Page 24 - CISSO_Prep_ Guide
and investigations going on in Security. The security manager
must be able to find liaisons within the departments of the
organization that can promote and report on security issues within
the user community and senior management. Outside experts will
often be needed to provide specialized skills - forensics,
interviewing, penetration testing, and audit. The security manager
is often faced with low budgets, lack of support, and unrealistic
expectations, but that is the challenge that makes a true leader
excel. A security manager develops the staff required, does not
rely on technical solutions to compensate for lack of procedures,
and ensures that the security department develops an attitude of
communication and accountability.
The security function is most often seen as a cost to the business,
and the perception by most managers is that it hinders the
operations of the company more than it helps. Additionally,
security is a cost imposed on the business that provides little
benefit. The security manager must demonstrate the value of IT
protection and be able to justify the security budget. This is done
through proper business case development and the use of project
planning standards to outline the security objectives. The security
manager must demonstrate how the purposes of security are
aligned with business strategy, objectives, and goals, and how
investment in safety will provide measurable results. The security
manager should seek the approval of senior management of the
security strategy. This is obtained through the communication of
security requirements, legal requirements, best practices, gap
analysis, and outlining a clear roadmap. The roadmap will
provide milestones and deliverables that will track and report on
the progress and status of the security program.
The security strategy must not be based on past events or a
perception that future requirements will be an extension of the