Security pro versus organization

It's refreshing to me that more and more organizations are starting to realize the value of having a CISO that is experienced and accountable for information security. Organizations make a significant investment in information technology that enables them to meet customer demands and business needs. More and more laws, rules and regulations are tightening to the point that no organization is safe when it comes to information security and controls/reporting. So why not seek to be compliant and have a good security program that can stand up to any regulation and help you be secure before you are forced to do so?

As a security pro, you are not very popular because the perception is that you are going to tell staff how they did their jobs wrong, even though you know and your manager knows that this is not the case.

You are instructed by senior management to provide an assessment of the current situation and provide priority and direction to an organization whose train is quickly moving down the tracks on a set path. It's either jump on and try to share a seat with someone or let the train go by. I say, don't be afraid to jump on that train. You have been doing security for a long time and you know the right way and the wrong way to do things.

To begin with, it's imperative to gain public support from the CIO, CEO or your C-level sponsor. The employees, partners and entire organization need to understand that security is important to senior management, or it will never be important to anyone below the C-level, and your program will never achieve optimum success.

Next, align your assessment and approach to an industry standard as this gives a security pro something to measure against. As of Oct. 1, there is even ISO guidance for health care organizations.

It also makes sense to leverage as much as possible what has already been done in the organization. Find your supporters and champions and praise and include them.

As well, stick to the facts and do not personalize gaps. Remember, we can't fix everything, so pick the most important things that must be done. Base this on risk to the organization and regulations that govern your business. Set a clear direction of where the organization needs to align with regulations and standards you choose. Outline what steps it will take to “move the dial,” and work with management. Together you can prioritize the work.

It takes time for those in an IT security role to be trusted, and you must demonstrate you are a team member with the same goal as your peers in management to improve business securely.
Shannon Culp

I have over 30 (1994) years of Business Continuity and Information Security and Risk Management experience. I have been in an Information Security Officer (CISO) role for several large organizations. I have consulting experience and Management in a “Big 4” environment as well as large private industry management experience. I have designed general computer controls for SOX and defined a PCI program for a level 2 Merchant. I have performed computer forensics for many large and high profile cases. I have helped lead the development of E&Y’s Security Architecture Methodology. I have developed Governance Programs, Identity and Access Management Programs, Risk Management Programs and Vulnerability Management Programs.

I currently volunteer for the American Red Cross BEPA (Business Emergency Planning Association). I previously held the President/Chair Person Position for the Strategic Advisory Board for three years through the program inception. As of June 2006, I remain a board member. I participate in a CSO Roundtable in Cincinnati, and previously held Program Director position for ISSA. I am a member of ISSA, Homeland Security, CSI, Cincinnati Infragard and FBI Citizens Academy Alumni. I am also Vice President on the board for the FBI Citizens Academy Alumni Association of Cincinnati. I am Co-Director for GetWITit for Conference and Events. I am a member of the Site Based Decision Making Council at my child’s high school, an officer in the Band Boosters and assist in coaching Jr. High Volleyball.

Experience includes all aspects of Information Security. Successfully built an Information Security Program for TriHealth. Successfully led TriHealth Inc. PCI remediation and submitted a compliant SAQ (Self Assessment Questionnaire). Successfully led the TriHealth Security build for Epic. Successfully implemented a risk management and oversight program, including a Security Council consisting of senior leadership for TriHealth for security oversight. This has one of the best attendance and highest participation levels from senior leadership at TriHealth, Inc.

Specialties: Information Security, Risk Management, Governance and Compliance, Security Program and Strategy, Security Awareness, NIST, ISO 27001 and 27002 Controls, PCI, SOX, Incident Response and Computer Forensics programs.
