Last week I published the first part about things to consider when managing a security program, and here I follow up with 5 more things.
1. How motivated is your company for security work?
In many organisations, you and your team might in the beginning be seen as troublemakers who delay development, and people might think that you are chasing ghosts. Sometimes that might even be true. If this is not solved, your program will make little progress and have no friends. We all know how it is to have no friends. So how can you solve this? You must find the people out there who listen to you and use them as examples. They will help you get your way of working accepted more widely. Combine this with some small incentives for trying to do it your way. Put in an hour of example training on the fly; it will help you move forward. This works like an airline bonus system: if you join, you will be treated better.
2. How do you want to be perceived within your company?
The nice guy, the tough guy, the "no, no" guy? Or the guy who has locked himself in behind a door that no one else has access to?
This is your choice from day one. You can set the standard for your team directly. Sit close to the important internal customers so that you are visible to at least some of them. Make sure that people can talk to you and get answers when they try to find you. Being accessible face to face (F2F) is important; do not be reachable only by email while you sit in meetings. My recommendation is to be the organisation that helps people and gives them advice on how to do things. Be part of their team meetings etc. Also be aware that some people out there are skilled in your area, so do not assume that you are surrounded by security idiots.
3. Which things must not be stolen or tampered with from the company perspective?
Has anyone done that homework? Whose responsibility is it?
The first task is to try to define the things that are top secret, because not everything is on that level. An advertisement published yesterday for hiring people is not the thing you should protect with most of your budget. You must also try to do the maths on the cost of protecting something. If the cost of protecting it is higher than its value, should you then protect it? This is an interesting exercise to do. I can guarantee you will get many valuable reflections out of it.
4. What is your responsibility today and tomorrow?
One thing is sure in life: things change. Your company changes, and the customers of the company change with it.
Do you try to follow how the company is doing? Are there any changes in revenue? Is the company slowing down or accelerating? Is your manager strong and are people listening to that manager?
You need to mentally prepare yourself for change. Reorganisations come often. In good times they are done to accommodate all the new people coming in. However, when things go south they are done to let employees and managers go. How would that affect your business? You should try to write some simple scenarios for yourself and your team. It could be something like 25% less budget or 25% more budget. Even worse, consider 25% more work but a 15% cut in budget. How would you act?
5. How can you know how hackers and attackers act?
Because these people act out of a strange passion or for money, they are dangerous and fast. How will you keep up?
Surprisingly enough, old-school vulnerabilities from 20 years ago are still hurting some companies. These companies have not done their basic homework. But naturally you have that under control… There are also other things to consider, like passwords, opening documents from untrusted sources etc. For these things there is a lot to read about on the Internet.
Understanding what hackers are doing and how they act is important for your way of working and for your budget. Make sure to read up on articles, follow Black Hat and White Hat, and go to conferences that other companies in your area attend. Remember that fixing a problem early is maybe 1000 times less costly than cleaning up after it has hit the fan.