Starting an Information Security Lead role

arthedain_brandywine (Member, Posts: 8)
edited January 2021 in Professional Development
I am onboarding to a role as an Information Security Lead with a very small start-up company engaged in a virtual assistance business model for small- to medium-size insurance companies.
I've had 9 years of relevant IT and security experience: I started as a SOC analyst and made my way up to Senior, then to SOC Lead / Supervisor.
I do not have experience as an engineer or as an architect, but I've basically rolled out and operated security tools in my previous tenures. This new role was kind of a big break, and the firm's top management and CEO have put their full trust in me.
The role involves managing the security solution for the company based on the NIST framework and putting together a team to set up everything from FW, proxy, SOC team, compliance and governance.
Any good advice moving forward? And what certifications do I need to undertake to prep me for this endeavor?

JDMurray (Admin, Posts: 13,052)
Speaking as someone who is a manager of a SOC team, IT certification won't give you the knowledge you need to create design, implementation, and operations teams within an organization. That knowledge and skillset(s) are very specific to each organization. Most IT certifications and academic degrees are only an abstraction of knowledge that can be generally applied across many different types of organizations (e.g., CISSP and MBA).

If I were in your position and my organization did not have the in-house expertise to create and run the necessary teams, I would seek the aid of an external consulting service that specializes in auditing and improving the security of business organizations. I would immediately start having business discussions with the CEO about the set-up and operations budget the org expects to commit for its increased security. (The top three priorities of any business project are cost, budget, and expenses.) I would also question why the CEO of my org put his "full trust" only on one person who has never done this before (that is, "me") rather than create a team of internal business and technical people for this project. You said it's a small start-up, so I'm guessing the C-level doesn't realize what it's asking for (i.e., the "Build me a rocket ship to go to the Moon" scenario).

arthedain_brandywine (Member, Posts: 8)
edited January 2021
Thanks. Yes, it's indeed a start-up, a little over 3 years in operation, and it has grown from 70 headcount to about 500 headcount.
There was IT in the beginning: an IT manager, a network specialist and a team of service desk staff.
They are adding Security; the company has grown, clients have requirements and the US government has compliance requirements.
The IT manager retains full oversight of the projects and tools, but they needed to bring in an IT security lead to spearhead the security part.
Eventually Security will have to grow with appropriate people; I believe the pipeline will be to get enough people with the right skill set.

JDMurray (Admin, Posts: 13,052)
It sounds like the first thing you will need is a project manager and an architect with prior experience building InfoSec into organizations that will need the compliance necessary for Federal contracts (FISMA, FedRAMP, FIPS, NIST, etc.). Unless you plan on hiring people who have already built some such, you'll have to go with a consulting firm to audit your existing organization and architect a plan for building what you need to meet compliance regulations, implement your technical infrastructure, and create policies and playbooks for your day-to-day operations. It may take years to get to where your org wants to be, but it'll be worth it when, in five years, you look back on what you learned and what you achieved. Do you have a budget for the architectural phase of this project yet?

scasc (Member, Posts: 465)
Nail the governance around the technology/processes etc.
AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...

UnixGuy (Mod, Posts: 4,567)
Good suggestions so far.

If I have to give you one piece of advice, avoid a common trap I saw people fall into who moved from security operations to lead roles: start to think outside of security operations. I met many excellent SecOps people who couldn't think beyond SecOps, so don't become one (I'm not saying that you are, but I've seen it enough times).

Understand the business, what they do, why they do it, and the regulatory environment that they operate in. Form relationships with other business units.

The use of consulting firms as suggested above is excellent; you'll need guidance, and it's always best to have an impartial pair of eyes on your job.

Learn GRC! GRC Mastery: https://grcmastery.com

scasc (Member, Posts: 465)
Great point, @UnixGuy.

I think you should understand the NIST framework that you follow and undertake a gap/risk analysis based on what the most immediate priorities are. This should then guide you in understanding what processes are needed, the technological gaps you encounter, and the people/skills you need to fill those gaps.

You may find that using an MSP is better value for money in the long run, with them sending periodic reports on the status of issues found/metrics etc., but the key thing is you need to add value to the role: speak to the senior management team and report on key risk indicators (what was encountered, what the impact of this was, whether any sensitive data/PII was exposed, etc.). You will need to think bigger picture/vision and how the functionality of the SOC/IR is helping the business move forward/achieve its objectives.

Don't forget, if you happen to manage a team, setting goals/performance plans/milestones/training targets etc. Plus working with the wider area of the business so they know their role too.

If you got an MSP, for example, and they said "we have found xyz that has done/is doing abc", what are the processes to invoke your IR plan?

Lots to think about. First port of call is SANS (my opinion). Check out their new courses in the area. 512 touches SOC processes/management; 450/551 sound like a good overview for you. Or perhaps anything else like 508, though unfortunately that's not my area of expertise.
AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...