Well, perhaps Ben is wrong. I landed yesterday in one of those countries wishing to enter the European Union for some security work and today, amongst the many meetings, one is with a gentleman about the same age as my father who is responsible for security in a division of a medium-sized state-owned company.
We have an interesting chat and as he warms up he starts talking using sentences which start with the fabled "What keeps me awake at night is..." which is so common in paranoid security analysts. Not only that, he is also very conscious of the security issues surrounding the EU privacy directive.
Towards the end of our conversation he whips out his security policy and asks me candidly if, from the height of my experience, I have anything to add to it. It takes me a few seconds to recover from the shock of being handed a security policy where none was expected (if only companies within the EU bothered to have one...) and then on reading it I am hit by a second shock: it is also well written.
Of course there are faults, but I actually have to think about it rather than just blurt out the usual "what about e-mail attachments" or some other issue that is obvious to a security analyst.
To be perfectly honest there were only three issues:
My only hope is that I managed to convey my true admiration for his work and that this will reinforce his desire to improve the security of his company. What is more, I could sense that what had started as an "I had better cover my back" was now turning into a true desire to do something about security.
Posted by arrigo at November 28, 2002 07:46 PM