Security Basics mailing list archives
Re: First day and week as CISO?
From: "Franck Vervial" <vervial () gmail com>
Date: Mon, 1 Dec 2008 22:04:11 +0100
I am not a CISO, but if I were one, my first day / first week on the job would be:

1) Have a company presentation:
- organization chart
- assets, and which ones are the most important for the business
- infrastructure of the information system (international sites)
- managers: main, security, legal department
- budgets allocated for security

2) See the security team(s) and how they are organized.

3) Have a look at the results of the last security audits, technical and organizational. If there is a lack at this level, I will plan to have one as soon as possible.

4) If I have the results of technical security audits, and if big flaws exist, I will ask the security employees whether something has been done to counter them. I will ask for a document which explains the counter-measures.

5) If I get the results of a security organization audit, I will check whether there are security organization gaps; in order to do that, I will use a security implementation standard like ISO 27001.

I think this is enough work for just one week!

My first idea in one week is to see if important security risks exist. In order to know this, I have to know some people, understand the company organization and have the results of recent security audits. And take measures if necessary.

I could think that such a big company, with web business and so many firewalls, is at a good security level, but sometimes big companies have big security flaws, principally in the organization. The bigger the company is, the more important the needs in security organization are, compared to technical security (time to install security patches, procedures to limit the risk of production incidents due to a change, etc.).

Hope this could help.

Regards,
Franck

PS: sorry for possible language mistakes

2008/11/30 cisohelp () googlemail com <cisohelp () googlemail com>
throw away wrote: Scenario.... Going to be interviewing soon for a CISO. One of the questions we're going to be asking is the theory question below: What would you do in the first day and week on the job? The company is a multi-million $ company, web based, sites all over the globe. 100's of users, 100's of servers, and a hell of a lot of firewalls. Any thoughts?
-- PGP Key ID: 02ADEE48, FPR: B359 F8A6 270A 9114 104B 9E98 0CF2 516E 02AD EE48
Current thread:
- Re: First day and week as CISO? cisohelp () googlemail com (Dec 01)
- RE: First day and week as CISO? Ryan Helfter (Dec 02)
- RE: First day and week as CISO? Robertson, Seth (JSC-IM) (Dec 02)
- Re: First day and week as CISO? Franck Vervial (Dec 02)
- Re: First day and week as CISO? Ardian Silvano (Dec 03)
- <Possible follow-ups>
- Re: Re: First day and week as CISO? infosec . manager (Dec 02)
- Re: Re: First day and week as CISO? bill_smith_66 (Dec 02)