responsive to our needs. Standard security assessments are becoming a "commodity" service. We were looking for a consult who would be able to "dig a little deeper" and provide us with additional value beyond just confirming the results of the assessments that we have already performed in-house.