Security Basics mailing list archives

RE: First day and week as CISO?


From: Ryan Helfter <Ryan.Helfter () ip-soft net>
Date: Mon, 1 Dec 2008 12:29:38 -0500

A soft question, eh?

Hopefully the answer is something along the lines of "how to work smarter and not harder".  This would also depend on 
what is already in place.  If this were me as the interviewee, then I would not want to re-invent the wheel.  What I 
would do is want to take a look at any past hardships the previous CISO had and prioritize those.  The others would be 
to put my trust in the InfoSec team that the business already hired and should trust, since they are the ammo to your 
WOMD, and calculate areas of inefficiency.  Thirdly, it would be the politics.  I have seen development prices increase 
by 10% when security is thought of last in an engagement.  There are your "nice to haves", your "need to knows", and 
your "business requirements".  Nobody starting up in a position wants to rock the boat or stir up the waters if you 
will, during their first days.  Spending money, especially in today's market, is frowned upon; however, security is one 
of the most expensive costs, hence why it is .  The definition of Security is "inconvenience".  Inconvenience demotes 
production values, so the role of a CISO is to make the business aware of its threats.  It is a role of the business to 
decide if they want to accept the risk or mitigate it.

All in all, a very tricky question.


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of cisohelp () googlemail com
Sent: Sunday, November 30, 2008 12:23 PM
To: security-basics () securityfocus com
Subject: Re: First day and week as CISO?

throw away wrote:
Scenario....

Going to be interviewing soon for a CISO..

One of the questions we're going to be asking is the theory question below:

What would you do in the first day and week on the job?

The company is a multi-million $ company, web based, sites all over the
globe. 100's of users, 100's of servers, and a hell of a lot of firewalls.

Any thoughts?

