Decision to move into Enterprise Security Governance?

Hey Guys,

There is an position that will be opening up over the next couple of weeks under the Information Security department particularly under "Network Security Governance". From what I've gathered from the discussion I had with the hiring manager, this is what understood as:

- Reviewing and managing whats in the Firewall Request Queue - BAU and Project requests (e.g. teams requesting to have X communication flows opened for their project or troubleshooting an issue ad hoc)

- Being tagged to projects that require a Network Security Governance resource to ensure that what their proposing for their project aligns with the Company's policy and risk tolerance form a network perspective; this can be short term or long term of a project

- Providing feedback to how to implement mitigating or compensating controls against the identified risk in the audit finding / vulnerability assessment on network i

- It's less of a technical role vs a business role but will still need a good grasp of the technology that you're dealing with i.e. NSX micro-segmentation

Have any of you folks been in this similar role (Enterprise Security Governance) and what did you think about it?

Context: I've been in my role for about a year and have my management's backing to head into Cybersecurity/Information Security department but just want to make sure that I'm making an informed decision (whether to jump now or to wait a little for when a more technical role pops up). Obviously there would be a varietal factors involved i.e. whether I would still like to trek down the technical path vs management or veer towards the business side of Information Security. But in all, I think I would like to deal with more of the technical vs the management side because I'm still early in my career. Thanks!

Cheers,
DZA_

Find more posts tagged with

Comments

jcundiff

A GRC role is where I started in InfoSec about 9 years ago, moved on to start up our Threat Intelligence team. GRC is is a big, big subsection of IS. Our role was much broader initially and included PCI/FFIEC/other compliance, external audit support, bc/dr, risk management and more. If your longterm goal is to sit in the big chair (CISO) someday, my old CSO says that more CISOs come out of the GRC side of the house than IR and others (makes sense because you have to learn to speak a lot more business than IR needs to) Worst case, you find out its not your cup of tea and you go back into a more technical role in 18 months or so.

From a career standpoint, its a solid move, even if you do go back into a more technical role, interfacing with the biz side of the house will give you experience you wouldnt get in the trenches

DZA_

@jcundiff - Thanks for the info! I was giving it a bit more thought and I think it's a pretty good opportunity because I can see all the projects that go into the Enterprise and to some extent to see those traffic flows play a part in the organization. Definitely I see the benefits on being exposed to the business.

Even if it's not technical to the degree that I want it to be, I can always supplement it with personal learning with a home lab or subscribe to CBT as I have done previously. Thanks !

jcundiff

kind of surprised @paul78 hasn't chimed in here as well.

@DZA_ glad to be able to help out

Azt7

I'm evaluating a somewhat similar position. Looks very interesting in terms of it merging business, GRC and technical knowledge.

There is a considerable demand to fill GRC postions in Canada and it's hard to find mid-level qualified employees.

DZA_

jcundiff said:

kind of surprised @paul78 hasn't chimed in here as well.

@DZA_ glad to be able to help out

I was looking for some of Paul's wisdom.

paul78

DZA_ said:

jcundiff said:

kind of surprised @paul78 hasn't chimed in here as well.

@DZA_ glad to be able to help out

I was looking for some of Paul's wisdom.

Dang - am I that predictable? Thanks for the kind words. I actually had some weird dejavu that I had commented on your question already. I think that the wacky Cloudflare errors that I'm seeing with TE is throwing me off.

So... a couple of thoughts and questions to thing about...

Depending on the company, this can be a really tough job. And to do it well, you really need to really understand the business drivers and what the risk tolerance would be.
One of the more rewarding things about this type of role is that you have to find compromises all the time and figure out how to propose and do things that would not add too much friction to the business. It really requires a bit of creativity sometimes.
Are you going to be on the business side or enterprise side of the company? I.e. who would you be reporting to or is there some sort of dotted-line structure. That can be a neat can of worms. But in some places - it can work very well because it really aligns a business unit with the rest of the corporate risk structure.
Is the company pretty big with multiple lines-of-business? And are you supporting one or more businesses? As you may recall, my background is primarily in financial services. I had a similar role but I always had worked on the business side. So if your company is structured the same way and you are on the enterprise side, you may have to deal with whoever heads information security at the business. In financial services, that role on the business side is sometimes called a DISO (Divisional ISO) or BISO (Business ISO). And there is usually equivalent CIO and CTO that reports into the line of business. If your company places the risk acceptance and security accountability on the business side, your role could be kinda boring if you are on the enterprise side. Primarily because your role could be one like an account manager of a security service provider to the business.

Either way - I do think that this sounds like an interesting role and could be a good way to get into risk/security management. It's probably a lot less technical and hands-on. But it can be a great stepping stone. I think too often people with solely technical security backgrounds forget that the business needs to be able to operate and be agile to be competitive and successful. And getting that type of experience can be invaluable regardless of where you want to take your career in the future.

DZA_

@Azt7 - I hope we're not applying for the same position.

Glad to know that the market is opened up for those types of roles.

Thanks for the reply Paul!

To drive a thoughtful conversation, my organization is also in the financial sector. It'll be quite the challenge based on the historical conversations I have with the current team, understanding the business outcome (from a business perspective) and come to a common ground for both technical and business requirements. My view of the current team is aligned under the technical division of the Enterprise rather than the business. There is a dedicated team for Business Technology Risk Management team as we like to call it here that interfaces with the lines of businesses directly, this is purely a business role with very little technical background.

For example of the Network GRC Role: A line of business is implementing a new project and that project gets worked with the architecture and design team to come up with a solution. Once the implementation phase starts to roll in, that's where the Network GRC team would step in to review the firewall rules. Based on the Org's security policies, we would assess whether the rule would be implemented or not. If it isn't there would need to be a validation of why it wouldn't be implemented and would undergo a Risk Assessment by the Business Technology Risk Management group. Based on that feedback, we would take their feedback under consideration for a reassessment. A second scenario would be placing on a project to provide consultation and advisement on how the project should be rolled out from a network compliance perspective as well.

The Lines of Businesses that I would be supporting would be across the Enterprise and not a selected group. The layout of the reporting structure would roughly be the following:

GRC Position >> Senior Manager >> Associate Vice President >> Vice President >> CISO >> CIO >> GROUP HEAD >> CEO

"If your company places the risk acceptance and security accountability on the business side, your role could be kinda boring if you are on the enterprise side. Primarily because your role could be one like an account manager of a security service provider to the business." I sincerely hope not, haha. Your last piece of comment reinforces all the material that I've been reading on security management and becoming a CISO.

Cheers,

DZA_

UnixGuy

After spending so long in the technical world, I second Jcundiff and Paul. It's not everyone's cup of tea, but I found it has better prospects....Good luck!

jcundiff

DZA_ said:

The layout of the reporting structure would roughly be the following:

GRC Position >> Senior Manager >> Associate Vice President >> Vice President >> CISO >> CIO >> GROUP HEAD >> CEO

Cheers,
DZA_

Can definitely see BANK here with that org structure, or a financial services company that was spun out of one :O Only place I have ever seen the AVP title

CISO reporting to CIO is never a good thing though

We were like that when I initially joined our CSO's (has infosec and physec ownership) org) We lost a great CSO because the CIO tied his hands and wouldn't let him do what needed to be done. We all smiled when the new CSO came into the company as a peer to the CIO, not a direct report. The new CSO then proceeded to do about 95% of what the ousted one told the CIO he needed to do

DZA_

I think the whole AVP (associate vice president) is common against the Canadian financial sector which is mainly a title game to be completely honest. People need their egos fed. The typical reporting structure that the CSO/CISO reports into the CIO is inefficient in so many ways.

paul78

Having a CSO/CISO reporting to a CIO isn't necessarily bad if the CSO/CISO has some level of autonomy or authority. If the CSO/CISO cannot influence the business or lacks authority, it doesn't really matter who that individual reports to.

In a previous role where I reported to the CIO as the individual accountable for infosec, I had a high degree of autonomy and authority. I owned my own budget and I set my own goals. The reality is that for anyone that has a security or risk leadership role, being able to set agenda and influence that agenda in the context of the business is extremely critical. Soft-skills really do matter. Ultimately, a lot of it depends on the business's willingness to absorb risks and it's the person in a GRC or security leadership role that needs to be able to make that judgement call on whether to do some activity or not. And if the business is willing to accept that risk, the person in that seat needs to figure out some creative way to reduce or compensate for that risk.