Note: I've been asked to post this from a reader that asked to remain anonymous but would like to inject some thoughts into our dialog here. If you have thoughts you would like to insert into the discussion feel free to contact us. -mj
Allow me to introduce myself. Or perhaps not.
I am a security rookie. While I have over 30 years of experience in IT, I have never touched security. But I asked my manager for a new challenge, and he responded by making me our organization’s security officer. Be careful what you wish for.
We have never had a security officer, and so have never had any formal security program. What we do have is a quality IT staff who are all security conscious. But without any formal policies and procedures, mistakes are made. Many mistakes.
My task is obvious. I need to clean up the mess that has come from two decades of ad-hoc work with no security direction, and at the same time create the policies and procedures that keep it cleaned up. Sounds simple enough. Or perhaps not.
By way of an introduction, that’s as far as I’m willing to go. I may be a rookie, but I’m smart enough to know that it’s not a great idea to broadcast to the world that this network has a novice in charge of security. I will be endeavoring to keep my identity secret. But my intention is to document our journey from our current haphazard security state to an organized, carefully planned and maintained state. Maybe this will be educational, if there are others like myself starting out (somewhat belatedly) on this journey. It might be amusing for the more seasoned security pros if they choose to read. There’s a chance it will be horrifying. I’m really not sure.
The problem with such a large project is always ‘Where do I start?’ For me, the answer was obvious. I needed to go back to school. So I’ve enrolled in a two year, continuing education program in IT Security at a local university. I don’t believe that I could tackle this without some education.
For my manager, the answer was also obvious. He needed measurable progress to show his director that we are improving. And he can’t wait two years to show it.
To provide the baseline for measurement, we had an assessment done by a security consultancy. They came in and evaluated our existing practices against the Critical Security Controls published by CIS. These controls map to several security frameworks, including ISO 27001, NIST, and COBIT. The evaluation provided both our baseline score for senior management (45%), and a roadmap for me to prioritize our remediation.
Roadmap firmly in hand, the next task was to choose one of those frameworks to guide our efforts. I did a fair amount of reading on the various frameworks available, and the pros and cons of each, in an effort to determine the best fit for our organization. I’m still not sure, but we’ve chosen to go with NIST. The deciding factor: free fits our budget. Some realities are inescapable.
In my next post, I’ll go over some of the problems our assessment found, and how we’ve chosen to prioritize the remediation. I hope you’ll come back for it.