In Depth
How to Build a Security Management Team
How establishing a formal security management team can free you up to focus on strategy
By Anonymous
Meeting Regularly
Once the expectations are clear, the SET should meet regularly, based on the demands of the business. Our SET meets every month for two full business days. And, yes, once the SET begins to debate all the business at hand and also to review the implementation of past decisions, you will need to set aside an appropriate amount of time. Two days a month may sound like a lot, especially if your team is geographically dispersed, but the payoff is that the rest of the month, you can count on the members of the SET to take care of the day-to-day business.
As the leader, you must publish an agenda for each meeting. (I recommend that you not assign times for each agenda item, because this can stifle team input.) Topics for the agenda should reflect the input solicited from all members. This is important—and difficult, because it requires all members of the SET to put items on the agenda that they normally would have decided on their own or with their own team. In a way, members must make themselves vulnerable, because decisions that may affect only them or their own business area may be made contrary to their own perspective. But it goes to the core of the SET—that it is the one team that sets the direction for the security department and makes all the key decisions.
There are bound to be some bumps in the beginning. In our case, until we became comfortable with each other as a team, members sometimes would make decisions on key issues in between our monthly SET meetings. As the leader, I would have to hold them accountable for having bypassed or broken our team rules. This was no fun, but it reinforced the need for everyone to bring all issues in front of the SET.
In a sense, team members do sacrifice a degree of decision-making ability. The trade-off or incentive is their ability to participate in and influence the broader security business. Initially, the decision making around what is appropriate to bring before the SET is challenging, but as each team member engages the broader team on issues, it becomes apparent what does and does not apply. Team members will even tell other team members in our SET meetings, “Thanks for bringing that up, but you can make that decision and let us know the results.” At this point, it is all about trusting each other to bring things to the table for the greater good, sacrificing some of your personal power in your own particular area and participating more significantly on the department level.