Security Basics mailing list archives
Re: Starting a New Security Department/Division
From: krymson () gmail com
Date: 27 Jul 2007 20:18:52 -0000
Warning: likely not much substance to my post, but I wanted to say that you likely will get two veins of responses, paralleling your description of operations vs higher-level. I would prefer security to report to IT. Honestly, the future is in baking security into IT projects from the start, so that is where it should be. If you report to the CFO, you'll eventually turn into an audit/risk department and likely lose the operational piece. You'll likely also be seen as the enemy by IT, if you're under the CFO. (My guess only, not based on experience.) For staffing, you need three layers, ideally. A strong operational team with high skill in various technical areas; your grunts. You need a layer of analysts, and then your top level leaders who can play the politick game at the top levels of management. I pick these because each section has skills and needs that the other section members likely do not have. Also, never skimp on continued training and employee happiness. You want to build their skills and not have them bolt once they learn more. The department should look into business contionity and disaster recovery, data protection (which means knowing the data and the company structure to assign access, and assess risk on systems and vulnerabilities....yada yada. I'm an operations guy, so my viewpoint is largely on that level, where you can't fluff over tasks like log monitoring, traffic monitoring, access control assessments, vulnerability scanning and verifications, firewall/IDS log monitoring, and change management. These are often overlooked and very weak. Monitor more than you need, because you can always ignore it, but can never recreate it if you missed it. Want a book? I enjoyed Andrew Jaquith's Security Metrics book. It applies to all three levels I describe above, but most centrally on that analyst level. <- snip -> I have been tasked with a very unique opportunity. I have been selected to be part of a 2 person team to rebuild the Enterprise Security Division for a fairly large organization. I want to take this task as far as I can, and I am going to use all of the resources available to me to make this new division the best it can be. My feeling toward the division is that it should be more of an oversight group not operational in nature. The team would provide the check and balance with in the IT department and the organization. More detailed functions might include Internal Vulnerability Auditing/scanning, Policy review, Firewall and IDS/IPS review, just to touch on a few. The organization currently has a Security team in place but it was created for show and tell purposes. There is new management in place and they want to see that change. The Junkyard dog is getting his teeth. Here is where you, the list members, come in. I would like to hear how you might build you "dream" Security department. What functions the department would carry out, who it would report to with in the organization, staffing needs, etc.
Current thread:
- Starting a New Security Department/Division Chris Barber (Jul 27)
- <Possible follow-ups>
- Re: Starting a New Security Department/Division krymson (Jul 27)
- Re: Starting a New Security Department/Division WALI (Jul 30)