Where Do I Start? Please Help me! This is where you can start!
1. Gap Audit
Do a gap audit internally, or pay an external firm to do one. This will show you where your security practice currently stands, where it can realistically get to, and where your company aspires to be.
2. Corporate Security Policy – IT Security Management Framework
This is a hefty document with a lot of legalese. It requires a tremendous amount of work, as it is the security bible that the executives have to sign off on, and it is the core from which you will build your security policies. It takes the most time, but it doesn’t have to be finished in order to secure your environment: you can kick off security projects before it is complete.
3. Five Year Roadmap
I created a five-year roadmap that showed our executive team how to get from security immaturity to security maturity. This roadmap was used to spin off projects that, when executed, helped increase the security posture of our organisation. A roadmap is useful for many reasons: 1) for execs, to show them where their money is going; 2) for ops/engineering/architecture, to show them where we’re going and that we’re not being reactive, i.e. there is a point to all this; 3) it is also useful for recruiting potential talent into the firm.
4. Cultural Change
Security requires behavioral change. One of the ways to effect behavioral change is to enforce key performance indicators. This isn’t always possible, though, and leveraging social skills to influence people is a must. Great leaders inspire people!
5. Technology Security Policy
So, now you’ve got your Corporate Security Policy. This probably doesn’t make a lot of sense to IT people. The job of the security person is to translate the Corporate Security Policy into an implementable Technology Security Policy.