Security Basics
mailing list archives
RE: First day and week as CISO?
From: "Robertson, Seth (JSC-IM)" <Seth.Robertson-1 () nasa gov>
Date: Mon, 1 Dec 2008 14:24:56 -0600
Conduct a fresh organization-wide risk assessment to determine the
strengths and weaknesses of the information security controls and
practices; the existing security staff probably know a handful of
weaknesses off-hand (sore points which they have previously been
unsuccessful at better securing). There are many benefits: you are able
to present management a fresh understanding of the security posture, you
are able to identify areas which they have de facto already accepted a
risk, whether they know it or not (and if an incident occurs as a result
of the existing security state you have CYA), and you are able to spin
off a justified list of projects to mitigate those risks on the horizon.
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of cisohelp () googlemail com
Sent: Sunday, November 30, 2008 11:23 AM
To: security-basics () securityfocus com
Subject: Re: First day and week as CISO?
throw away wrote:
Scenario....
Going to be interviewing soon for a CISO..
One of the questions we're going to be asking is the theory question
below:
What would you do in the first day and week on the job?
The company is multi-million $ company, web based, sites all over the
globe. 100's of users, 100's of servers, and a hell of a lot of
firewalls.
Any thoughts?