Security Basics mailing list archives

Re: InfoSec Importance


From: Mark Teicher <mht3 () earthlink net>
Date: Mon, 5 Jun 2006 15:19:23 -0400 (GMT-04:00)

This is similar to a story I once heard, regarding a senior security consultant who convinced a telecom equipment reseller that they should build a security practice; since he knew the business, he was the obvious choice as Corporate Security Officer.  Then the press release was placed on the website:

In today's ever changing converged environment, companies must be able to protect both their voice and data networks. In order to continue to serve customers the best in service and support, <INSERT COMPANY NAME HERE> has created the <INSERT COMPANY NAME HERE> Security Team. "Our newly established <INSERT COMPANY NAME HERE> Security Group was created to provide the best in security practices and assessments in the area of Converged Security," said president and CEO of <INSERT COMPANY NAME HERE>. "<INSERT COMPANY NAME HERE> has brought on board leaders in the Converged Security space to create the premier Security Team for today and tomorrow."

"As telephone communications move to the IP world, it will become increasingly easier to intercept and monitor telephone calls by anyone," said Chief Security Officer, <INSERT COMPANY NAME HERE>. "How businesses handle threats to their converged network will be crucial to their success."

A year later, they have paid the CSO a bucket load of money, two pen-tests for two customers, several giveaways, several "in your face" or "Security Scare" presos.

After observing this type of scenario over and over again, it is totally amazing that every once in a while a hired gun gets it right, but their ego screams out loud "The World is Not Enough" and the CSO suddenly leaves after 11 months, or resigns from being the Director of Homeland Security and takes a job with Microsoft, and then 11 months later becomes a greeter at Wal-Mart.

So to answer your question, bringing in a big-gun CSO type isn't where to start with your management, but security occurs when something goes wrong, and they start pointing fingers at the person who said "We need a CSO".

:)
-----Original Message-----
From: Chris Dalton <Chris.Dalton () capitalonebank com>
Sent: Jun 2, 2006 3:57 PM
To: Mohamad Mneimneh <mmneimneh () comium com>, Nick Owen <nickowen () mindspring com>
Cc: security-basics () securityfocus com
Subject: Re: InfoSec Importance

Look at the ISACA website.

Chris G. Dalton C.P.A.
Corporate Audit Services
Capital One Financial
1-504-533-6419 phone
1-504-533-2355 fax

"Nick Owen" <nickowen () mindspring com> 06/02/06 1:28 PM >>>
Mohamad Mneimneh wrote:
Hi List,

I am trying to convince my management of the importance of having a security officer in the enterprise. I have googled the topic, but not much was found. I would really benefit from your suggestions on how to approach the management.

Mohamad:

I think a financial & risk management approach is best.  I recommend you look at the value of the assets that need protection and the risks of exposure of those assets. Google 'average loss expectancy', ALE or Annual ALE.  It may be that your company is not big enough to justify a security officer.

There is a book called "Managing Cybersecurity Resources: A Cost-Benefit Analysis" from Gordon and Loeb that is a pretty good start.
http://www.amazon.com/gp/product/0071452850/104-1775726-5941529?v=glance&n=283155


Is your firm covered by a regulation that might warrant a security officer, such as (in the US), GLB, HIPAA, SarBox, etc?  You might argue that your firm is 'required' to have such a position or you might get counsel to argue your case for you.

HTH,

Nick


-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com 
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen 
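The ALE-based cost-benefit argument Nick suggests above, worked through in Python as an added example that is not part of the thread. ALE is annualized loss expectancy (single loss expectancy times annual rate of occurrence); the risk register, mitigation ratio and annual cost of the position are constructed sample numbers, not figures from the thread.

```python
# Added example: justify (or not) a security officer position using
# annualized loss expectancy and return on security investment (ROSI).
# Every asset value, exposure factor, rate and cost here is constructed.

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x fraction of that value lost in one incident."""
    return asset_value * exposure_factor

def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x annual rate of occurrence (expected incidents per year)."""
    return sle * aro

# Constructed risk register: (asset, value, exposure factor, ARO)
RISK_REGISTER = [
    ("customer billing database", 2_000_000, 0.25, 0.5),
    ("e-mail and collaboration platform", 300_000, 0.40, 2.0),
    ("public web site", 150_000, 0.60, 1.0),
]

def total_ale(register=RISK_REGISTER) -> float:
    """Sum the ALE of every asset in the register."""
    return sum(
        annualized_loss_expectancy(single_loss_expectancy(value, ef), aro)
        for _, value, ef, aro in register
    )

def rosi(ale_before: float, mitigation_ratio: float, annual_cost: float) -> float:
    """ROSI = (risk reduction - cost of control) / cost of control."""
    ale_after = ale_before * (1 - mitigation_ratio)
    return ((ale_before - ale_after) - annual_cost) / annual_cost

def justify_officer(annual_cost: float, mitigation_ratio: float,
                    register=RISK_REGISTER) -> dict:
    """Compare the position's annual cost against the ALE it is expected to remove.

    mitigation_ratio is the assumed fraction of ALE the officer's program
    eliminates; a positive ROSI means the expected loss avoided exceeds the cost.
    """
    before = total_ale(register)
    r = rosi(before, mitigation_ratio, annual_cost)
    return {
        "ale_before": before,
        "ale_after": before * (1 - mitigation_ratio),
        "rosi": r,
        "justified": r > 0,
    }

if __name__ == "__main__":
    print(justify_officer(annual_cost=150_000, mitigation_ratio=0.30))
```

With the constructed register the position pays for itself (ROSI 0.16); a register holding only a 50,000 file server gives a negative ROSI, which is the "not big enough to justify a security officer" case Nick mentions.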
