Security architecture at its best and worst
Nov 16th, 2013 by Jesper Kråkhede
Sitting at a local coffee shop discussing security architecture with a client is sometimes hilarious and sometimes very intriguing. Today I had two meetings regarding possible assignments for creating a security architecture. Both my clients are well aware of what security architecture is and what you need to do to create one, but in one of the cases their management has no clue at all. In my first meeting we discussed how to create a security architecture to manage both their PCI DSS and legal requirements. During our meeting his CEO called and told him that he had found a free product that scans the whole network and produces a view of all systems and security mechanisms. If you give it full administrative access, they even have a free service for managing the systems.
Do I need to say that we both did a face palm in unison and redrew our project to include a risk analysis and education for the top management?
My other meeting was a lot more intriguing, as the management is far more involved. Not only did they understand that we needed to conduct a risk analysis to get an understanding of the risks we need to mitigate, they also understood the connection to BCM and client satisfaction. In the end I was asked to propose a security architecture project to make their outsourcing services PCI DSS compliant and ‘Secure by default’. Most important is why the management formulated this assignment: they saw a clear cost-cutting possibility by streamlining security services and, at the same time, minimising the cost of changes caused by unaligned security changes.