“Individual commitment to a group effort — that is what makes a team work, a company work, a society work, a civilization work.” – Vince Lombardi
When faced with creating a new security program – Building Security from Scratch – it can feel like being George Taylor in Planet of the Apes: you awaken to find your ship has crashed and you have little more than the clothes on your back. You have to figure things out and make use of what is around you.
When in this situation, it is important to establish your bearings quickly. There are a lot of things to digest in order to start making a difference. As fate would have it, this seems to be a specialty of mine; I have accepted the challenge of creating a new role at least a half-dozen times in my career.
In my new position I have the honor and challenge of building a security program from scratch (hence the name of this column). Over the next year, I am going to share my plans, insights, and lessons-learned to contribute to a dialogue where we all can improve the way we protect our organizations.
Based on my experience, there are three steps to take when starting from scratch:
1. Getting Together: Who’s on Your Team?
The first question focuses on the team: “What will my team look like?” This is key whether you are a “one man band” or you have (or get to build) a team. Understanding who is “on the team” puts you on a path to create a plan for how to be most effective tactically and how to achieve strategic success. And the answer is more than just the people who report directly to you.
This picture is not set in stone; more time generally yields a clearer one, but starting with some picture is key.
2. Assess the Situation: How Will this Work?
With a snapshot of the team in place, it is time to assess the resources. This includes existing resources (personnel as well as software, etc.) and potential resources (budgeted items, management’s flexibility for unplanned spending, etc.).
As you identify resources, and the gaps between them, you will start to get a view of your current situation and of your company’s overall security posture. As this picture develops, you will more easily be able to map out how to address the gaps using those resources.
3. Get to Know the Family: Who Are Your Partners?
Just as important, though, is figuring out who the right people are in your “sister” departments, such as Human Resources, Legal, and, as you might guess, IT.
Human Resources is essential because it manages the relationship between a company and its employees. While HR performs many functions unrelated to risk, one of its most important roles is managing situations involving employee misconduct, terminations, and other delicate issues. There will often be an overlap between HR’s responsibilities for any kind of internal employee issue and Information Security’s role in protecting internal assets. You will need HR’s help before proceeding with any internal investigation that involves employees, and HR can benefit from your expertise when addressing certain kinds of employee issues, whether or not they know it yet.
The Legal team normally helps protect company assets in several ways: managing relationships with external entities (via contracts, NDAs, etc.), working alongside HR on internal employee matters, managing the company’s posture on legal issues and requests that arise from “outside” the company (discovery requests for pending litigation, law enforcement requests, etc.), and handling compliance matters (PCI DSS, HIPAA, SOX, etc.).
As an information security professional, you probably already have at least some familiarity with the functions of both of these groups. It should be easy to see how cultivating relationships with these departments, and with others like them such as Document Management and Compliance, can help in your efforts to build your program, whether that is a tip-to-tail effort or something more concentrated like penetration testing. Less obvious, and possibly more beneficial to you, is that these departments may not be fully aware of the benefits you bring to their efforts.
Turning the One Man Band into a Symphony
Information Security is about managing risk.
In creating a security program, it pays to realize that even when you are alone, the work requires a team. Showing other groups how their jobs can be easier while helping to manage risk and protect the company’s assets can effectively extend the security “team” well beyond whatever may be listed on paper.
What are you doing as a one-man-band to make a difference? What challenges are you tackling? Drop a note in the comments and we’ll take it from there…