Richard,

What are you comfortable with?  Security management is a very broad field.  It encompasses security architecture, policy development, design, assessment, selection, administrative controls, technical controls, physical controls, application controls, disaster recovery, business continuity planning, security awareness programs, cost benefit analysis, auditing, risk assessment, etc.  Then you can add on the technical knowledge required to plan, implement, maintain and assess the controls you have implemented at the operating system, router, firewall, application, desktop, etc.  It adds up to a pretty significant set of knowledge that is required to maintain a secure environment for your organization.  It's obvious that you have developed some expertise in some of these areas.  Being realistic, which areas do you need help with?  These are good candidates for outside consultants.

I'm not sure that there is any one consensus on what works best.  I know organizations that do everything in house, others that farm everything out and others that farm portions out.  With the current shortage of IT professionals, in-house is getting much harder to maintain.  I'd suggest two things:

1. Determine what you believe should be your company's strategy based on your knowledge of the business and management structure.
2. Know your audience and do the best job you can at selling your program.

Responsibility for security always rests with the management of an organization but few senior managers understand the role of information security in the organization.  It's your job to help them understand.  (Welcome to the PR role of security management.)  

To management, security is a cost center; you need to be able to demonstrate that security saves money.  For example, how much would it have cost your company if you'd been hit by the "I LOVE YOU" worm, and how your excellent e-mail security design prevented that.  Present your ideas and conclusions in dollars and cents.

To management, security is a worry.  Their concerns are based on what they read or hear in the news; emphasize your accomplishments and goals and relate them to the latest exploits and attacks.  Be realistic, find a good balance between what you can do and what consultants can help you with and present that plan to them.

Good luck!

Bill Stackpole, CISSP


"Richard Ginski" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]

05/24/00 07:40 AM

To: <[EMAIL PROTECTED]>
cc:
Subject: Security Professionals: Inside the Org? Outside the Org? Or Both?


I apologize for discussing this topic on this list. I felt that this is the most appropriate list to discuss this subject:

I have been "un-officially" the security professional for our organization for a few years now. I have begun to implement a security infrastructure for our organization. I soon expect to be officially assigned the title. I will be making a presentation to our Data Processing board in the next month regarding security in our organization and plan on addressing the following issue in my presentation:

I am aware that they want to hire outside consultants to perform the security tasks in our organization. Due to the size of our organization, the Data Processing board is not aware of what has already been implemented regarding security in our organization. I don't intend this to be a flame-war; however, I am seeking input as to what other organizations are doing regarding security professionals hired inside the organization versus hiring outside consultants to perform these tasks. I feel there should be some combination (balance) of inside security professionals developing and maintaining a security infrastructure and outside consultants doing periodic security audits. I am seeking input from my peers on the list as to how they feel about inside security professionals versus outside security professionals or some combination thereof. I am trying to gain a consensus on this subject. Your input and justification is greatly appreciated.
