So you’re in charge of cyber security
I do a fair bit of training, and often I find people have come along on an intro to cyber security course because they have suddenly found themselves responsible for security in their organisation. So regardless of whether you are new to security, or an experienced security person now in charge of security for a whole organisation, below are the things I’d do in the first few weeks in the job.
Know the business
What I really mean here is understand how the business operates, and not that you should go do market research into widget production. Knowing how people work – how they use the company data, who they share it with, and what their perspective is on the way the business operates in terms of security (is it onerous? have they never heard of it?) is key to protecting business data and systems. If I were feeling pompous I’d call this ‘understanding the operating environment’, but I’m not so I won’t. Just get to know who does what and how they do it.
Talk to the help desk
Or whoever is responsible for dealing with end users’ problems. They will know where the bodies are buried (hopefully not literally). Knowing what kinds of things get reported to help desks will tell you more about your operating environment (see above), give you an insight into the behaviours of people at the company (remember they might not tell you how they really do things – but the help desk will know), and let you start to get an idea of where your security problems might lie.
Talk to the system and network administrators
In a small company that might be the same as the people responsible for dealing with users, but in medium-sized companies and up probably not. So talk to the sys admins. Do they seem on top of things? Can they tell you what they have installed where? Do they understand their network? If you ask about firewall rules, or patch levels, or a particular vulnerability, can they answer quickly and authoritatively?
Talk to the security team
If there is one. If not then you can skip this step. And ok yes it sounds obvious, but I have seen it not done. I know when you’re new in a job you want to meet expectations and start to get things done, so there is temptation to get on and start implementing Security Measure X, and buying Expensive Tool Y. But hold off. Talk to the people who have been doing the job and see where they think the weaknesses are. Do they need better monitoring? Training? Do they think the business is laissez-faire about a particular risk, or that the IT team don’t take their concerns seriously?
Doing the above steps should tell you enough about your operating environment (sorry) to make some sensible decisions about the risks to your organisation, and to decide what your priorities should be.
Some other points I’d note:
- Money is not everything. I’ve seen lots and lots of money thrown at security with little to show for it. Firstly, remember if you’re in charge of security for an organisation this means you need to care about everything, and not just the things that are in your budget. IT admin won’t come out of the security budget, but if they are understaffed, or otherwise lack investment, it is not good for security. Secondly, good people can do a lot with surprisingly little budget. Having to make do can make people think creatively, get more out of the tools they already have, and make good use of open source products.
- Seriously, don’t forget the help desk, and your sys admins. As I said above they know the network and can be a great security resource. Also if you are building a new security team don’t forget to look internally.
- Finally it’s not all your problem. Effective cyber security involves everyone in the company, so make sure you get your fellow managers, and seniors, on board to do their bit.
As well as all that you can of course come to us for some training, or any other support and help you might need.
As always thanks for reading. Please do get in touch if you have questions. Use the contact form, or find us on Twitter.