Security Basics mailing list archives

Re: InfoSec Importance


From: infosecadmin <infosecadmin () comcast net>
Date: Sun, 04 Jun 2006 00:53:35 -0500

Mohamad,

I'm presuming you're looking for some assistance to justify a CSO; unfortunately, this is going to be more difficult than justifying improving system security, period!

A CSO in many organizations is going to provide the leadership for the direction of the organization's systems security, not necessarily correct the security issues themselves. Regardless of how competent a CSO is, unless the staff responsible for correcting the problems have confidence in the person and their technical competency, the best CSO is going to look like a failure.

Instead of trying to persuade senior management that a CSO is needed, you might want to take on the initial task of pointing out where you see security failures in your organization and areas which, although not failing, could stand to be improved upon. You can support many of these areas by bringing in a third party to provide an audit and/or pen-test. Presuming your initial report is objective, there will be parallels between your report and the auditor/pen-tester's. Once your senior management is convinced there are issues, only then can you start to justify the need for another "leader". I'd venture to say their concern might be "why bring in someone to lead when there is nothing for them to lead?". Now, there are a number of highly competent CSOs in the industry, but not all of them are going to have hands-on experience with all the areas that comprise the security realm: firewall configurations, OS configurations, process management, software development, physical security, code auditing, etc. So if you are thinking that bringing in a CSO will instantly get things "fixed", I'd say you are fooling yourself, as well as your organization's team management.

Remember, security is not an end result, it is a process, and the CSO is the individual that is going to lead the process. If they provide hands-on corrections to some of the problems, then you have someone that leads by example, which is always a plus.

Bill Martin
infosecadmin () comcast net

Mneimneh wrote:
Hi List,

I am trying to convince my management of the importance of having a
security officer in the enterprise. I have googled the topic, but not
much was found. I would really benefit from your suggestions on how to
approach the management.

-Mohamad.