So much for my 'series of posts' about getting back to basics that I promised last week. I hadn't realised quite how much my new position would take out of me in the first few weeks. I had a customer meeting yesterday with one of the UK's largest internet banks; they are being pressured by their acquirer to become PCI compliant by the end of next year, but don't want to fail any audits this year. In the meantime another customer has announced a complete security budget freeze because they think they can show they are making progress on their PCI compliance when the auditors come round. This is a big mistake in my opinion, but I expect they will get away with it, because they are a very large retailer - that doesn't mean they won't be breached.
So I'm back in the land of the customer, and REALLY enjoying talking about security again. I'd forgotten what it feels like to have a room full of people asking questions that I actually know the answers to. I guess some time in product management has taught me how to think on my feet, or rather like a product manager when faced with the inevitable 'when are you releasing an agent in Fortran77?', 'what is the encryption overhead on my z/OS/COBOL/AS400 mainframe likely to cost me in terms of network latency?' type curveballs.
The thing which is impressing me about these initial meetings is how much MORE people seem to know about security these days. There were 6 people around the table, 4 customers, 1 reseller and 1 me. Reseller and I listened with 2 ears and 1 mouth, the 4 customers asked some very intelligent questions - all the ones I had prepared to be asked, and some I had hoped wouldn't come up.
The thing which struck me was that although this was a meeting about addressing PCI compliance, they knew about security, and asked about security. The ONLY compliance question I was asked was 'do you have a list of the PCI boxes this ticks?' Which of course we do, but we do a hell of a lot more than that, and the customer knew it. They asked about future proofing, key management for distributed heterogeneous systems, separation of duties, application integration, the works.
I'm disappointed for compliance, but tend to think of this as a victory for common sense and security. I rather think it's natural selection. Maybe because this is such a large bank they can afford the bright sparks, but these weren't security guys, they were DBAs, Project Managers and Technical Business management. This makes me pleased, and encourages me to keep spreading the good word.
I have been having some exciting conversations over the past week with a couple of guys who will already be familiar to many of you. Without giving the game away too much, there is a new project in the pipeline which I hope to be able to give more news on in a couple of weeks' time. As always, watch this space.