Six executives fill the boardroom chairs and you seem to have chosen the only chair that lets loose a metallic shriek upon any movement. Ugh. But there is work to do. You are all here to solve a problem. A big problem. One of your organization’s IT solutions desperately needs replacement and you are here to provide a “security lens” on the discussions about to be had.

Things start out well enough. They go over the list of features that are required in the replacement product: what are deal-breakers? what could be left behind if required? pay tiers? support models? deployment plans and timelines? Things like that. The requirements are high level and you spend your time listening to the discussion but not really participating. Then the discussion turns towards compliance and security. Your ears perk up.

They start asking your type of questions: “What type of information do we need to store and how are we going to protect it?”, and the like — in not-so-many-words but you pick up the subtext. “Do we need to think about compliance?”
All eyes turn to you.

Continue reading →