Excerpt: What Should Your Security Strategies Be?

Identifying business needs, documenting policies and driving change - former IBM security director Timothy Giles says these are keys to success for security leadership. From his new book, How to Develop and Implement a Security Master Plan.

By Timothy Giles

February 06, 2009, CSO

Before you begin the process of defining or redefining the security organization's strategies, you must first gain an understanding of the strategies of the business it serves. You do this by interviewing the appropriate executives of the company: the CFO, COO, and so on. You need to know, for the next five years:

- What growth do they anticipate?
- Do they expect any product or service changes?
- Is the expansion or reduction limited to the existing facilities, or will new ones be added?
- Do they expect any overseas expansions or mergers?
- Are there any major layoffs or outsourcing activities planned?

Some of this information will be considered highly confidential, especially any merger or layoff activity, but you need to understand these directional moves if you are to plan how the security organization will deal with them. It is not necessary for you to know all of the details; for example, you do not need to know whom they plan to merge with or to whom they plan to outsource work. You will, however, need to know which countries are involved if your client will have any stake or ownership in the relationship. If the person performing this master plan activity is an outside consultant, the executives may prefer to share this information only with the in-house director of security or chief security officer. If there is no in-house staff, the consultant will need to discover as much of this information as possible and may need to sign a confidential disclosure agreement (CDA). (I believe a CDA should always be part of the contract with the consultant.)

The security organization's strategies deal with all aspects of the program, from policies and procedures to technology and staffing. The strategies should be documented so that they reflect where the organization is now and where it is going. You have probably heard this before, but I believe strongly in the saying, "If you don't know where you are going, you won't like where you are when you arrive!" In order to implement new security strategies, CSOs or directors of security should first address the process of change. Most people would prefer that everything just stay as it is. So the question CSOs should be asking of themselves is this: "Is change a friend or foe?" The answer to this question is really quite simple: "It's up to them!" Change is a topic that is discussed continuously in the business world. But, as the adage says, "Talk is cheap!"
