Poor management of IT Security Team and Program.

joneno

I recently got a job as a security analyst in the Payment Card Industry. I work in a team of four, the work environment is fast paced and somewhat stressful. After being here for a month I can definitely say the manager has no plan where he wants to see the department in the next 2 years or so. We are due for a PCI audit and I recently realized we don't have a security awareness program for corporate and field workers.

My question is: as a young security analyst I would love to change users mindset and knowledge concerning information security without stepping on toes. What security awareness program, CBT, or tools are out there for me to use?

Any information/suggestion is helpful.

Thanks
Neno

darkerosxx

Edit: nm, you said a month

How recently were you hired? My advice... Prove yourself and your skills before developing a campaign to alter any mindsets. Build the credibility you need to do so.

lsud00d

This seems like a top-down scenario for change...unfortunately more often than not this takes someone getting bit or trouble to brew before people wake up and put a plan to action.

Hopefully in your case it doesn't involve an actual security breach but a poor audit scoring and/or fines would help bring the case to the forefront. I would brainstorm ideas that could help assuage issues that arise from both a high and low-level perspective. You'll be viewed as the 'idea guy!' which will make people seek your advice in the future.

tpatt100

Focus on learning your job first, don't worry about making waves until you know the true nature of your work environment.

joneno

darkerosxx,
I started a month ago.

xnx

Haha, focus on getting some level of job security before trying to do other people's work for them.

This isn't going to end well with the approach you want to take..

joneno

This is partially part of my job. I'm was thrown into the wild with little knowledge of the environment. It's not my first security position and I'm not worried about job security. I was simply looking for ideas about an online security awareness solution if one is available.

Thanks for the concerns though.

bobloblaw

You can get security awareness training modules from plenty of 3rd party vendors, or make one yourself.

Like lsud00d said, this a top down issue. You need management support before you move any further.

joneno

Maybe I was bad communicating the issues we have. The Management buying in is obviously needed, that's why I'm researching solutions to fix the mess. If the management approval was not given I won't even bother with it. The VP of technology and my manager agreed we need one, there is money approved for it now. I was simply asking if you guys have any idea for me.

Again, my job security is not in question here. You can always learn an environment and accomplish goals at the same time....trust me guys, the environment is a good place to work and learn new techs from a security standpoint. They just don't plan ahead for common stuff, we(the new employees) are simply trying to change attitudes.

bobloblaw

Gotcha. Find some vendors, get some demos, and request quotes for the ones you find sufficient.

Also, you'd be amazed what regular email reminders can actually accomplish once a quarter. Writing a 2-3 page pdf with visuals in it with best practices discouraging piggy backing, locking your pc every time you leave your area, badge display, etc., go a long way.