An immature security program is an exciting challenge

An immature security program is an exciting challenge

After four years of building one company's security program, our manager feels the need to take on a new challenge.

I've embarked on a new adventure, in the form of a new job. Starting with this installment of my journal, I'll be telling you all about it.

I had good reasons to make a change, but it wasn't that I was dissatisfied with my previous job. After four years there, I had built a solid security program, established meaningful professional relationships and become familiar with the infrastructure, product, people, culture and overall company ecosystem. I had overcome some big challenges in the course of righting the company's security posture, but in the end, it was challenge that was lacking. I decided that I wanted to start over at a company that needed somebody to build a strong security program from the ground up.

It's always sad to leave a company where you've been happy, but I had the comfort of knowing that all I had done there would live on after my departure. Meanwhile, my new company seems ready to accept my advice and counsel in order to better protect itself from all the nasty stuff that could beset it. Let the adventure begin!

There are similarities between where my new company is right now with regards to security and where my old company was when I started there. But I don't expect this new job to be a repeat of the last four years. For one thing, I am starting with all the knowledge and experience that I gained over the past four years. In the course of that time, I have learned a lot about things like cloud computing, mobile devices, advanced malware, data handling and security awareness. And I expect to keep on learning, since new things that I can't even anticipate are sure to crop up.

Like the company I've just left, my new company has grown very rapidly. Wisely, its leadership has realized that it could be derailed by a compromise of the sort that has hit Target, Home Depot and UPS Store. They've also begun to focus on the need to be compliant with various regulations and wanted to find someone who could fully engage on issues of risk and compliance.

For now, this new company is too small to justify a true "chief" information security officer. In fact, I am the entire security operation. But for all intents and purposes, my role has the same scope, responsibilities and liabilities of a CISO.

Getting started

In my first two or three weeks, I need to act like a sponge and soak up as much information as I can. So far, I've been reviewing company policies, codes of conduct, marketing materials and relevant procedures, such as data handling. I have found them all extremely immature from a security perspective. Next I looked over the results of recent compliance audits, security assessments and other third-party security testing of the company's products and infrastructure.

I also obtained a copy of the company's organization chart to identify the people I will want to partner with. Those people include the heads of sales, marketing, professional services, engineering, customer support, IT, education and training, finance and HR, but I'll also hold one-on-one introductory meetings with other people on those teams -- it's amazing what people will divulge in that sort of situation.

Of course, as a new employee, I've gotten a firsthand look at the new-hire onboarding process, and I've paid close attention to things like PC provisioning, initial password issuance, Wi-Fi access, mobile device support and physical security controls such as badges, cameras and guards. When I booted up my PC for the first time, I could see which antivirus tool was in use, whether I had local admin access, what policies were being enforced, what third-party tools were installed, how patches were being pushed and whether the company uses centralized management and encryption.

Opening my browser, I checked to see whether I could access risky websites, and I took a look at our internal sites to see if they contained sensitive data and whether proper permissions were configured.

Besides all that, I signed up for company-sponsored webinars so I could become familiar with the company's products and services. I've arranged to shadow our sales, customer support and professional services teams to see how they interact with customers. Eventually, I will become familiar enough with our products and services to let me make engineering recommendations that will enhance product security. For now, I'm in total observation mode, taking notes the entire time.

The goal of all this exploration, investigation, observation, interviewing and testing is to come up with an initial assessment and assert a three-year road map, prioritizing the most critical security issues. In addition to compliance risks, I'm going to initially focus on risks that align with the Kill Chain Analysis, which was developed by Lockheed Martin to help information security professionals proactively remediate and mitigate threats.

I've got a long road ahead of me, but building things is what I enjoy. I look forward to sharing the adventure with you, my readers.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at

Join in the discussions about security!

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the CIO newsletter!

Error: Please check your email address.

Tags security

More about Home DepotLockheed Martin

Show Comments