What makes a good information security professional? I think it's starting at the bottom and working your way up, occupying various positions along the way and obtaining skills in every one of them. It's understanding the business and having the ability to influence others. It's having a breadth of knowledge in various business sectors.
At issue: Our manager has a new job, in which he will be heading up information security at a SaaS provider.
Action plan: Get up to speed quickly, and make connections with all the departments that can affect the company's security.
I've been thinking about all of this because I've taken a new position, leaving a company I worked at for more than five years. Did I hate my job? No. Did the company make me do risky things? Never. Did I hate my boss, or the people I worked with? Not at all. Was I kept from succeeding? No, in fact, there were no negatives driving me to leave.
Admittedly, my new job comes with a promotion and a pay raise, but that's not what clinched it for me. It was a chance for a new challenge, to work in a different technology sector and to build something -- all those things that go into making a good security pro.
I gave two weeks' notice and spent that time closing some open items, such as the Sarbanes-Oxley review and a firewall rule audit, and I created a transition plan. I think one thing a good security manager does is make sure that his successor steps into a mature environment, with a clear understanding of the burning issues. I created a spreadsheet listing significant areas of the company's security profile, prioritizing them, providing the names of the best contacts for each issue, and describing the details.
Today was my third day on the new job. My main goal in these first days is to map out the company's current security landscape. I'll then spend the next few weeks assessing it and prioritizing actions. Meanwhile, of course, there are all those things that anyone encounters in a new job: learning names and terminology, understanding a new business model and becoming familiar with the products and services that the company sells.
Upon arrival at my new company, I found that my predecessor had in turn left me with an eight-page transition plan. I've only gotten through two pages so far, but already I know that some burning issues will need to be addressed quickly. The first is hiring a security analyst to take charge of an event-monitoring project that is under way. If I don't do it before the end of the year, I'll lose the budget.
New Security Horizons
My new company has, over the past couple of years, moved from selling software that customers run on-premises to offering software as a service. It has also embraced cloud technologies to run the business. So I will be going well beyond my previous cloud experience, which consisted of assessing vendors, to help build the security of a company whose customers rely on it to keep data secure in the cloud.
To do this, I will need to work with the IT department in building a robust security program and ensuring that the security infrastructure is sound, that appropriate policies and processes are in place and that those policies are being followed. I will also connect with the company's marketing, sales and legal departments to help build marketing collateral and to offer my assistance whenever our customers have questions about the security of our infrastructure. Then I'll want to check in with product development to review the security of our product offerings.
I said I wanted a new challenge, and it looks like I have one. I look forward to sharing my new experiences with my readers.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
Join in the discussions about security! computerworld.com/blogs/security