Poor management of IT Security Team and Program.

jonenojoneno Member Posts: 257 ■■■■□□□□□□
I recently got a job as a security analyst in the Payment Card Industry. I work in a team of four, the work environment is fast paced and somewhat stressful. After being here for a month I can definitely say the manager has no plan where he wants to see the department in the next 2 years or so. We are due for a PCI audit and I recently realized we don't have a security awareness program for corporate and field workers.

My question is: as a young security analyst I would love to change users mindset and knowledge concerning information security without stepping on toes. What security awareness program, CBT, or tools are out there for me to use?

Any information/suggestion is helpful.

Thanks
Neno

Comments

  • darkerosxxdarkerosxx Banned Posts: 1,343
    Edit: nm, you said a month

    How recently were you hired? My advice... Prove yourself and your skills before developing a campaign to alter any mindsets. Build the credibility you need to do so.
  • lsud00dlsud00d Member Posts: 1,571
    This seems like a top-down scenario for change...unfortunately more often than not this takes someone getting bit or trouble to brew before people wake up and put a plan to action.

    Hopefully in your case it doesn't involve an actual security breach but a poor audit scoring and/or fines would help bring the case to the forefront. I would brainstorm ideas that could help assuage issues that arise from both a high and low-level perspective. You'll be viewed as the 'idea guy!' which will make people seek your advice in the future.
  • tpatt100tpatt100 Member Posts: 2,991 ■■■■■■■■■□
    Focus on learning your job first, don't worry about making waves until you know the true nature of your work environment.
  • jonenojoneno Member Posts: 257 ■■■■□□□□□□
    darkerosxx,
    I started a month ago.
  • xnxxnx Do they matter? UKMember Posts: 464 ■■■□□□□□□□
    Haha, focus on getting some level of job security before trying to do other people's work for them.

    This isn't going to end well with the approach you want to take..
    Getting There ...

    Lab Equipment: Using Cisco CSRs and 4 Switches currently
  • jonenojoneno Member Posts: 257 ■■■■□□□□□□
    This is partially part of my job. I'm was thrown into the wild with little knowledge of the environment. It's not my first security position and I'm not worried about job security. I was simply looking for ideas about an online security awareness solution if one is available.

    Thanks for the concerns though.
  • bobloblawbobloblaw Member Posts: 228
    You can get security awareness training modules from plenty of 3rd party vendors, or make one yourself.

    Like lsud00d said, this a top down issue. You need management support before you move any further.
  • jonenojoneno Member Posts: 257 ■■■■□□□□□□
    Maybe I was bad communicating the issues we have. The Management buying in is obviously needed, that's why I'm researching solutions to fix the mess. If the management approval was not given I won't even bother with it. The VP of technology and my manager agreed we need one, there is money approved for it now. I was simply asking if you guys have any idea for me.

    Again, my job security is not in question here. You can always learn an environment and accomplish goals at the same time....trust me guys, the environment is a good place to work and learn new techs from a security standpoint. They just don't plan ahead for common stuff, we(the new employees) are simply trying to change attitudes.
  • bobloblawbobloblaw Member Posts: 228
    Gotcha. Find some vendors, get some demos, and request quotes for the ones you find sufficient.

    Also, you'd be amazed what regular email reminders can actually accomplish once a quarter. Writing a 2-3 page pdf with visuals in it with best practices discouraging piggy backing, locking your pc every time you leave your area, badge display, etc., go a long way.
Sign In or Register to comment.