Your first day of work for a new employer or in a new position can be exciting, terrifying, and more than a little overwhelming. In Information Technology, there are few things that amplify the feeling of being overwhelmed as much as inheriting an IT infrastructure and recognizing major gaps in security. If these are the problems you can see, what lies under the surface? What do you triage? What do you roadmap? How do you explain the situation to a superior without laying blame at the feet of your predecessor or new coworkers? What if lax security is just the modus operandi of your new employer? What have you gotten yourself into?!
If you’ve ever been in this situation and managed to survive: congratulations. If you’re in this situation right now or see it in your future, I’m here to help. I have worked with many people with this very problem, and after a small amount of coaching, they are out of deep water and breathing without the aid of a paper bag. That’s not to say that all the concerns can be easily resolved, but there will be a plan.
Although I’m personally a huge fan of the scorched earth approach, it has been brought to my attention that no one outside of the I.T. Department is ever going to support your initiatives if you try to undo decades of culture on your first day.
Where, then, do you start with the daunting task of securing an insecure environment? My advice:
- Make a list. If it is a security risk, real (like local admin privileges) or imaginary (camera taking pictures of displays through the skylight), put it on your list (which by now is probably a spreadsheet).
- Assign a pitchfork number. Assign 1-5 values to the variables on your list, such as risk, cost in dollars, cost in time, technical difficulty, and effect on culture. (I call this the pitchfork number.) Is this scientific? Of course not, but it’s a good start toward quantifying the decisions you are making, and you will be asked to quantify those decisions, especially as the cost in dollars and the cost in time increase.
- Build a roadmap. Using the same list, you can build a roadmap. Use realistic timeframes, even one or two years out, but make sure to include everything on the list in your roadmap. The roadmap will be one of your best tools for discussing cyber-security initiatives with executives and preparing them for any security related costs.
If your experience mirrors mine, you will find the C-suite to be strong advocates for improvement when they see you are working from a risk-reduction-to-cost model.
Contributed by Josh Gembala, Enhanced Security Services Manager of ASK.
View the on-demand webinar “20 Cyber Security Practices for Your Workplace” with Josh.