Security Basics mailing list archives

Re: First day and week as CISO?


From: "Franck Vervial" <vervial () gmail com>
Date: Mon, 1 Dec 2008 22:04:11 +0100

I am not a CISO, but if I were one, my first day / first week job would be:

1) have a company presentation:
    - organization chart
    - assets, and which are the most important for the business
    - infrastructures of the IS (international see)
    - managers: main, security, legal department
    - budgets allocated for security

2) see the security team(s) and see how they are organized

3) have a look at the last security audit results, technical and organizational.
If there is a lack at this level, I will plan to have one as soon as possible.

4) If I have the results of technical security audits, and if big flaws exist:
I will ask the security employees if something has been done to counter them.
I will ask for a document which explains the counter-measures.

5) If I get the results of the security organization audit, I will see if there are
security organization gaps; in order to do that, I will use a security
implementation standard like ISO 27001.

I think this is enough work for just one week!
My first idea in one week is to see if important security risks exist;
in order to know this, I have to know some people, understand the company
organization and have the results of recent security audits.
And take measures if necessary.

I could think that such a big company with a Web business and so many
firewalls is at a good security level, but sometimes
big companies have big security flaws, principally in the organization.

The bigger the company is, the more important the needs in security organization
are, compared to technical security
(time to install security patches, procedures
to limit the risks of production incidents due to a change, etc.).

Hope this could help

Regards,

Franck

PS: sorry for possible language mistakes

2008/11/30 cisohelp () googlemail com <cisohelp () googlemail com>

throw away wrote:

Scenario....

Going to be interviewing soon for a CISO..

One of the questions we're going to be asking is the theory question below:

What would you do in the first day and week on the job?

The company is a multi-million $ company, web based, sites all over the globe. 100's of users, 100's of servers, and a hell of a lot of firewalls.

Any thoughts?

--
PGP Key ID: 02ADEE48, FPR: B359 F8A6 270A 9114 104B 9E98 0CF2 516E 02AD EE48
