Building an InfoSec Organisation - Week 1 to 6
by Greg van der Gaast
Since starting at the University of Salford, I've been posting weekly updates on how I've been going about building the Information Security organisation (programme, framework, staffing, etc.).
Every week I get messaged by people asking me where they can find the other weeks' posts so I thought I would consolidate them and expand them over time (No 1300 character limit!) in this "article".
I may break them into separate articles (maybe a few weeks each?) if one gets too lengthy.
For now, here are weeks 1 through 6. Enjoy!
Setting up an InfoSec organisation - Week 1
Meeting and greeting everyone, in a positive and helpful way whenever possible. Listening to them, learning about the business, its ways, and its limitations... and thinking.
Letting it sink in, and working out how to help various departments make the things they care about fit together, so I can see and protect them as a cohesive whole. What are their pain points? How can I assist?
If you help the business be seamless, your security can be too. If the business or its ops are broken, so will be your security.
There's no point in getting caught up in the risk management rat race; fix the fundamentals that security needs as a foundation, otherwise you'll never be able to build working security.
Setting up an InfoSec organisation - Week 2
Continuing to develop relationships and gain complementary and contrasting perspectives alike. Working out the objective truth, the issues, and the avenues to address them. Identified potential security champions in nearly all areas.
Most of the subtle organisational and cultural issues that will hamper security efforts have been found, and I'm starting to devise general mandate phrasing that will grant the authority to address them*. This is to be presented through an executive charter, which will formally establish the security organisation and the forthcoming framework next week.
*Success will still be determined by how little this authority needs to be leveraged.
Positive influence > force.
Future team structure and desired skills *and personalities* defined. A handful of candidates being looked at.
The budget is for 1 senior resource; I'm using it to hire 3 junior resources instead, with 25% of the budget left over. I will train and mentor them myself and have them doing senior work within a month.
3-6-24 month priorities around security and compliance identified and budgeted. Workstreams to be defined by next week.
Onwards and upwards.
Setting up an InfoSec organisation - Week 3
This week was slow on progress primarily because of an audit, diverting time and effort from building something more proactive. Hopefully by the time we're done here audits will be limited to pointing the auditor to our documentation stack and sending them on their merry way, smiling.
Job roles for the initial team have been defined and I've found my star candidates for each. HR has been great, trying to take some of the bureaucracy out of the process, and I'm hoping to have them working within a few weeks.
Investing in relationships in the early days is already reaping dividends with people stopping by my desk daily to mention things, giving me extra eyes and ears, and in some cases hands as well.
Getting involved in some of the tickets has also led to discovering additional areas that'll need work.
Next week we close off this audit and formally submit the Executive Charter and make progress on the framework overview doc.
One lesson learned this past week is that while there is management support for security, there is a lack of understanding as to the sheer complexity and required involvement of doing so proactively. I will start drip feeding awareness around this.
See you next week!
Setting up an InfoSec Organisation - Week 4
4 weeks already?!
First audit closed off. Already some benefits to the framework approach: although it's months from being finished, the fact that I organise everything in a self-contained framework, and that it features document numbering, distribution, and review processes, unexpectedly ticked off some audit deficiencies.
Executive Charter completed and to be presented for first management review by Friday. I'm also looking to complete a draft of the full framework overview document (about 15 pages) to help management get a more detailed understanding of the approach and the work that will be involved.
Creating workstreams around budgeting and implementation schedules for tooling (business explanations and justifications).
Developing a great relationship with the Information Governance team.
Hoping HR wraps up its role assessment processes soon so we can formally move on to hiring and ramp up business process discovery/mapping.
A million small things. Keep smiling, keep interacting, ask why things couldn't be done, ask how we can help.
Building an InfoSec Organisation - Week 5
This week I’ve been working on reframing senior management perceptions.
How many times have we heard security professionals complain about the lack of senior management support, getting frustrated, and eventually burning out because they are constantly fighting against the tide, exhausted, and getting nowhere?
These people have correctly identified the problem yet spent hundreds or thousands of hours fighting rather than spending a few days addressing it.
I have an Executive Charter to empower me to do what I need, but executives don’t have a solid grasp of what’s involved, the sheer breadth and scale of a programme, how many relationships and interaction points there are, how far into detail we must go, and just how many little issues we worry about.
To counteract this, I spent much of the week creating a Strategy Statement broadly detailing the hows and whys of how we will approach InfoSec, but filled with hints as to the breadth and depth of the work, to reframe it in their minds and boost their understanding and appreciation of it.
A carefully crafted one-page document that should save hundreds of hours of frustration.
Time well spent because, in the immortal words of Danny Glover, “I’m too old for this sh...”
Setting up an InfoSec Organisation - Week 6
Don't know where this one went, but some milestones:
- Programme Executive Charter, Strategy Statement, and Framework overview presented to CIO.
- Agreement to present and get sign-off from the board/council in the next month.
- Recurring weekly InfoSec meeting with CIO set up.
- Plan to "bring home" ad hoc systems historically set up by various schools and place them under formal IT management.
- Deployment of MFA, enhanced monitoring, and removable media/DLP controls to a significant part of the staff estate (solutions we already had as part of our 365 licensing).
- Framework development proceeding.
- Alleged progress from HR on approving 1st hire.
Next week we start Risk Management in earnest.
More to come, thanks for following and I hope it's useful!
About the Author
Greg van der Gaast – Head of Information Security, University of Salford. Greg has over two decades of technical and management experience in Information Security, starting as one of the most notorious hackers of the late 1990s. A frequent speaker about bringing visibility, care, and accountability to the Information Security profession, he is an expert in building efficient InfoSec organisations and programmes by enabling leadership, addressing root causes, and harnessing human potential. He is currently the Head of Information Security at the University of Salford, where he will also be lecturing on practical Information Security management in the coming year. He also has his own consultancy, CMCG, to help others deliver effective and accountable information assurance.
This article was originally published at: https://www.linkedin.com/pulse/building-infosec-organisation-week-1-5-greg/