You are now responsible for InfoSec — Where to start?
But first, some possible origin stories for you, which might influence your experience and where you should focus for personal development:
Former CISO in different company and/or industry
You know the ropes, but might have to get used to a different industry or company size. At the very least, there will likely be a different culture to your previous organisation and as we all know:
Former consultant from a more security management oriented background (e.g. Ex-Big4)
You spent the last years working on Information Security with Powerpoint and navigating a lot of Type-A personalities between your firm’s partners and clients who either don’t really know what they want/need or think they know exactly what they need but in the end is more an internal power play. You probably even have a technical background originally (such as computer science major) but the only code you have touched for years are complicated Excel VLOOKUPS (however, you are a little bit proud that your spreadsheets can crash an average laptop’s CPU). You have been trying to keep up on the technical InfoSec side by religiously reading Bruce Schneier, Brian Krebs, The Hacker News and Heisec (not to forget Taylor Swift) and feel like you could still totally get deep into all that stuff if you want to and you would spend the time. Queue the rude awakening of realising that you don’t really know all that much about how to actually run an InfoSec program on the real “battlefield” and that the mode of working is very different to what you’re used to (millions of things constantly raining down on you — maybe the clients didn’t lie after all, when they said that they have no time at all to answer your questions right in this instant).
Former technical InfoSec consultant, PenTester, SecOps member, incident responder, forensics specialist
You were the elite in what you did and especially in running offensive security operations, monitoring servers, controlling the bytes running through the network. After all, this is all you need to know to totally secure something — Security is a tech problem and has to be solved with tech, right? Who needs all that management crap? Well, welcome to the world of budgets and politics and the realities of divergent priorities and conflicting goals in complex organisations. How you structure and communicate highly complex technical and risk issues in a way that business departments and board members actually understand what you are talking about, does in fact matter in this world. Balancing all these different strings is inherently a people matter and really more an art than a science. You might even come to realise that security, more than most other IT-focused disciplines, is fundamentally a human problem and tech is only there to support it.
Former member of the organisation’s IT department in other role
Well, you know the company, the important players (of course all the business people are clueless about tech and only you know better) and you even already took care of security, when you where the Active Directory or network administrator. What can go wrong? Well, first try to accept as fast as possible that you are no longer a part of IT (even if you might formally still belong to that department). You now have to play a different role and parts of your objectives are diametrically opposed to IT’s. Also, be prepared to learn that what you thought about security is at best outdated (network firewalls and AV anyone?) and at worst completely wrong.
So, what should you do?
Stay tuned for part 2 of this article series, where I will give you some battle-tested tips structured around different time frames (e.g. what questions to ask before accepting that new gig, how to prepare before starting your new role, how to survive your first week/month/100 days/year, and how to build a strategic 3 year plan).