Re: Starting a New Security Department/Division

[krymson () gmail com]

Warning: likely not much substance to my post, but I wanted to say that you likely will get two veins of responses, 
paralleling your description of operations vs higher-level. 

I would prefer security to report to IT. Honestly, the future is in baking security into IT projects from the start, so 
that is where it should be. If you report to the CFO, you'll eventually turn into an audit/risk department and likely 
lose the operational piece. You'll likely also be seen as the enemy by IT, if you're under the CFO. (My guess only, not 
based on experience.)

For staffing, you need three layers, ideally. A strong operational team with high skill in various technical areas; 
your grunts. You need a layer of analysts, and then your top level leaders who can play the politick game at the top 
levels of management. I pick these because each section has skills and needs that the other section members likely do 
not have. Also, never skimp on continued training and employee happiness. You want to build their skills and not have 
them bolt once they learn more.

The department should look into business contionity and disaster recovery, data protection (which means knowing the 
data and the company structure to assign access, and assess risk on systems and vulnerabilities....yada yada.

I'm an operations guy, so my viewpoint is largely on that level, where you can't fluff over tasks like log monitoring, 
traffic monitoring, access control assessments, vulnerability scanning and verifications, firewall/IDS log monitoring, 
and change management. These are often overlooked and very weak. Monitor more than you need, because you can always 
ignore it, but can never recreate it if you missed it.

Want a book? I enjoyed Andrew Jaquith's Security Metrics book. It applies to all three levels I describe above, but 
most centrally on that analyst level.


<- snip ->

I have been tasked with a very unique opportunity. I have been
selected to be part of a 2 person team to rebuild the Enterprise
Security Division for a fairly large organization. I want to take
this task as far as I can, and I am going to use all of the resources
available to me to make this new division the best it can be.

My feeling toward the division is that it should be more of an
oversight group not operational in nature. The team would provide the
check and balance with in the IT department and the organization.
More detailed functions might include Internal Vulnerability
Auditing/scanning, Policy review, Firewall and IDS/IPS review, just to
touch on a few.

The organization currently has a Security team in place but it was
created for show and tell purposes. There is new management in place
and they want to see that change. The Junkyard dog is getting his
teeth.

Here is where you, the list members, come in. I would like to hear
how you might build you "dream" Security department. What functions
the department would carry out, who it would report to with in the
organization, staffing needs, etc.