Moving into the InfoSec role

pts.
Tags:
Access control
Application security
backdoors
Biometrics
Browsers
Compliance
configuration
CRM
Current threats
Database
Digital certificates
Disaster Recovery
Encryption
filtering
Firewalls
Forensics
Hacking
human factors
Identity & Access Management
Incident response
Instant Messaging
Intrusion management
Microsoft Exchange
Network security
patching
PEN testing
Platform Security
Policies
provisioning
Risk management
Secure Coding
Security
Security Program Management
Security tokens
Servers
Single sign-on
Spyware
SSL/TLS
Trojans
Viruses
VPN
vulnerability management
Web security
Wireless
worms
I work at a company that currently does not have a position dedicated to information security. I come from a background in networking with a good portion of my focus on firewalls and other security related technologies. I am interested in positioning myself into the role of InfoSec Admin at my compnay and was hoping that i could get some advice on how to sell the position to a reluctant management team. I know where most of our security issues currently are, but I need a more general description of the role and its value in order to justify dedicating a good percentage of my time to it. Any advice and help would be appreciated.

Answer Wiki

Thanks. We'll let you know when a new response is added.

You can take a look at the gov’t model which has become widely accepted in many industries.
It is based on FISMA, a public statute which governs all federal IT operations.
NIST is responsible for publishing the policies and guidlines: http://csrc.nist.gov/sec-cert/

The umbrella for all IT security operations is Information Risk Managment.

After that, find examples from trade magazines and other info sites regarding industries like yours who have created IT security positions like CISO, ISO, ISSO, etc. . .
Good luck! tg

Discuss This Question: 5  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Sonyfreek
    Also consider that you might be required to comply with federal regulations such as Gramm-Leach-Bliley, HIPAA, and/or SOX. If you're a publicly traded company, you must be compliant with SOX for your accounting records. GLB applies to financial corporations and HIPAA applies to Healthcare organizations. Below are some useful links for these regulations: http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act (Public company accounting) http://en.wikipedia.org/wiki/Gramm-Leach-Bliley_Act (Financial organizations) http://en.wikipedia.org/wiki/HIPAA (Healthcare organizations) They are not a silver bullet, as most of them have a lot of gray areas, but it might be just what you need to get started. SF
    0 pointsBadges:
    report
  • Solutions1
    One approach is don't sell a "position," instead sell a project that in turn may institutionalize into a position. For example, if there are various sorts of security work to be done (and there always is) repackage that work as a coherent set of activities. Look for commonalities and synergies across differing needs, especially commonalities of methodology and expertise.
    0 pointsBadges:
    report
  • InfoSafety
    First of all, consider what's in it for your management. What are the consequences to your management and/or organization of security breaches? Are there criminal or civil liability consequences? Costly down time? Also, be aware that, in addition to guarding against outsiders getting in, you need to be prepared to prevent inappropriate insider use of confidential and/or proprietary information. Statistically, more damage is done by untrained, malicious, and greedy insiders than is done by outsiders. Dealing with all of these issues requires both technical and policy expertise. It's ok if you just have the technical expertise, as long as you realize that you will need to work with policy people to cover the waterfront. Hopefully, armed with this knowledge, you will be able to make a good business case for an information security position. Good luck. Craig Herberg Info-Safety, LLC http://info-safety.com
    75 pointsBadges:
    report
  • Magner
    I agree with the comments on regulatory requirements such as GLB or SOx. Also management makes decisions based on profit and impact to bottom line. You may be effective at bringing the need for a security position home if you can present an analysis which address potential $$ value risk and cost to the organization if the network or systems are down for an extended period of time. You have the advantage of being on the inside already, talk to the accounting team, get some real estimates of impact and then determine if management would rather incur the loss than invest in having the right proactive measures in place. Good luck and believe in the cause, eventually they should take notice.
    0 pointsBadges:
    report
  • Ssarnath3
    You have some great postings above, two key things is mentioned by some above is that ONE - you need to sell the project, in other words the value needs to be seen and that can be shown with clear problem statements, etc. TWO - Certifications are key to success. Somethings I have noticed with this role is that, this is a very interesting role and that this role will eventually mould three roles into one - Audit, Infosec and Change Management (though this is part of the two, it will find its own significance). Ofcourse you can separate it but I see the value in putting this together. This is very interesting and challenging position as it brings value to the organization but has to force the change into some reluctant groups. Also do remember that if you were managing a group of people directly this role need not necessarily have the same, i.e. zero direct reports, this change is difficult for some but not impossible. THis role could become demanding and lacking recognition at times, however the value is always seen with the final execution. This role is not about having control but effecting change through influencing people. All said, this role is a great role from both organization and personal development perspective sense. Wish you luck. Sri
    0 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following