I was in the unusual position of being part of an interviewing panel that was evaluating tenders from the big consultancy firms for a piece of work.
The work was to provide a requirements definition for a fairly meaty government IT contract.
Of the four bidders, two didn’t refer to security once in their tender, and one made me apoplectic by discussing security as an optional extra in “phase 3”. WRONG.
One of my set questions during the interview was along the lines of asking what security challenges we might face.
All gave similar answers – making noises about firewalls, public access and so on. All very good, but not exactly insightful.
What I was looking for was consideration of the wider aspects – the old favourites of Confidentiality, Integrity and Availability, thinking about data aggregation issues, and discussing risk, acceptable risk and the mitigations/controls that reduce risk.
If security needs are not baked into a project’s requirements, retro-fitting them is extremely expensive and difficult.