Building a Secure Corporate Environment

Viable business units can make positive contributions to the business

This article is an excerpt from Larstan's The Black Book on Corporate Security. This new book is available in bookstores and the first chapter is available for free at Printed with permission from Larstan Publishing, Inc. All rights reserved. Copyright 2005.

Your company needs a secure data infrastructure, but how, exactly, do you set one up from scratch? Here, a former FBI agent who now serves as an information security officer reveals the best methods for creating a system that takes control of your information.

I'm a battle-hardened veteran of DMZ skirmishes. No, I'm not talking about the "demilitarized zone" imposed between North and South Korea following the Korean War in the early 1950s. Among information security officers such as myself, a DMZ is the euphemism for a computer host or small network inserted as a neutral buffer that separates a company's private network and the outside public network. It stops outside users from obtaining direct access to a server that contains company data. As you attempt to tailor a secure network to a company's overall business strategy, crucial and sometimes controversial issues such as DMZs emerge and they must be dealt with in a forthright manner. That's why building a secure corporate environment starts with communication.

Building a new information security team is no easy task and will be fraught with many obstacles. The building effort begins during the CISO's interview process, which will provide him or her with a window into senior management's philosophy on information security. The support they provide is essential to your success (see Figure 1).

The first order of business in building any new program is the discovery phase. The CISO must get out of his office and meet other business managers face to face. Reaching out and developing a personal relationship is vital to your success. Today, too many managers rely exclusively on conference calls and e-mail. The information security team should also educate key managers within the company as to how security can partner with them to help enable their business solutions. CISOs should continually demonstrate to the business that the information security team is an integral part of the business process.

For example: Business unit XYZ requests that a risk assessment be conducted for a new DMZ they want to build. This DMZ will be used for outsourcing services to their external customers. The initial security assessment reveals numerous high-risk exposures. The business unit becomes very defensive, insisting that the security team is creating obstacles that will prevent them from being successful and meeting their deadlines. At this point some important hand-holding is definitely required. This should include detailed discussions explaining what the security team is trying to accomplish and how it will eventually enable their business goals. It should be made clear that the DMZ is going to be certified for operation and the security team is going to help them overcome any imposed security requirements. Once they understand that the security team is a full partner in the solution, attitudes will quickly change and compromises will become realities. A success story in the making.

It is imperative for anyone creating a security program to understand the needs of their internal and external customers. The CISO must understand the background and history of the company as well as each viable business unit. What are the company's products and services? What are the business environments they compete in? Who are their competitors? What are the company's strategic plans? How can information security be a value added and a market differentiator?

CISOs must also understand that the information security team does not own the computer systems; it acts as an internal security consultant to the businesses, providing an important but supportive role. CISOs should also understand the industry their company is competing in as well as the company's proprietary products and processes. How does the company work with its customers and contractors in this industry? Many of your information systems may be dependent on these proprietary processes and on the level of protection they require. Understanding the critical assets of the company is another key goal and will drive the allocation of limited funding. Finally, you should identify industry peers whom you can call on to leverage their experience and ideas.

Insider Notes: It is imperative for anyone creating a security program to understand the needs of their internal and external customers. They must learn the background and history of the organization as well as each business unit.

Independent Assessment
A good way to obtain an independent view of your organization's information security posture is to conduct a full-scale security review (such as an ISO 17799 review) by a third-party security consultant as soon as possible. Also review prior assessments, internal IT audits, and SAS 70 reports for a comprehensive understanding of your company's IT security environment. By identifying the company's risk exposures and deficiencies, you can begin to develop your new information security "road map" for success.

Service Level Agreements
Another important step is to conduct a full-scale review of existing Service Level Agreements (SLA) and contracts for internal and external customers, as well as your security vendors. Ensure that they make good business sense and are in alignment with business strategies. Do your vendors provide a timely response? Are they giving your company the support it requires? Are your internal customers pleased with support from your antivirus team? When viruses impact the network, are they detected and cleaned within agreed SLA time lines?

Setting Expectations
Ensure that your organization issues a corporate-wide communication announcing the new CISO's arrival, your role, reporting structure, and support by senior management. This communication is vital to your future success.

You should also define the organizational structure for your department. This will include:

  • Develop your vision statement
  • Develop your mission statement
  • Develop your organizational chart
  • Develop functional work streams to meet your goals
  • Define expected roles, responsibilities and functions
  • Define information security processes

During the CISO's interview process he or she should have negotiated the reporting structure for this new and critical role. Current industry trends support the CISO reporting to the chief legal counsel, chief financial officer, and/or the chief auditor. This is an important step toward maintaining independence (eGovernance) from senior IT managers, who often have different project priorities and funding requirements.

Another area for discussion is whether physical security should report to the CISO. The decision to incorporate all security into one reporting line may be based simply on the company's culture. There are many pros and cons on this subject, and as such it should be discussed on its own.

In essence, these are the basic building blocks required to build an information security team. Remember that your organization exists to support the business and therefore your information security team should reflect all strategic and tactical goals of the business.

Building the Security Roadmap
Once you have compiled and digested all of this information, organizational planning can begin. Again it is imperative for this plan to be in sync with the long-term business strategy of the company as well as its short-term tactical needs. Use nimbus maps, or flow-charting, but somewhere you need to get it all on paper. You should also consider hiring a project manager to coordinate and plan these activities.

Develop a program that will allow your team to demonstrate immediate progress to senior management. This can be accomplished by developing a project plan that incorporates incremental steps to achieve your goals. Hit some home runs quickly. Your "road map" should also drive the information security budget plan, ensuring that all designated priorities are properly identified and funded.

Insider Notes: No other security program will hit a home run quicker than the Information Security Awareness program. By communicating with the global user community, this program will also help you brand your new organization.

Establish Achievable Goals
Remember that your security "road map" should never advance unrealistic goals and objectives. Do not promise something you cannot deliver in order to impress your new boss. Once you lose your credibility, it will be hard to recover. Credibility is central to your continued success, especially with senior management.

More Stories By Stephen Foster

Stephen W. Foster was Chief Information Security Officer at Avaya Inc. He joined Avaya after a distinguished 20-year career with the Federal Bureau of Investigation.
