Steve Manzuik, an independent IT security consultant, emphasizes experience, expertise, and reputation

IW: What qualifications do you think clients look for when hiring a security consultant?

SM: Most that I have dealt with really seem to concentrate on past experience with the technology or procedure that they are looking for the consultant to provide. Having a handful of good reference clients comes in very handy in this case.

IW: To what degree do you think professional certifications matter to your clients?

SM: To my specific clients -- that I have built a relationship with -- certifications do not matter to them. For new clients, they usually start out looking for a CISSP (Certified Information System Security Professional), but I am usually able to combat that with good reference clients, proven experience, and reputation. The larger the client, the more they want to see the certifications. Part of the client"s job is to sell the consultant he picks to upper management.

IW: Do you think a consultancy"s reputation plays a large role in a hiring manager"s decision?

SM: Absolutely. There are smaller, boutique consultant firms that have never had to advertise and rely on their reputation to win them work.

IW: What questions do you expect to be asked in an interview?

SM: The biggest ones are questions around the work that is to be performed. Most clients like to get a good feel of past experience and true expertise.

IW: Would you expect firms to be more or less likely to hire a consultant for security than for other IT issues?

SM: I don"t think a lot of firms put a lot of thought into this. I think they simply look at what projects they need to get done and what projects they cannot get done without outside help. Typical organizations are short-staffed across the board, from the IT help desk all the way up to the senior network and security guys.