As vice president of technology and process at Arizona Tile, Shelly Barnes does not have a CSO to rely on. Barnes has to make the most of the SMB's resources to handle security.
How do you align your IT team with security? We structure it based on different areas of focus. We have nine areas that consist of the typical security layers: personnel layer, the physical portion, the network layer, storage, storage devices, platform, applications, file and data and then an overall umbrella of governance. There is someone who leads each team.
What does your network team cover in terms of security? One example: They are involved in physical security of the data center. We have security cameras at different facilities, and the data that passes through them is on the network. They are owners of the network layer from firewalls to DMZ, various devices and routers, encryption, the proxy servers, authentication.
Do you have an example of a recent security project that you rolled out and how the teams were involved? We're currently revamping our proxy server--going from Microsoft ISA 2004 to another vendor. We're making the move because Microsoft wasn't robust enough for our needs. Before we go live with the new proxy server, we're going to demo it in a test environment for a week to make sure we have the performance and throughput we need and that we're not throwing any unknowns to it. Then we'll work with our vendor to make sure it can co-exist with our firewall and other devices.
Why did you decide to break up your IT team this way instead of assigning one person to security? We're a small group. When I started, we had three people and a handful of outside contractors. We've grown the company and our IT staff--it makes sense from a cost standpoint. We can break up the responsibilities and manage it more effectively this way.
How have you proven that this structure saves money? I don't have one person dedicated to just security. We all have a role to play in it. I really feel it's difficult for any one person to maintain a very deep, strong level of the intricacies and complexities of the different security layers. It's just too much for one person.
As the company grows, do you think you'll find a need for a CSO? I think we are handling this effectively at this point. I don't see the need in this organization.
Read the full interview with Shelly Barnes at searchsecurity.com/ismag.