An immature security program is an exciting challenge

Mathias Thurman | Sept. 30, 2014
After four years of building one company's security program, our manager feels the need to take on a new challenge.

I also obtained a copy of the company's organization chart to identify the people I will want to partner with. Those people include the heads of sales, marketing, professional services, engineering, customer support, IT, education and training, finance and HR, but I'll also hold one-on-one introductory meetings with other people on those teams -- it's amazing what people will divulge in that sort of situation.

Of course, as a new employee, I've gotten a firsthand look at the new-hire onboarding process, and I've paid close attention to things like PC provisioning, initial password issuance, Wi-Fi access, mobile device support and physical security controls such as badges, cameras and guards. When I booted up my PC for the first time, I could see which antivirus tool was in use, whether I had local admin access, what policies were being enforced, what third-party tools were installed, how patches were being pushed and whether the company uses centralized management and encryption.

Opening my browser, I checked to see whether I could access risky websites, and I took a look at our internal sites to see if they contained sensitive data and whether proper permissions were configured.

Besides all that, I signed up for company-sponsored webinars so I could become familiar with the company's products and services. I've arranged to shadow our sales, customer support and professional services teams to see how they interact with customers. Eventually, I will become familiar enough with our products and services to let me make engineering recommendations that will enhance product security. For now, I'm in total observation mode, taking notes the entire time.

The goal of all this exploration, investigation, observation, interviewing and testing is to come up with an initial assessment and propose a three-year road map that prioritizes the most critical security issues. In addition to compliance risks, I'm going to initially focus on risks that align with the Kill Chain Analysis, which was developed by Lockheed Martin to help information security professionals proactively remediate and mitigate threats.

I've got a long road ahead of me, but building things is what I enjoy. I look forward to sharing the adventure with you, my readers.