Ask where somebody working in IT security at a small company got started, and there is a good chance it had nothing to do with IT security at all.
Given the management structure of the typical small organization, IT security is usually handed off to somebody who knows little about it: often a member of the IT group, or even an office administrator.
So, if you are new to the field, how do you measure success? What are you supposed to tell your manager to satisfy concerns that you are effectively doing your job?
What you want to be able to say is this: “We haven’t detected any website or network perimeter attacks recently, our machines are free of viruses and malware, our communications are secure, and our systems and data are available and operating securely.”
How do you maintain this state of IT security equilibrium? More than anything, it requires diligence and discipline:
- Don’t let good stuff out – Maintain and actively monitor external communications using Data Loss Prevention tools (e.g., firewalls, web proxies, email content filtering, encryption) to identify and prevent the external transmission of sensitive data.
- Protect against user issues – Maintain and actively monitor the deployed anti-virus solutions by making sure all systems are appropriately patched and running the latest virus engine and definitions, so that any viruses, malware, and potential ransomware are quickly identified and quarantined or cleaned.
- Protect the internal systems – Maintain, patch, and actively monitor the configurations of all systems, appliances, servers, desktops, laptops, and applications, so that any unauthorized changes can be quickly detected and addressed.
Once you’ve established the baseline and monitoring is in place, start testing/hacking/scanning the environment to see how well you are doing. For example, if you can hack yourself, your systems are not secure. If you can’t detect the hack in a timely manner, your monitoring is insufficient. Keep a careful record of security testing reports so you can keep track of progress and communicate how successful you are to management.
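The “establish a baseline, then detect unauthorized changes” idea from the list above, as an added example that is not part of the original article: a small Python tool that fingerprints configuration files, stores the baseline as JSON, and on later runs reports anything added, removed or modified (the file patterns and paths are assumptions for the demo).

```python
"""Configuration baseline and drift detection (added example, not the author's tooling).

Records a SHA-256 fingerprint for every configuration file under a directory,
stores it as JSON, and on later runs reports files that were added, removed or
modified since the baseline was taken. Patterns and paths are assumptions."""
import hashlib
import json
from pathlib import Path

CONFIG_PATTERNS = ("*.conf", "*.cfg", "*.ini")  # assumed set of config file globs


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest of a file's content."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(root: Path, patterns=CONFIG_PATTERNS) -> dict:
    """Map each matching file (path relative to root) to its fingerprint."""
    baseline = {}
    for pattern in patterns:
        for path in sorted(root.rglob(pattern)):
            if path.is_file():
                baseline[path.relative_to(root).as_posix()] = fingerprint(path.read_bytes())
    return baseline


def save_baseline(baseline: dict, store: Path) -> None:
    store.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(store: Path) -> dict:
    return json.loads(store.read_text())


def detect_drift(baseline: dict, current: dict) -> dict:
    """Compare two snapshots; lists are sorted so reports are stable over time."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


if __name__ == "__main__":
    import sys
    root, store = Path(sys.argv[1]), Path(sys.argv[2])  # e.g. /etc and baseline.json
    if store.exists():
        report = detect_drift(load_baseline(store), build_baseline(root))
        for kind, paths in report.items():
            for p in paths:
                print(f"{kind.upper():9} {p}")
        sys.exit(1 if any(report.values()) else 0)  # non-zero exit feeds an alert
    save_baseline(build_baseline(root), store)
    print(f"baseline of {len(load_baseline(store))} files written to {store}")
```

Run it once to record the baseline, then schedule it so a non-zero exit code raises a ticket; keep the baseline file somewhere an attacker who changes a config cannot also rewrite it.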
Just remember, a smart way of approaching IT security is to constantly be thinking about how the “bad guys” operate. Identify the weak spots they might be able to take advantage of, and then take corrective measures to protect against them. If you follow these steps, you will be able to effectively maintain an IT security equilibrium for your organization.
Based in the Philadelphia area, Jeff VanSickel is a seasoned Information Security Professional with over 20 years’ experience in the areas of Information Security, Information Technology, Audit Compliance, Risk and Project Management. As a Payment Card Industry (PCI) Qualified Security Assessor (QSA) and a certified CISSP and CISM, he is highly knowledgeable about US Federal and State Law (including SOX, HIPAA, GLBA and Breach Law), US Regulations, ISO-27001/2, NIST, and PCI-DSS.