This is excellent advice. Contract out the service to professional penetration testers. It takes years of practice to become a good penetration tester (I've been doing it off and on for nearly 12 years).
In the meantime, this will get you pointed in the right direction:
Also, make sure you understand the difference between:
* Vulnerability assessments.
* Penetration tests.
* Security audits.
The goal of a vulnerability assessment is to identify all vulnerabilities (or as many as possible). It will typically include a vulnerability scan (with a tool like Nessus) of a sample of the network. Make sure you interpret the results of the vulnerability scan into something meaningful for the customer.
The goal of a penetration test should be to provide the organization with an understanding of how (and how easily) the organization can be compromised. In this scenario, you are playing the bad guy. The goal isn't to identify all vulnerabilities, but to gain access. It is typically segmented into external, internal, phishing, social engineering, and physical tests (just follow an employee into the office when they come back from lunch. They will hold the door open for you).
A security audit will be based on the standards that the customer is interested in. Typically, there is a standard set of questions that you have to ask the customer. The customer will then need to explain what they are doing to address the question and show proof. To demonstrate proof that they are following the standards, they can provide evidence. Additionally, you will select a sample of the systems, and have the customer show that the security control is implemented on your randomly selected sample.
Good luck on your new career :)