To throw in my two cents:
I just finished rolling out Qualys for one of the big 3 auto manufacturers, and I have been fairly impressed so far. The major advantage for a lot of people is the control interface. It is all web based, you can slice and dice the results as needed, set up a wide variety of scans that are as passive or invasive as you think you'd need, all of the updating and maintenance is handled by Qualys, and it has a very nifty built-in reporting module that can kick off surprisingly polished executive reports. It brings a lot of value to global operations, but I'm not sure you're going to get the same bang for your buck for smaller networks. The major bonus of consolidated control and reporting is not going to be as much of a factor if you have dozens of security folks rather than thousands. Depending on your agreement with IBM, I just don't know if you are going to get much in the way of dollar savings by switching to the Q. Nessus is obviously the best dollar value choice if you go with the free version, but that is only the case if you can handle not having updated signatures. Even then, if you have a small enough shop you can get the paid version for about $1200. That is only for a single user, though, and you still don't have the full enterprise command and control interface.
There are not a lot of specific recommendations people are going to be able to give you without having more info on your environment, but I'd recommend not posting much more info than you already have. I'm probably preaching to the choir, but I'd avoid posting too much data into an open forum. PM some of the more senior members of the group if you want more detailed advice.
Last edited by pseud0 on Thu Nov 29, 2007 9:39 am, edited 1 time in total.
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER