Best Practices Are Good For Your Company and For Your Job!
Friday, August 1st, 2008

Bill Brenner from CSO Magazine recently wrote the following:
“In the wake of a data breach, the company’s top brass may go looking for someone to blame. If you are the security chief, chances are it’s going to be you.
It doesn’t matter that you warned executives repeatedly that certain technological or cultural flaws were putting the company at risk, or that you had to maintain security with a shoestring budget and little or no staff. Chances are you’ll take the fall whether you deserve it or not, says George Moraetes, a Chicago-based security contractor and executive board advisor for security event management firm IdentityLogix.
He has watched as some of his CSO acquaintances were blamed for a security failure or dismissed for trying to blow the whistle over the company’s security holes.
“One friend of mine, the CISO of a credit bureau, blew the whistle on a security auditor who wasn’t following best practices and was making reporting discrepancies,” says Moraetes, an independent consultant. “The auditor was a friend of the top brass, and the CISO was let go. I know of three others in Georgia who were fired or demoted for similar reasons.””
The moral of the story…If you’re in charge of security at your company, whether you have 5 employees or 5000, you should have a documented best practices policy and procedures manual that is audited for compliance. Your job is at risk, as the precedent has already been established.
Best practices are free. You just need to follow them. What are they? Well, a good place to start is the SANS Institute, www.sans.org. This group puts out quality material, much of it available to the general public, including starter guides for organizations that are just beginning to adopt best practices.
Also, the NIST manual from our July 23 posting is another useful reference, and it includes measurement metrics.
You can also use security consultants with CISSP or GIAC certifications to help establish and audit them.