Which consulting firm?
My company is looking to use a consulting firm for some security work we need to have done (I have too much work to do!): some security reviews and a couple of pen tests out at some sites. My CFO is all about using a "big 4" firm (PWC, E&Y, D&T, KPMG), which I have never worked with before (but he signs the checks, so I need to at least investigate). So, are they any better than the smaller firms (ISS, Black Hat, etc.) or just a bunch of accountants? We have had some of their guys in for presentations and they have lots of nice PowerPoints and talk a good game, but how do they shape up in practice?
Using one of the big 4 consulting firms is a lot like buying Bose sound equipment. You're paying as much for the name as for the quality. I'm not knocking Bose, I'm making a factual statement. I've been told that they put as much as 60% of the revenue from each sale into advertising and 'brand recognition'. But those little no-name speakers at Listen-Up, that sound like the Voice Of God? You aren't paying for brand-name there... just quality.
I have some experience with more security-focused firms, and I happen to work for one now, so I am a bit jaded. But I know for a fact that you can get as good or even better quality assessment from Qualys, VeriSign, and many others. If you want an exhaustive list, check out the companies approved by Visa to perform PCI audits. It's a long list, and most are pretty decent consulting firms, I'd guess, or Visa wouldn't do business with them.