After reflecting on much of my career, and more specifically, my last job, I have decided to write a series of articles about starting a security program. I have set foot in pretty much every industry type and every organization size, from small banks, to law firms, to large Fortune 500 energy companies, and across the board there are always companies who turn a blind eye to security. Why? Some, like law firms, think they are not targets. I have all too often heard the same thing from law firms: “Everything we have here is on the public record, so it doesn’t matter if someone steals our data.” Trouble is, not ALL of your stuff is on the public record: things like medical records of clients, credit reports, payment info, the evidence you have on a case that, while you will ultimately have to turn over to the opposition before trial, you may not want to show your hand on now, etc. Some are just young, naive companies who grew into a Fortune 500 overnight and have no idea how they got there or what they need to do to ensure their survivability. These types seem to be intimidated by the idea of security and prefer to stick their heads in the sand and pretend there is nothing to worry about. Trouble is, when you stick your head in the sand, guess which part of your body is sticking up in the air!
But I digress, this series of articles is about the hows of starting a security program, not the whys. Keeping the various sizes and roles of companies I have either worked for or with in mind, I am going to give some pointers on how to get the ball rolling on this daunting task.
First, let’s talk about what security is, and isn’t. It isn’t just having a policy and then turning to network defense appliances and washing your hands of the idea, mission accomplished. If your security program isn’t mandated by the board and mapped to all business lines, legal and regulatory requirements, and threat agents, it isn’t complete. It also isn’t enough to guard the perimeter while leaving the internal network in shambles. Likewise, if you don’t have data classification, you can’t move forward in a security program. After all, what is it you’re protecting and why? How can you have a risk assessment if there isn’t a metric for what is at risk? “If you don’t eat your meat, you can’t have any pudding! HOW can you have any pudding if you don’t eat your meat?!” Wait, I’ve gone off topic again. Anyway…
Let’s agree we need security and doing the above things simply isn’t cutting it. What are the first steps to getting your business security focused? Dive in and start applying patches? Install that much needed IPS? Write policies? No. Our first steps are crucial and should happen in rapid succession.
The board, CEO, and so forth, all must be on board with this. If there is no mandate coming down from the top, hang it up, go home, forget about it, game over man… game over.
First and foremost, let’s agree we need qualified people architecting it. I know most people may laugh, but I have tragically seen unqualified people put in the position of managing security. This is NOT a job to be given to someone because they have seniority. You will FAIL. This director must report directly to the CEO and board. It is not in the best interest of security to report to the CIO, CTO, network director, etc. It is not in their best interest to have anything negative reported by the security department, and it will therefore not be. A security team is not a political football to be used by the network director to give the board and CEO false hopes of a safe network, all the while not letting the team do their job because he may look bad. You will FAIL. It is not a department that needs to be a clapping monkey doing cheap tricks to impress upper management with “quick wins.” If anyone ever thinks about uttering the words “quick win,” toss them out ASAP. You will FAIL. That’s another thing: if someone says you won’t fail, toss them out. You WILL FAIL. The difference is how gracefully you fail. Did you fail and know within seconds? Hours? Days? Years? Did you ever find out?
So for our first step, and the end of this first installment: we need sign-on from the board and CEO, we need qualified people in place to architect this program, and we need the team to report directly to the board and CEO. If this is going to be a political football and, for some reason, no one can put on the big boy pants and enforce the program, I would venture to say your best bet is to outsource the entire program.
Contact Shades of Gray Security to find out how we can help grow your security department.