You got that promotion. You are now in charge.
And now you are finally getting around to thinking about it.
Yup, now that you are in charge, you are starting to wonder: just how secure are we?
Where do I start?
Well, let’s start with the fundamentals.
When the situation calls for a back-to-basics approach, a good place to start is with a framework, such as the SANS/CIS 20 Critical Security Controls, NIST/FISMA, etc. A framework gives you a structure and a plan, and one that has already been thoroughly vetted and validated by a team of security researchers. It will also help you break down your security goals into achievable parts.
Once that is done, prioritize. Determine the importance of each piece of that framework and how it lives (or worse, doesn’t exist) within your organization. Do an honest analysis to find out what you don’t know, and determine where you need to make changes and improvements.
Now the fun will really start, or as I like to say, here’s where all the experts emerge. You will be pulled in a thousand directions – people will fight you on prioritization of solving your gap issues, and you will need to defend your position against their questions. Have a conversation with your executives early on, in a way they can understand, stressing that you’re focusing on first things first – in other words, what protects the business most.
How mature is your environment?
Make an honest assessment of your current situation, as you would against the CIS/SANS 20 CSC (which is prescriptive and in prioritized order), and determine which items you can realistically take on. This can greatly increase your chances of achieving the results you set out to achieve.
Evaluating your team’s skills, bandwidth and capabilities now could save you a lot of headache down the road. Master what you can handle now before you move to the next level. The technology you take on may be sound, but failure may be on the people and process part of your security equation, which isn’t good for anyone. In other words, don’t take on more than you can handle.
Still not sure what to do or where to start? It’s time to get educated, and don’t feel like you’re alone. Consider leveraging trusted advisors and/or trusted resources. Explain what you’re trying to solve. It’s good to find those who challenge your thinking, or wisdom, and who help you solve problems in ways you may not have thought of before.
Once you get a detailed closer look at what you’re trying to build, it may not seem as daunting. Look at it as a process that can be broken down into achievable, fundamental parts.
Build one floor at a time, beginning with a solid foundation.