I have 20 years of software engineering and infosec experience and can fill a few hours talking about all the crazy risks I find in a day of looking around most any company I interact with.
The status quo for security in our industry is abysmally bad. Not washing hands while working in a hospital WTF bad, everywhere.
Bringing it all up as I go can burn everyone out on interacting with me or trusting me at all if I am not careful, because survivors bias is a hell of a drug.
Two weeks to collect information and context is about right. I just usually do it as a contract security auditor now and provide a detailed report at the end.