Network Security Security-Basics
Re: Starting a New Security Department/Division

Subject: Re: Starting a New Security Department/Division
Date: 27 Jul 2007 20:18:52 -0000
Warning: likely not much substance to my post, but I wanted to say that you 
likely will get two veins of responses, paralleling your description of 
operations vs higher-level. 

I would prefer security to report to IT. Honestly, the future is in baking 
security into IT projects from the start, so that is where it should be. If you 
report to the CFO, you'll eventually turn into an audit/risk department and 
likely lose the operational piece. You'll likely also be seen as the enemy by 
IT, if you're under the CFO. (My guess only, not based on experience.)

For staffing, you need three layers, ideally. A strong operational team with 
high skill in various technical areas; your grunts. You need a layer of 
analysts, and then your top level leaders who can play the politick game at the 
top levels of management. I pick these because each section has skills and 
needs that the other section members likely do not have. Also, never skimp on 
continued training and employee happiness. You want to build their skills and 
not have them bolt once they learn more.

The department should look into business continuity and disaster recovery, data 
protection (which means knowing the data and the company structure to assign 
access), and assessing risk on systems and vulnerabilities... yada yada.

I'm an operations guy, so my viewpoint is largely on that level, where you 
can't fluff over tasks like log monitoring, traffic monitoring, access control 
assessments, vulnerability scanning and verifications, firewall/IDS log 
monitoring, and change management. These are often overlooked and very weak. 
Monitor more than you need, because you can always ignore it, but can never 
recreate it if you missed it.

Want a book? I enjoyed Andrew Jaquith's Security Metrics book. It applies to 
all three levels I describe above, but most centrally on that analyst level.


<- snip ->

I have been tasked with a very unique opportunity. I have been
selected to be part of a 2 person team to rebuild the Enterprise
Security Division for a fairly large organization. I want to take
this task as far as I can, and I am going to use all of the resources
available to me to make this new division the best it can be.

My feeling toward the division is that it should be more of an
oversight group not operational in nature. The team would provide the
check and balance within the IT department and the organization.
More detailed functions might include Internal Vulnerability
Auditing/scanning, Policy review, Firewall and IDS/IPS review, just to
touch on a few.

The organization currently has a Security team in place but it was
created for show and tell purposes. There is new management in place
and they want to see that change. The Junkyard dog is getting his
teeth.

Here is where you, the list members, come in. I would like to hear
how you might build your "dream" Security department. What functions
the department would carry out, who it would report to within the
organization, staffing needs, etc.
