Ah, I Remember the Fun of Being an Assessor

Posted November 27th, 2007 by

I recently ended up in the assessee’s chair. I’m fairly familiar with it by this time, since every project that I host or support has to be tested every year or so. Let’s just say I host auditors at least every couple of months. Only this time it’s different; let me explain.

Back in the halcyon days of 2003, I was on a Security Test and Evaluation Team traveling to a wide variety of contractor sites. We would go assess their security posture and make recommendations to the government. After that I would usually get out of the way as the two battled over the costs associated with fixes.

Now the fun thing was that my company offers some of the same services as the people that we were assessing. At some points, we had to subcontract the work to a different company with which we were in direct competition for a contract. At times we would end up having these surreal discussions where we would play “200 questions” and the answer was almost always “stuff” or something equally unhelpful.

So now for the situation I’m in: that of the business partner and competitor. For the past three weeks I’ve had people running all over my operations group learning how we do things so that they could partner with us for a big contract. And yet you wonder, deep down inside, how much are you training the people who will come “eat your lunch” later? It’s not my favorite place to be.

Anyway, associated lessons learned from doing ST&E work:

  • Nobody is completely objective.
  • Conflict of interest exists, you just have to identify it and react to it.
  • Paper versions of documents are OK. Electronic versions are too easy to copy verbatim.
  • An assessor can say the exact things to your boss’s boss’s boss that you’ve been saying to them for years, but it suddenly carries more weight.

Posted in The Guerilla CISO