Building a Security Org From Scratch

Coming in as the security guru in a company with no infosec program at all is an opportunity. Doing it twice is even better.

I have the rare good fortune of being in a position to help build an information security organization from scratch. I'm especially lucky because I've done it before.

At my previous job, I spent six years building an information security program where none had existed. How many of us get to do that?

It may sound daunting, but let me tell you, it was immensely rewarding. I was able to start with a clean slate, building a mature security environment without the distraction of dealing with any existing processes or infrastructure.

This time around, I have experience to lean on. For example, I learned in my old job that one of the biggest challenges to success is negativity, so I'm trying to head off resistance and negative attitudes while racking up some significant, visible wins early on. Security efforts can't bear fruit without the cooperation of a large number of people from organizations all across the enterprise, each of which has its own priorities far removed from what I want to accomplish.

Dealing with software vulnerabilities is my first big challenge in this company. Determining which systems need patching and then following up with the patches themselves isn't very difficult, of course. The challenge arises because I don't have the authority to command that this be done. Instead, I need to convince various departments' technical specialists and business owners how important it is to patch the systems they rely on, and make it clear why they should spend a significant amount of time and money to make this happen. I'm sure you've seen this before -- the security guru who is responsible for fixing a problem but lacks the authority to go out and patch.

So this week, I took the security show on the road. I've elected to put myself out in front of the people who need to support and fund this effort and help them understand what needs to be done and why.

Taking a top-down approach, I spent this week meeting with six senior managers of various business units. These are the people who should be demanding that their systems be patched regularly, so I'm raising their awareness of the need for vulnerability management, showing them reports on the security health of their systems and helping them understand the risks associated with unpatched systems.

Patch Catch-up

We have a lot of catching up to do because most of our critical systems (yes, even the Internet-facing ones) haven't been patched at all in years. So right now, although I'm focused on catching up, it's going to be just as important to implement a regular patching cycle so that we never fall behind again.

I've had great results so far with my education-and-advocacy tour. I'm trying to keep my message positive, stressing the benefits, improvements and returns to be gained with regular patching, while avoiding the use of FUD to scare people into submission. Even though I could tell them plenty of stories about how our systems are being constantly attacked, I've seen no need to take that route. In fact, people have been suggesting that we patch everything as soon as we can, applications included, but my focus right now is on patching the basic operating systems and not the applications that run on them.

I'm wary of turning up the throttle too quickly and biting off more than our company can chew right now. One battle at a time, please. I know from experience that we have a long road to travel, and I'm settling in for the long haul.

This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at

Join in. To join in the discussions about security, go to


Copyright © 2008 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon