The New Information Security Manager First 30 Days
The InfoSec Consulting Series #2
By Jay Pope
Congratulations, you are the new Information Security Manager. Now it’s time to get on with the job in hand. As with any new role there will be a lot of work to do. So where should you focus in your first 30 days to ensure you set yourself up for success?
As an Information Security Manager, you oversee the protection of your organisation's information assets: their confidentiality, integrity and availability. From establishing controls to maintaining them, the Information Security Manager is expected to uncover risks to the information and IT systems the organisation holds. You lead the team in identifying those risks, and work with them to create, implement and maintain the controls needed to manage them. The Information Security Manager also advises on the standards required of information security systems, and works to ensure compliance with them throughout the organisation.
Settling into the Role as a New Information Security Manager
There are many different routes to becoming an Information Security Manager, or an Information Security Leader: the majority will have worked their way up through the broad range of information security disciplines, many have an engineering and network security background, but others enter the profession via an alternative route, such as audit, legal, or recommendation from corporate colleagues. Wherever you come from, it’s rare to reach the role of Information Security Manager without some preconceptions built up during your career.
People are most comfortable with what they know, but a more helpful approach can be to focus primarily on those areas with which you are least familiar. A good starting point is to drill down into your own weakest areas and seek to make the necessary improvements, before applying the same process to the staff in your department. Brushing up on your management skills is another important aspect in ensuring that you can fulfil the role to the very best of your ability.
As you find your feet, take time to assess the strategies and systems currently in place for information security in your organisation. It is hard to overestimate the importance of working through every aspect of the company's information security policy. You will need a deep understanding of the systems in place if you are to discuss them confidently with members of your team, and with senior business stakeholders across the organisation.
Assessing Management & Stakeholders
Take time to get to know everyone in the Organisation, as it’s only by getting to grips with their personalities, concerns, pain points, and their goals that you will come to understand the way in which they work. Such knowledge is an important factor in ensuring that you communicate with them to best effect, which is important if you are going to achieve the success that you hope for in the position. But it’s not just the people in your department with whom you will be interacting. You will need to make sure that you constantly foster good relationships with everyone with whom you come into contact, from managers to stakeholders and members of the public too.
Effectiveness starts with being able to assess the ways in which people contribute to the organisation's business. It is essential that you assess the organisation's commitment to information security straight away. One indicator, which is also a question worth asking at interview stage, is what your scope of influence will be, and how you will be expected to execute your role. This varies with the type of organisation, but how you execute, and how effective you can be, will depend on your level of empowerment and on who you report to. Assessing your other stakeholders allows you to plan more effectively, encouraging people to act in the way that best suits their approach to the project under discussion.
Priorities for Your First 30 Days
During your first 30 days, make sure you validate your assessment of the commitment and style of your own management. Are managers prepared to invest in technology, and are they willing to hold people accountable for the work that they do? Your answers to these questions should steer you in dealing with the overall management style of the organisation.
If you find yourself in a delivery-focused, high-technical-debt environment, where the pressure to ship increases the risk that systems of internal control fail, you are in one of the most difficult situations. You can choose to voice your concerns, or you can take steps to bring uninterested parties round to accepting the need for better control of information security issues. This is not an easy process, and you may well find that you must spend time educating and encouraging colleagues to come around to your point of view on the importance of your role, so it will probably matter who you report to.
Keep in mind that most managers have little experience of how information security systems work, or of the benefit to the company of developing and maintaining systems that preserve data integrity throughout the organisation. Indeed, many wrongly blame security for technical debt. You must therefore help them improve their understanding by communicating your concerns in a way that aligns with theirs, which is why it is important to assess their pain points and goals and present your ideas as a means of achieving those goals. This takes excellent communication skills, but more than that, you will need to understand everyone's personality and goals, which involves time, care, and some diplomacy on your part.
If management commitment is strong, with security embedded as a golden thread throughout the organisation, then you are in an enviable position, because you can simply execute your plans. If there is a lack of commitment, this will lengthen your timelines, and you may need to exert closer influence at the tactical level and work upwards, whilst simultaneously working to educate colleagues.
Get to know your areas of responsibility in enough detail to allow you to communicate effectively and knowledgeably with members of your team. This will also give you the opportunity to assess their behavioural styles, as well as determining whether the systems and personnel are appropriate for the company’s needs. Remember that your role is to coach and empower your team members.
Most importantly, schedule meetings as quickly as possible with your key business stakeholders, your auditors, the account managers for your testing services, and your certification bodies. Be prepared for any that may hold a sceptical view of the organisation, and be ready to strike the right balance in your attitude from the outset. Identifying challenges at an early stage allows you to plan appropriately. Remember that you need to create a positive first impression, so set out your stall as soon as you can, maintaining a firm but fair outlook for the best results.
Does Your Organisation Need Top Cyber Security Consultants?
We are a team of experts with extensive knowledge and experience of helping organisations improve business performance. Our highly qualified consultancy team can deliver cyber security capability at all levels of your organisation, and are on hand to help ensure your projects deliver solutions that are appropriately aligned to your cyber security risk position and meet technical, business and ethics due diligence requirements.