How to convince employer to let you take over a security role which doesn't exist?

Nyblizzard Member Posts: 332
Lets say you work in a small IT department with a mostly cloud and virtualization infrastructure (Azure, XenApp/XenDesktop), where there is no one who primarily handles security related work. Everyone does a little of everything (Help Desk/Desktop/Server/Exchange/AD/Firewalls etc), with no one who is constantly monitoring security "things" (packets, logs, policies etc). With Azure and XenApp/XenDesktop, the servers and laptops are all virtualized, with security largely handled by the providers (Microsoft and Citrix).

In this scenario, what kind of security related "things" can one do, on their own, to convince an employer to let you take over security for a company? AD audits? Monthly reports on event logs? Write up Security Policies from scratch? Pick up Pentesting and try to hack your own stuff?

Comments

  • yoba222 Member Posts: 1,237
    You could try spreading FUD, but it probably won't work. The more likely way the role will open up is when they get hacked hard: a successful ransomware infection that spreads on the internal network, or a successful phishing campaign because there's no two-factor and finance routing info got accessed/changed. Sorry if I sound pessimistic. In my experience, companies reluctant to take security seriously won't ever do so until they get bit.
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
  • DZA_ Member Posts: 467
    Can I suggest that you ask your manager if they have any pain points on security, e.g. too many endpoint agents on the local desktop/mobile device that they are looking to streamline, or a security process they want to improve. I find that asking a manager about their pain points in security, or asking to improve a security process, generally works out. If there are small security related tasks that you can try to take ownership of, that is one step in the right direction. Job shadowing on all the combined security related tasks, or asking your manager if you can kick off your own small security project, would demonstrate interest to your manager as well.
  • NetworkNewb Member Posts: 3,298
    You'll need to find a list of security tasks the business considers a "need". Find issues that are potential big things that could go wrong, tell what would need to be done, and let them know that is something you can do. The problem is most companies don't consider security a "need" until after something goes wrong.

    In your examples... When you do an AD audit, do you find a lot of potential issues? Or can you find and show vulnerabilities through your pentesting? Are the logs showing a bunch of errors that haven't been looked at or fixed in a while? These are things they would need to see before they even think about creating a role, imo. Gotta show value.
  • yourtechcareer Member Posts: 9
    I did this at my current employer about 5 years ago. I work at a small/mid-sized MSP and noticed a gap in our company structure. I asked our CEO if he would pay for an Information and Security Risk Management certification, which was a 3-quarter series at the local University. He was game, and since I had a bunch of certs under my belt, he knew I'd finish the program. It was a good investment for him because I've grown into the lead for the security and cybersecurity needs of our 200 clients.
    I’d recommend going to local cybersecurity meetings with the Cloud Security Alliance (CSA) and your local ISSA chapter. These meetings will help you build the network you need as a cybersecurity professional and generate ideas you can bring back to your team.
    Express interest to your management about the role of a cybersecurity lead and come to the table with projects you could start rolling out now, like a cybersecurity awareness training program, a formalized cybersecurity policy, or helping to achieve the company's compliance needs.
  • Nyblizzard Member Posts: 332
    Awesome advice guys!
  • UnixGuy Mod Posts: 4,570
    Set up a SIEM, aggregate your logs, create security alerts, analyse packet captures, champion vulnerability assessments and patching, set up Nessus and automate vulnerability scans, look into physical security, fine-tune the firewalls, create SOEs, do User Access Revalidation, ... study for security certifications on your own, get the challenging ones like OSCP, eCPPT, CISSP, ... go to a SANS event, register for Work-study in SANS.

    Share security news with your team
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery: https://grcmastery.com

  • LordQarlyn Member Posts: 693
    The best way, that is, the method most likely to convince your bosses, is to make a business case for information security. Explain to them, in a presentation if you must, why implementing industry standard security practices, along with having a dedicated security professional, is good for the company's bottom line. Don't use FUD, as others pointed out, but emphasize legal and regulatory compliance as part of your business case. Crunch numbers when you can.