This is a new one that I wouldn’t have placed here years ago. In the last few years the importance of securing the Enterprise and protecting intellectual property and all other confidential information has risen to the top level. I’ve written about this a lot lately with posts here, here, here and here. And of course, you can read about it all over the internet, and consultants will line up to tell you about it.
When I started in this job, it was barely on the radar, and things like 3rd party penetration tests were the one time of the year when you thought about these topics. In the last few years, this has risen to a topic that I seem to think about every single day.
Here are some recommendations on what should be done at the start of a new assignment:
- Get a security assessment from your own team and look over any recent 3rd party assessments. If your team is not doing a regular health check of some kind, you should know that you are in trouble. Your team should be doing a regular security assessment and developing action plans and budgets based on the results. If you have nothing like this, then get it started.
- Identify and meet with your security team. Listen to them. Ask what they need and find out what they are worried about.
- Talk to your auditors and get their input on risks and concerns from recent audits.
- Develop an action plan including people, projects and budgets.
- Discuss with your boss and the organization leadership team. If this has been a high priority item prior to your arrival, then there should be no surprises. If it hasn’t been on the front burner, then talk to your leadership team about moving it to the front.
We do a Health Check where I work and we update it yearly. In the Health Check we identify every known risk group and then we self-assess how we are doing in each area. The list of risks is only ever added to as we learn of new risks or threats over time, so it gets longer and deeper every year. We create a scorecard to grade how we are doing in each risk group and develop go-forward action plans. The Health Check is reviewed with and shared with the IT Leadership team. All of the IT leadership team (and every employee) is responsible for security.
I think the senior IT security person should report to the CIO. He needs to be part of your staff and all your discussions. He needs access to you, and the two of you need to talk often.
You’ve got to secure the Enterprise given whatever spending and people constraints you have in place. You can’t be perfect, but you need to make it a priority.
This is post 4 in a series.