An immature security program is an exciting challenge

After four years of building one company's security program, our manager feels the need to take on a new challenge.

I've embarked on a new adventure, in the form of a new job. Starting with this installment of my journal, I'll be telling you all about it.

I had good reasons to make a change, but it wasn't that I was dissatisfied with my previous job. After four years there, I had built a solid security program, established meaningful professional relationships and become familiar with the infrastructure, product, people, culture and overall company ecosystem. I had overcome some big challenges in the course of righting the company's security posture, but in the end, it was challenge that was lacking. I decided that I wanted to start over at a company that needed somebody to build a strong security program from the ground up.

It's always sad to leave a company where you've been happy, but I had the comfort of knowing that all I had done there would live on after my departure. Meanwhile, my new company seems ready to accept my advice and counsel in order to better protect itself from all the nasty stuff that could beset it. Let the adventure begin!

There are similarities between where my new company is right now with regards to security and where my old company was when I started there. But I don't expect this new job to be a repeat of the last four years. For one thing, I am starting with all the knowledge and experience that I gained over the past four years. In the course of that time, I have learned a lot about things like cloud computing, mobile devices, advanced malware, data handling and security awareness. And I expect to keep on learning, since new things that I can't even anticipate are sure to crop up.

Like the company I've just left, my new company has grown very rapidly. Wisely, its leadership has realized that it could be derailed by a compromise of the sort that has hit Target, Home Depot and UPS Store. They've also begun to focus on the need to be compliant with various regulations and wanted to find someone who could fully engage on issues of risk and compliance.

For now, this new company is too small to justify a true "chief" information security officer. In fact, I am the entire security operation. But for all intents and purposes, my role has the same scope, responsibilities and liabilities as a CISO's.

Getting started

In my first two or three weeks, I need to act like a sponge and soak up as much information as I can. So far, I've been reviewing company policies, codes of conduct, marketing materials and relevant procedures, such as data handling. I have found them all extremely immature from a security perspective. Next I looked over the results of recent compliance audits, security assessments and other third-party security testing of the company's products and infrastructure.

I also obtained a copy of the company's organization chart to identify the people I will want to partner with. Those people include the heads of sales, marketing, professional services, engineering, customer support, IT, education and training, finance and HR, but I'll also hold one-on-one introductory meetings with other people on those teams -- it's amazing what people will divulge in that sort of situation.

Of course, as a new employee, I've gotten a firsthand look at the new-hire onboarding process, and I've paid close attention to things like PC provisioning, initial password issuance, Wi-Fi access, mobile device support and physical security controls such as badges, cameras and guards. When I booted up my PC for the first time, I could see which antivirus tool was in use, whether I had local admin access, what policies were being enforced, what third-party tools were installed, how patches were being pushed and whether the company uses centralized management and encryption.

Opening my browser, I checked to see whether I could access risky websites, and I took a look at our internal sites to see if they contained sensitive data and whether proper permissions were configured.

Besides all that, I signed up for company-sponsored webinars so I could become familiar with the company's products and services. I've arranged to shadow our sales, customer support and professional services teams to see how they interact with customers. Eventually, I will become familiar enough with our products and services to let me make engineering recommendations that will enhance product security. For now, I'm in total observation mode, taking notes the entire time.

The goal of all this exploration, investigation, observation, interviewing and testing is to produce an initial assessment and lay out a three-year road map that prioritizes the most critical security issues. In addition to compliance risks, I'm going to initially focus on risks that align with the Kill Chain Analysis, which was developed by Lockheed Martin to help information security professionals proactively remediate and mitigate threats.

I've got a long road ahead of me, but building things is what I enjoy. I look forward to sharing the adventure with you, my readers.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at
