Open Letter to New Security Manager
Posted June 27th, 2007 by rybolov

Let me be one of the first to congratulate you. Whether your title is CISO, ISSO, Manager, or Consultant, being a security manager is an accomplishment.
Now for the bad news: you need to go into the job knowing that you will always be short on people, time, and money. Good people are hard to come by, and as soon as you get them trained up, they’ll change jobs because they have outgrown what you hired them to do. Time is critical because effective security requires cooperation with all the other business disciplines, and building that cooperation takes time and effort. Security is seen as a cost center, so any good business will try to limit security spending in order to maximize its profit.
My friends at ISM-Community have developed an Information Security Management Top 10 document with some very solid practical advice for how to survive in today’s security environment. Think of it as a list of meta-themes that all successful security managers and programs have in common.
The ISM Top 10 doesn’t solve all of your people, time, and money problems, but it can help you recognize trends and set a long-term strategy for winning.
Posted in ISM-Community, Risk Management, What Works
July 5th, 2007 at 10:14 am
Your “bad news” does a good job of summing up the general issues. A quick glance at the “Top 10” list provides a good look at a new CISO’s upcoming challenges for him/herself and their organization.
Go forth and do good things,
Cutaway
July 5th, 2007 at 3:04 pm
Thanks, Cutaway.
I think we can all see the problem, the question is what we do about it. That’s where you end up with the varying schools of thought: compliance clingers, SANS ultra-technicians, pragmatic CSOs, ISMS ala 27001, and the “forget it all, let’s go back to 3×5 index cards”.
I’ll leave it up to you to decide where I fit somewhere along this taxonomy. =)