Skip to content ↓ | Skip to navigation ↓

In January’s entry Dealing With Unrealistic Security Expectations from the Executive Office, I outlined six steps to  better alignment with senior management, along with a plan to execute. Time to dive into the details, starting with the first and second steps in that plan by understanding where you are today and what is important.

As a project management professional, I am fond of metrics, baselines, and anything that can tell me where I am today,  so I can trumpet the teams success when tomorrow comes.

After all, the main reason projects are approved is to improve business outcomes, and security projects are just that. And proving your success goes a long way to establishing credibility, both yours and the security programs.

Having said that, building interpersonal relationships is just as important as metrics and baselines. Successful interpersonal relationships establish a base for future projects and initiatives, and build ally’s across the organization. We will accomplish both with the approach below. On to the plan.

Step 1:  Perform an Internal Audit

Our goal here is to objectively identify the policies and activities you have today, and start the identification of the gaps you want to address tomorrow. This isn’t a blame game, in fact often times the worse off you are the better, as there is more opportunity for improvement!

It’s important to do this first with your security or IT department, before reaching out to the broader organization in Step 2, so that you have a base level of credibility when you start your interviews.

The Sans org has an audit template that is an excellent place to start:

Step 2:  Perform an external audit / penetration test

Next up is perform and external audit and penetration test.  This is fairly straightforward, and can be done at multiple levels.  I’d suggest the following approach:

First, signup for one of the automated vulnerability scanning solutions. Tripwire (yes I’m plugging this) happens to have a state of the art one that I am personally familiar with (I’m the SaaS Ops manager):

Also available is the newly released Tripwire SecureScan™, a free, cloud-based vulnerability management service  for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management – a widely recognized security best practice among large corporations – easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology.

To sign up for Tripwire SecureScan, please visit:

Next, engage a professional IT security company to attempt to compromise your system, both technically and socially. This is a more thorough, and of course more expensive, operation, but well worth it.

These companies not only perform the standard hacker tests, they also “social hack”, attempting to solicit sensitive information from your employees. Note that you may want to inform key executives / personnel before engaging this step, though keep to the bare minimum.

Results of these efforts ALWAYS engage the executives, especially when you find that some of your employees share their passwords, help strangers with network access, etc…  Anecdotal evidence is key here.

Step 3:  Reach out to your stakeholders to understand priorities and mandates

Many articles will suggest performing an automated or web survey to get initial feedback on what’s important. I’m not a huge fan of this for a number of reasons, one of which is that it is too impersonal for such a challenging effort as corporate security.

You won’t get the level of engagement you need, and building allies / relationships through a survey is impossible. So reach out!  Schedule one on ones, or small group sessions of two or three stakeholders at the most. Start with managers first, then executives.  Even if you only get 30 minutes, it’s an excellent start.

The IT Governance Institute has a great presentation that can give you a good starting point for the conversation:

Step 4:  Consolidate findings and start planning your Governance Team

Finally, consolidate results and do a first pass at prioritization. I would recommend forced rank ordering the items so that not everything is a priority 1 (which would just result in paralysis).

From there, the next step is to start shaping a Core Team and Governance Team. I will get to that in the next blog post.

Final Thoughts

All of the above efforts should only take four or five weeks at the most. Don’t try and gold plate this, the important point is to get a solid baseline, not be perfect, and KEEP MOVING FORWARD. Perfect is the enemy of the good enough here.


Related Articles:



picThe Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].


picDefinitive Guide to Attack Surface Analytics

Also: Pre-register today for a complimentary hardcopy or e-copy of the forthcoming Definitive Guide™ to Attack Surface Analytics. You will also gain access to exclusive, unpublished content as it becomes available.


Title image courtesy of ShutterStock