On a recent drive to Spartanburg, SC, to visit a new account, I was re-listening to the book 7 Habits of Highly Effective People. When I got to Habit 5, Seek First to Understand, then to be Understood, I started thinking of how many consultants don’t do this. How can a security consultant not listen first? How can an IT person not listen to management or end users? As I always say, security is a process and not a purchase. To create a secure environment we need to listen to all parties and make sure we have a complete understanding of the business and how information flows. Then and only then can we implement process to create a secure environment. I have never once been able to walk into an account and use a predisposed solution and send an invoice.

Want to know something really scary? I have lost more than one job because I wouldn’t send a solution for security before we met in person. Just goes to show you that with some companies security isn’t a big deal; they just want to say they are secure.