Monday, February 19, 2007

Building the Program

So what do you do if your company doesn't have a mature security posture? Find a new job? Ok, so that link was an extreme example, but it's a question that I have asked myself frequently over the past several years. I'm lucky in that most of the day-to-day operational security stuff is already handled by the helpdesk staff and operations, and it seemed like a no-brainer to the network team when I started running a "security team."

Ideally the IT director, Vice President of IT, or some other equivalent title will back you up and get buy-in from the rest of the executive committee. Then it would be up to you, Dear Security Professional, to execute the proper strategic security initiatives. However, if this doesn't happen, you've got more opportunities than you'd probably like to have.

A few years ago, when I was in this similar position, I started by focusing on the education of my fellow IT staff, and by formalizing the IT processes and procedures that dealt with security. Virus containment and virus cleanup were two easy processes. It was an easy jumping-off point because I wasn't trying to force anyone to do something differently, and I could avoid talking to executives for a couple of years. There are probably a thousand different ways to start a program, but this one has worked out for me and my company so far.


Saturday, February 10, 2007

The premise

I've recently returned from the RSA 2007 conference. It was my first time at this particular conference, and I came away impressed by nearly everything: the speakers, attendees, Moscone Center, downtown San Francisco (or whatever part you'd say the Westin and Moscone Center are in), the weather, and even the vendors.

In particular, I was at a peer-to-peer session titled "More than Just a Job: Building a rewarding and successful career in Security"; this topic was led by Mike Murray. One of the things that was discussed is personal branding: the idea of setting yourself apart from others through the medium of blogging (among other things, I suspect). But that got me thinking about my own situation.

I've been in IT since roughly 1995 when I discovered that it was more fun to understand how my computer worked instead of using Excel to build commissions reports at my temp job. I've taken the slow and winding road from temp help desk flunky to net admin in a small law firm then stepping back from that into help desk flunky, then senior help desk flunky, sidestepping into web server admin with a bit of developing and now full-time into security (which I've been doing for about 50% of the time for the past 3 years).

I've always been a jack of all trades master of none. I'm convinced that security is the most interesting aspect of working with Technology, but there are so many disciplines within security that it's hard to focus. It's always a struggle to determine if what I'm working on is really worth it for my company.

So I've decided to start this blog, which will attempt to follow my transition from IT net admin into Security Analyst or Information Security Manager or whatever my new title is selected to be, even though it's not yet 100% certain that I will get to transition full time to security. Comments on the particular title would be of great help.

As of now I don't have approval from my company to do this, but I plan on seeking approval very soon. Regardless, I'll be keeping a certain amount of anonymity throughout. And I plan on following the tenets put forth here.
