Building the Program

So what do you do if your company doesn't have a mature security posture? Find a new job? Ok so that link was an extreme example, but it's a question that I have asked myself frequently over the past several years. I'm lucky from the point that most of the day-to-day operational security stuff is already handled by the helpdesk staff and operations and seemed like a no brainer to the network team when I started running a "security team."

Ideally the IT director, Vice President of IT, or some other title equivalent will back you up and get buy-in from the rest of the executive committee. Then it would be up to you Dear Security Professional, to execute the proper strategic security initiatives. However if this doesn't happen you've got more opportunities than you'd probably like to have.

A few years ago when I was in this similar position, I started by focusing on the education of my fellow IT staff, and by formalizing the IT processes and procedures that dealt with security. Virus containment and virus cleanup were two easy processes. It was an easy jump off point because I wasn't trying to force anyone to do something differently and I could avoid talking to executives for a couple of years. There's probably a thousand different ways to start a program, but this one has worked out for me and my company so far.