If these consultants were brought in because of their expertise, it would seem wasteful not to take advantage of that expertise. Often such engagements will include not just the list of holes but the recommendations for plugging them. Most of these security consultants rely on their audit results to generate additional opportunities for them to provide further consulting services for implementation of security measures.
Additionally, every audit I have been a party to has consisted of a preliminary findings report to which the IT staff was given a chance to add their comments/rebutal prior to the presentation of the final report to upper management. Such a report would be considered incomplete without the addition of the environment specific context added by the company's own IT department.
Don't look at the consultants as the enemy, instead realize that they present you with an opportunity. They are resources temporarily available to you which will have the attention of upper management. Work with them to shape the outcome into something positive for your IT department. The discovery of security holes is not a stick to beat yourself over the head with but a lever with which you can finally get that leviathan that is upper management in motion to fund some of your IT initiatives. Use it!
Slashdot Mirror
If these consultants were brought in because of their expertise, it would seem wasteful not to take advantage of that expertise. Often such engagements will include not just the list of holes but the recommendations for plugging them. Most of these security consultants rely on their audit results to generate additional opportunities for them to provide further consulting services for implementation of security measures.
Additionally, every audit I have been a party to has consisted of a preliminary findings report to which the IT staff was given a chance to add their comments/rebutal prior to the presentation of the final report to upper management. Such a report would be considered incomplete without the addition of the environment specific context added by the company's own IT department.
Don't look at the consultants as the enemy, instead realize that they present you with an opportunity. They are resources temporarily available to you which will have the attention of upper management. Work with them to shape the outcome into something positive for your IT department. The discovery of security holes is not a stick to beat yourself over the head with but a lever with which you can finally get that leviathan that is upper management in motion to fund some of your IT initiatives. Use it!