First of all, congratulations on becoming a security manager! Well done! It can be a terrific, challenging job, though sometimes filled with frustration and moments when you wonder if you can ever be successful. However, I do compliment you for at least being aware of the culture you are working in; hopefully, it is an exaggeration and not the truth.
So, your challenge is not only to do your job as the security manager, but also to commence information security program development and foster a culture of security. Here are some thoughts on how you might want to proceed:
- Meet with the CIO, internal audit manager, CFO and even the CEO to better understand their concerns and interests in the area of compliance and audits. Try to ascertain if they are truly only focused on passing during the audit or if there are other barriers or reasons behind this perception. Perhaps they may see the compliance work as being too expensive. Therefore, you may be able to make a case for being continuously compliant to keep costs level and perhaps even lower, especially if fines are involved.
- Establish a schedule of internal audits. Work with the internal audit department and select particular areas of compliance on which to perform monthly reviews. For example, if the company must be compliant with the Payment Card Industry Data Security Standard (PCI DSS), then you can take one area a month (i.e., one month for each of the twelve sections of PCI DSS) and perform a spot check or informal audit. Then, with the findings determined, work with the responsible department to help them make calm, focused corrections to their program and processes that have long-term impact rather than being a "pre-audit spike."
- Pay attention to your competition and other organizations in your industry. Observe the compliance problems they have and use what they've learned to help your company be prepared and compliant. Also, be sure to pass along the lessons you learn from these other companies to your executive management, so they can begin to better appreciate a security philosophy that can keep your company from becoming an object lesson.
Again, my congrats to you on this new opportunity, and remember to focus on your main job, which is protecting the data, and then on doing your best to keep compliance at the forefront.