SystemExperts^TM is different from other security consulting firms. One difference is that we don't hire "consultants." We hire experts who have established long term successful track records actually doing IT work, not just talking about it. For some, that meant designing and developing sophisticated middleware technologies or applications. For others, it meant planning, implementing, and managing large production data centers. The differences, which you will immediately recognize, fall into two broad categories: how SystemExperts is different as a company and how our methodologies are different.

How we are different as a company

We focus on what is important

In the world of security, not all problems are equal. Based on our understanding of our clients' businesses, we distill problems to their root causes. We help them to prioritize and to focus on solving the problems that could jeopardize the business itself. Most security consulting firms get themselves mired in the technical trivia and are unable to help their clients to see the big picture.

We respect our customers

In large companies and in small, we invariably find one or more members of the technical staff who genuinely know what they are doing. Unlike so many firms, our methodology enables us to build on the client's strengths. Once we have a sense of the client's level of technical skill, we tailor our recommendations so that they will be successful in improving their security.

We have no junior staff

We shift the burden away from the client and onto ourselves. We make sure we can handle this burden by hiring only experts. That allows us to produce outstanding results with little preparation. We believe that security is more than just technology and that security cannot be separated from the business. That's why we have assembled a team of consultants that are well-rounded business people and experienced project leaders who are also outstanding technologists.

We play for the long term

Our business is characterized by long-term relationships with our clients. We are privately held and have no outside investors imposing external revenue or profitability goals. This gives us the freedom to do what is best for our clients. They appreciate the difference of working with genuine experts who are committed to earning a long-term partnership with them by over-delivering and providing unmatched personal attention.

We are independent

Unlike most consultants, we are not afraid to tell our clients what they need to know but don't necessarily want to hear. We have no vested interest in any software company, hardware company, services company, or any particular solution. We recommend what's appropriate for you.

Our contracts and Statements of Work are short, simple, and straightforward

We make it easy for clients to hire us by using a one and a half page contract. Like our technical reports, it contains all the essential elements but without the legal hand waving. Then, we write Statements of Work that make it crystal clear exactly what measurable work product clients will get for the professional fees they pay.

How our methodologies are different

Business requirements drive security and not the other way around

Too many security consulting firms come in with a standard set of predetermined recommendations and they fail to take into account what actually drives any particular client's business. Our methodology starts by focusing on our client's business. Only when you understand how the systems and networks are used, the value and sensitivity of the information on them, and the client's budget and time constraints, can you even begin to make meaningful technical recommendations.

Clients need easily consumed advice; long reports are yet another burden on people who are too busy already

Our reports are typically eight to fifteen pages. They provide straight answers to the important questions and concrete prioritized recommendations. We challenge ourselves to produce findings and recommendations that are concise, easy to understand, and straightforward to implement - and our clients appreciate it.

Our methodologies avoid the classic "audit" problems

The very name "Security Audit" sets the wrong tone for most security projects. Audits generally focus on finding and cataloging symptoms, not causes and are first and foremost about assessing blame. Also, inherent in that name is an adversarial relationship that undermines rather than supports problem resolution. All of our methodologies are structured to ensure that we work as a partner with our clients to make things better.

Clients are always too busy to prepare and technical documents are always obsolete

Our methodologies are designed to minimize the burden they put on our clients. Invariably, whenever clients hand us detailed system or network diagrams, that is a prelude to hours spent discussing how one part or another has subsequently changed or was never implemented the way the diagram indicated. We find that if we have the right people in a room, they can draw whatever diagrams we need on a whiteboard to a sufficient level to explore the security issues. Similarly, relying on clients to provide detailed information by filling out questionnaires is usually not productive. Too often they just don't know the answers to the critical questions and we find many of the other answers they provide to be wrong. Given that reality, we don't waste our clients' time on that type of preparation.

Sequential interviewing inevitably generates conflicting input

We have conducted hundreds of projects where we met sequentially with key players to gather requirements, priorities, or even to learn how an existing system worked. In almost every case, people within an organization have conflicting views about essential matters (e.g., What is important and why? Who makes what decisions? How do things really work?). Unlike most consulting firms, we recognize the situation for what it is; the consultant knows less about the client's business than the client does and yet in most consulting methodologies, it is the consultant who chooses which conflicting point of view to accept. Our Workshop methodology enables our clients to efficiently recognize and resolve such conflicts in real time instead of merely pointing out where conflicts exist.

Every dollar a client spends should produce results, not consulting process

Our methodology produces insightful results quickly and economically. There are no administrative or external process-management staff involved. Consulting dollars are efficiently transformed into consulting findings and recommendations.