Get your assessment done!
It amazes me sometimes what people can accomplish when pain is the motivator. In this case, it is a customer of my company who we have been trying to convince to have an enterprise assessment performed. They are a financial company and are the target of quite a few attackers out there looking to make some dirty money, and we knew the shortcomings in their security (both network and application) just from talking to them. We even had the ear of the CIO and IT Director (both wanted the assessment done last year). But the board was being extremely stubborn about the project, citing cost and the fact that we had never done an assessment for them, so they weren't sure if we would do a good job (this is despite our references and sample deliverable that were provided).
So they went round and round, then finally decided to drop the scope of the assessment dramatically and also ask another security consulting company to do the same assessment. Then they were going to compare deliverables, see which one they liked the most, and then go with them for further assessment projects. That kinda makes sense, but they were going to spend roughly double because they were hiring two firms... whatever...
So they pulled the trigger on the project, and we scheduled someone to be there on a Monday. Well, they called us in a panic the Thursday before our guy was to be onsite. Turns out they got pwned via their web application. Someone got a BUNCH of customer financial data. Oops...
Now they have us in there for an extended engagement doing an enterprise assessment AND a web application assessment, spending considerably more than they would have on the first go-round.
Now don't get me wrong. I always argue that management has to make business decisions. And that was what they were doing here. BUT, when your consultant points out problems that are apparent without having done an assessment, then you might want to consider getting checked out sooner rather than later.

