When you ask who could help, think about what security means to you. A clear definition of your security objectives, in light of your business trust environment, is key. Without this, IT security becomes a minefield of salesmen each claiming their product is the wonder palliative for the latest publicised threats.
Many consultancies sell products, with their staff being little more than product installers. Other advisers (often auditors) will happily derive a risk assessment and security policy with no experience of the operational costs or risks of developing the implied security architecture. Often they run through elaborate security risk methods which obscure the reasoning. This also makes it difficult for the assessment to cater for changes in the objectives, threats or vulnerabilities.
Thus, reviewing information security, or conducting a reusable risk assessment and devising the security architecture, requires:
- Operational and technical development experience
- Security evaluation experience
- Policy and risk assessment experience in government or commercial fields
- Unbiased advice