Recently I had lunch with the CFO of a medium-sized company in the Mid-Atlantic region. The CFO had been with the business for 6 months, and the account manager for my company was giving him an update on the progress of several IT projects that were being handled by my company.
We had been working with this client for about 3 years, so we were educating the CFO about decisions made before his arrival. Since he had just lost his IT manager, he wanted to know why he had four devices acting as firewalls on his network. The former IT manager had disregarded our warnings when we had noted this as a risk item two years before. My company’s consultants tell the CFO that the four firewalls are doing absolutely nothing, and are in fact acting as a “screen door” for security. The CFO shakes his head in amazement.
I explained to the CFO that security can be quite straightforward. In fact, if a business person can’t understand the security strategy and the tactics employed, then it is too complex. The more needless complexity you build into your infrastructure, the higher your costs.
On a napkin, I drew pictures of a firewall and 3rd parties to show him how a firewall manages external business relationships. I drew a representation of his current situation with four firewalls and then sketched out an optimized (and affordable) future state.
I provided the CFO with a multi-year Security, Identity, and Privacy (SIP) strategy blueprint, and he promised to keep his IT strategy front-and-center for the next two years. Read more about SIP strategy right here in my blog posts.