Security Basics
mailing list archives
Re: Starting a New Security Department/Division
From: "WALI" <hkhasgiwale () gmail com>
Date: Sat, 28 Jul 2007 14:12:47 +0400
I agree with krymson on most aspects, except where he states that security
should be gelled within operations and not report to the CFO/CEO or anyone
else.
Krymson, you have a point where you state that when security functions report
to the CFO they morph into more of an auditing function, and I agree, but equally
bad is the scenario where security reports to the operations manager or CIO.
Operations by definition are service centric, and servicing the business takes
utmost priority; usually nothing stands in the way when any business/data owner
needs some change/project to be undertaken and made functional NOW!!
Then security risk assessment, study, controls etc. all fly out of the
window.
That's the service culture of IT.
If security reports to the IT operations manager, it at best remains a sleeping
dog; I speak from my little experience.
Security personnel should sit with the IT guys, if possible in the same hall
and adjacent cubicles, not in their own silos on a higher pedestal, for they
need to be friends and confidantes of the operational network/system admins and
not act like some higher-level experts always trying to hammer security
sense into daily routines; otherwise they will easily be left to rot by these
system/network admins and IT managers/CIOs etc. for being a nuisance to
operations. While reporting to the CFO/CEO etc., they should also carry
authority (policy docs signed) from someone at the CEO level.
The security manager/officer and the operations manager should both report to
the CFO/CEO. I repeat, security should report to the SAME ENTITY the CIO/IT
manager does, or else there would be little sense in the org structure.
My three yens!!
----- Original Message -----
From: <krymson () gmail com>
To: <security-basics () securityfocus com>
Sent: Saturday, July 28, 2007 12:18 AM
Subject: Re: Starting a New Security Department/Division
Warning: likely not much substance to my post, but I wanted to say that
you will likely get two veins of responses, paralleling your description
of operations vs. higher-level.
I would prefer security to report to IT. Honestly, the future is in baking
security into IT projects from the start, so that is where it should be.
If you report to the CFO, you'll eventually turn into an audit/risk
department and likely lose the operational piece. You'll likely also be
seen as the enemy by IT, if you're under the CFO. (My guess only, not
based on experience.)
For staffing, you need three layers, ideally: a strong operational team
with high skill in various technical areas (your grunts); a layer
of analysts; and then your top-level leaders who can play the political
game at the top levels of management. I pick these because each section
has skills and needs that the other sections' members likely do not have.
Also, never skimp on continued training and employee happiness. You want
to build their skills and not have them bolt once they learn more.
The department should look into business continuity and disaster recovery,
data protection (which means knowing the data and the company structure to
assign access), and assessing risk on systems and vulnerabilities... yada
yada.
I'm an operations guy, so my viewpoint is largely at that level, where you
can't fluff over tasks like log monitoring, traffic monitoring, access
control assessments, vulnerability scanning and verification,
firewall/IDS log monitoring, and change management. These are often
overlooked and very weak. Monitor more than you need, because you can
always ignore it, but you can never recreate it if you missed it.
Want a book? I enjoyed Andrew Jaquith's Security Metrics book. It applies
to all three levels I describe above, but most centrally on that analyst
level.
<- snip ->
I have been tasked with a very unique opportunity. I have been
selected to be part of a 2 person team to rebuild the Enterprise
Security Division for a fairly large organization. I want to take
this task as far as I can, and I am going to use all of the resources
available to me to make this new division the best it can be.
My feeling toward the division is that it should be more of an
oversight group, not operational in nature. The team would provide the
checks and balances within the IT department and the organization.
More detailed functions might include internal vulnerability
auditing/scanning, policy review, and firewall and IDS/IPS review, just to
touch on a few.
The organization currently has a Security team in place but it was
created for show and tell purposes. There is new management in place
and they want to see that change. The Junkyard dog is getting his
teeth.
Here is where you, the list members, come in. I would like to hear
how you might build your "dream" security department: what functions
the department would carry out, who it would report to within the
organization, staffing needs, etc.