A while back I was engaged in a conversation on Twitter with @diami03 & @chriseng regarding (what I felt was) the need for someone to provide the perspective from within a medium-to-large enterprise, especially when there are so many folks in infosec who are fond of saying “why didn’t they just…?” in response to events like the Sony attack or the compromise of the senate.gov web servers.

Between consulting and full-time employment I’ve been in over 20 enterprises ranging from manufacturing to health care to global finance. Some of these shops built their own software, others used/customized COTS. Some have outsourced (to various degrees) IT operations and others were determined to keep all activity in-house. Each of them has had challenges in what many would say should be “easy” activities, such as patching, vulnerability management or ensuring teams were using good coding practices.

It’s pretty easy for a solitary penetration tester or industry pundit to lay down some snark and mock large companies for how they manage their environments. It’s quite another experience to try to manage risk across tens (or hundreds) of thousands of employees/contractors and an equal (or larger) number of workstations, combined with thousands of servers and applications plus hundreds (or thousands) of suppliers/partners.

While I would not attempt to defend all enterprise inadequacies, I will cherry-pick some of the top snarks & off-hand statements for this series and try to explain the difficulties an enterprise might have along with some suggestions on how to overcome them.

If you have a “why didn’t they just…?” you’d like answered drop me a note on Twitter or in the comments.