Being involved in a security project requires a lot of resources: a good measure of knowledge, a huge measure of experience, and some amount of software and personnel.
Usually time is in short supply, so this is compensated for with more computers or more people.
The first option is to use a computer and a piece of software. While there are a lot of automated tools that a security consultant can use, these are not really smart.
- For penetration tests - most vulnerability scanning systems are 'loud' as hell and will be immediately detected by any IPS/IDS system. Also, such systems are very rarely successful at any actual penetration unless properly tweaked and configured by a human operator.
- For procedural assessments - the software is just a set of questions forming a checklist. The problem is that every organization has its own specifics in how security is organized, and the actual procedural security posture needs to be understood by an expert operator in order to properly answer the questions in that checklist.
The second option is to hire a freelancer team. Presently, there are a very large number of people looking for a freelance gig as security analysts.
Some of them publish their expertise through social networking sites, others just use job search sites to look for an engagement.
But this is a nightmare in itself for at least two reasons:
- Unknown amount of expertise - when hiring someone for a security job, unless you know his/her previous work it is very difficult to know whether he/she will deliver the expertise. Please note that a person's CV can say anything without much means of confirmation - references for previous security engagements are very rarely given by clients.
- Unknown agenda - even if he/she is a great expert, you will be opening the doors of a corporation to that person. Unless you are 100% certain of his/her professional agenda, you may find yourself in a lot of legal trouble if there is a breach of confidentiality, or even a malicious attack, from someone on your freelancer team.
As Alan Weiss points out, you should only get into partnerships if you can multiply the profit by a hundred, not double it.
And in the case of security analysis, you can easily deplete your profit by choosing the wrong team, let alone end up stuck with legal issues.
Cross-posted from Short Infosec