
An immature security program is an exciting challenge

Mathias Thurman | Sept. 30, 2014
After four years of building one company's security program, our manager feels the need to take on a new challenge.

I've embarked on a new adventure, in the form of a new job. Starting with this installment of my journal, I'll be telling you all about it.

I had good reasons to make a change, but it wasn't that I was dissatisfied with my previous job. After four years there, I had built a solid security program, established meaningful professional relationships and become familiar with the infrastructure, product, people, culture and overall company ecosystem. I had overcome some big challenges in the course of righting the company's security posture, but in the end, it was challenge that was lacking. I decided that I wanted to start over at a company that needed somebody to build a strong security program from the ground up.

It's always sad to leave a company where you've been happy, but I had the comfort of knowing that all I had done there would live on after my departure. Meanwhile, my new company seems ready to accept my advice and counsel in order to better protect itself from all the nasty stuff that could beset it. Let the adventure begin!

There are similarities between where my new company is right now with regard to security and where my old company was when I started there. But I don't expect this new job to be a repeat of the last four years. For one thing, I am starting with all the knowledge and experience that I gained over the past four years. In the course of that time, I have learned a lot about things like cloud computing, mobile devices, advanced malware, data handling and security awareness. And I expect to keep on learning, since new things that I can't even anticipate are sure to crop up.

Like the company I've just left, my new company has grown very rapidly. Wisely, its leadership has realized that it could be derailed by a compromise of the sort that has hit Target, Home Depot and UPS Store. They've also begun to focus on the need to be compliant with various regulations and wanted to find someone who could fully engage on issues of risk and compliance.

For now, this new company is too small to justify a true "chief" information security officer. In fact, I am the entire security operation. But for all intents and purposes, my role has the same scope, responsibilities and liabilities as a CISO's.

Getting started
In my first two or three weeks, I need to act like a sponge and soak up as much information as I can. So far, I've been reviewing company policies, codes of conduct, marketing materials and relevant procedures, such as data handling. I have found them all extremely immature from a security perspective. Next I looked over the results of recent compliance audits, security assessments and other third-party security testing of the company's products and infrastructure.

 
