Security Basics mailing list archives
Re: InfoSec Importance
From: Mark Teicher <mht3 () earthlink net>
Date: Mon, 5 Jun 2006 15:19:23 -0400 (GMT-04:00)
This is similar to a story I once heard, regarding a senior security consultant who convinced a telecom equipment reseller that they should build a security practice since he knew the business, he was the obvious choice as Corporate Security Officer. Then the press release was placed on the website:

" In today's ever changing converged environment, companies must be able to protect both their voice and data networks. In order to continue to serve customers the best in service and support, <INSERT COMPANY NAME HERE> has created the <INSERT COMPANY NAME HERE> Security Team.

"Our newly established <INSERT COMPANY NAME HERE> Security Group was created to provide the best in security practices and assessments in the area of Converged Security" said president and CEO of <INSERT COMPANY NAME HERE>. "<INSERT COMPANY NAME HERE> has brought on board leaders in the Converged Security space to create the premier Security Team for today and tomorrow."

"As telephone communications move to the IP world, it will become increasingly easier to intercept and monitor telephone calls by anyone," said Chief Security Officer, <INSERT COMPANY NAME HERE>. "How businesses handle threats to their converged network will be crucial to their success." "

A year later, they have paid the CSO a bucket load of money, two pen-tests for two customers, several giveaways, several "in your face" or "Security Scare" presos.

After observing this type of scenario, over and over again, it is totally amazing, that every once in a while, a hired gun gets it right, but their ego screams out aloud "The World is Not Enough" and the CSO suddenly leaves after 11 months, or resigns from being the Director of Homeland Security and takes a job with Microsoft, and then 11 months later becomes a greeter at Wal-Mart.
So to answer your question, bringing in a big-gun CSO type isn't where to start with your management, but security occurs when something goes wrong, and they start pointing fingers at the person who said "We need a CSO" :)

-----Original Message-----
From: Chris Dalton <Chris.Dalton () capitalonebank com>
Sent: Jun 2, 2006 3:57 PM
To: Mohamad Mneimneh <mmneimneh () comium com>, Nick Owen <nickowen () mindspring com>
Cc: security-basics () securityfocus com
Subject: Re: InfoSec Importance

Look at the ISACA website.

Chris G. Dalton C.P.A.
Corporate Audit Services
Capital One Financial
1-504-533-6419 phone
1-504-533-2355 fax

"Nick Owen" <nickowen () mindspring com> 06/02/06 1:28 PM >>>

Mohamad Mneimneh wrote:
> Hi List,
> I am trying to convince my management of the importance of having a
> security officer in the enterprise. I have googled the topic, but not
> much was found. I would really benefit from your suggestions on how to
> approach the management.

Mohamad:

I think a financial & risk management approach is best. I recommend you look at the value of the assets that need protection and the risks of exposure of those assets. Google 'average loss expectancy', ALE or Annual ALE. It may be that your company is not big enough to justify a security officer.

There is a book called "Managing Cybersecurity Resources: A Cost-Benefit Analysis" from Gordon and Loeb that is a pretty good start.
http://www.amazon.com/gp/product/0071452850/104-1775726-5941529?v=glance&n=283155

Is your firm covered by a regulation that might warrant a security officer, such as (in the US), GLB, HIPAA, SarBox, etc? You might argue that your firm is 'required' to have such a position or you might get counsel to argue your case for you.

HTH,
Nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen