On a recent drive to Spartanburg, SC to visit a new account I was re-listening to the book 7 Habits of Highly Effective People. When I got to Habit 5, Seek First to Understand, then to be Understood, I started thinking of how many consultants don’t do this. How can a security consultant not listen first? How can an IT person not listen to management or end users? As I always say, security is a process and not a purchase. To create a secure environment we need to listen to all parties and make sure we have a complete understanding of the business and how information flows. Then and only then can we implement process to create a secure environment. I have never once been able to walk into an account and use a predisposed solution and send an invoice.
Want to know something really scary? I have lost more than one job because I wouldn’t send a solution for security before we met in person. Just goes to show you that with some companies security isn’t a big deal, they just want to say they are secure.