I dare you to measure
Oct 31st, 2011 by Jesper Kråkhede
Today I had a chat with one of my favourite security consultants in the UK. He told me this amusing story about a company where he was supposed to implement Encase Enterprise Edition. When he met with the network guys to push out the software like any other software, the network guys immediately said: ‘No, our network cannot handle that amount of data.’ End of discussion, one would think? No. My friend, who is very resourceful, simply told them: ‘I have already pushed this out to 10% of your computers without you even noticing it, so I think your data on network load is flawed.’
This of course caused a few nervous laughs around the table, and the matter was never brought up again, but the story illustrates one very specific thing: knowledge. It is all too common for security decisions to be based on no data or, even worse, on bad data. Take something as simple as a risk analysis. At many companies not even that is done before investing in a big IAM system. Nor do many PCI DSS engagements incorporate a risk analysis, or an estimate of what a breach would cost. That information alone would help steer the PCI DSS implementation towards the controls that actually matter.
So make sure you have the data: do the risk analysis and measure your environment before you decide. Otherwise you will be spending money on something that is not a risk while leaving the real risks unaddressed.