recap of a scope call

It’s been some time, but I just had one of those scope calls from out of left field. University, mid-size, private, budget sensitive, one security engineer, and he is relatively new.

He is unsure of the state of his domain.
lost

Me: Have any security assessments ever been performed?
Client: No.
Me: (pause) Do you trust the integrity of your servers?
Client: No.
Me: (pause) You are processing credit cards?
Client: Yes.

Calls like this one induce brain freeze in me. I get so hung up on them that I mumble for a bit until I catch a clear thought.

On cue, this question soon followed: “I was thinking of starting with vulnerability assessments, but where do you recommend I start?”

Is this not a scenario security aficionados are supposed to love?

I dread them now. I’m being tasked with teaching everything a functioning adult is supposed to know on a phone call. Don’t get me wrong, I do love the flood of ideas this scenario stimulates, but I’m weary of working for clients so far behind in the game. My experience with clients like these is that they come to the play with little budget, little support, and even fewer resources.

But in the spirit of the holidays, I’m going to draft a list of tasks I’d recommend he do and I’ll share it here.

Posted by tate Wed, 30 Dec 2009 22:30:00 GMT