Undercover
The CSO's First Security Assessment
The first security assessment at my new employer wasn't supposed to be personal. It just ended up that way.
By Anonymous
August 01, 2006 — CSO
When I signed on with the company where I am CSO, I promised that I would provide an initial 100-day plan. Within a week, I did just that. A key item was to deliver an assessment of the overall security posture, something never done before at this firm. The plan was welcomed with open arms by the executive to whom I report, and by his boss, the CIO. From what I knew about the three previous security officers—the last of whom, I had been told, was fired for incompetence—none of them were up to the task, and I felt confident that I was the man for the job. Fresh off a rebuilding and turnaround effort at a much larger and seemingly more bureaucratic organization, I was ready to attack this task with the tenacity of a Zulu tribesman at Rorke's Drift.
Basing my approach on some industry standards—ISO 17799, a NIST standard and Carnegie Mellon's Capability Maturity Model—I put together an integrated risk assessment process. Then I set out on my quest to gather any and all information related to the company's organizational and strategic risk. My goal was to get as much information as possible without disturbing the operational environment. The final product would be a complete report of the company's physical and information security posture, along with a prioritized road map of remediation strategies.
Unfortunately, I was in for a lot of surprises—not only about a number of serious risks and vulnerabilities at my new employer, but also about the hazards of delivering bad news at a "no bad news" type of organization that would rather fix blame than fix problems.
Turning Over Stones
The first order of business was filling out questionnaires about the security environment, doing vulnerability scans on the operating systems, and conducting physical walk-throughs of the facilities. The results were not encouraging. There was no formal approach to patch management, which meant the operating systems had many critical vulnerabilities. In addition, the physical environment was so poorly protected that I was able to enter the building after hours, without an ID card or keys, and get physical access to sensitive computer devices in rooms that had been left unlocked. I immediately put together a status update that included digital pictures of my unauthorized nighttime adventure.
My manager was fine with the results, but he offered some good suggestions about the best way to present the information to the CIO. He wanted me to hone the information and more explicitly state the threat of having a given vulnerability. I revised the preliminary report, removing technical jargon and relating the threats and vulnerabilities to specific business impacts and regulatory concerns. I shrank the report to only a couple of pages. My manager seemed giddy with excitement about the new report. He said that it was great stuff—that I was finding out what the company's problems were, something they hadn't known before. He gave me permission to deliver an executive summary to the CIO in person.