Many of the IT managers that I interact with talk about the "expensive security consultant" (true, expert security consultants don't come cheap) whom they hired for their security initiative, and how they ended up with nothing more than a stack of recommendations.

Here are my tips for IT CIOs, VPs, Directors and Managers for increasing the effectiveness of their security initiative. I am assuming a mid-to-large sized business that is embarking on a brand new security initiative.

Phase 1 - Set Up Fertile Ground

0. Understand the ground reality - Where is your company today in terms of its security posture?

1. Identify your security end goal - What is it that you are working toward? For example,

a. Legal compliance.

b. Making infrastructure secure from breaches.

c. Passing a security audit (ISO 27001) and more...

2. Understand the budget requirements. Make sure that the budget makes sense for your business.

3. Formulate the return on your security investment. What do you get out of this investment? Try to quantify it in terms of both tangibles and intangibles. For example,

a. $250,000 saved by preventing a single information breach.

b. By conforming to security best practices, more customers will want to do business with you, i.e. an enhanced revenue outlook.

c. Enhanced brand equity due to compliance and more...

4. Make sure that you have a sponsor at the executive level within the company. Executive buy-in is the key to the success of your security initiative; without it, the security consultant will end up spending valuable time lobbying for an executive sponsor instead of doing security work.

5. Align your security initiative with your business. In short, the security initiative should not be a source of friction for your business but a lubricant that enhances business growth.

6. Identify (or recruit) an internal security person to work with the security consultant. This person should preferably be senior, but need not be an expert, because you already have a consultant who is the security expert.

More to come in Part 2.