Poor management of IT Security Team and Program.
I recently got a job as a security analyst in the Payment Card Industry. I work in a team of four, the work environment is fast paced and somewhat stressful. After being here for a month I can definitely say the manager has no plan where he wants to see the department in the next 2 years or so. We are due for a PCI audit and I recently realized we don't have a security awareness program for corporate and field workers.
My question is: as a young security analyst I would love to change users mindset and knowledge concerning information security without stepping on toes. What security awareness program, CBT, or tools are out there for me to use?
Any information/suggestion is helpful.
Thanks
Neno
My question is: as a young security analyst I would love to change users mindset and knowledge concerning information security without stepping on toes. What security awareness program, CBT, or tools are out there for me to use?
Any information/suggestion is helpful.
Thanks
Neno
Comments
-
darkerosxx
Banned Posts: 1,343
Edit: nm, you said a month
How recently were you hired? My advice... Prove yourself and your skills before developing a campaign to alter any mindsets. Build the credibility you need to do so. -
lsud00d
Member Posts: 1,571
This seems like a top-down scenario for change...unfortunately more often than not this takes someone getting bit or trouble to brew before people wake up and put a plan to action.
Hopefully in your case it doesn't involve an actual security breach but a poor audit scoring and/or fines would help bring the case to the forefront. I would brainstorm ideas that could help assuage issues that arise from both a high and low-level perspective. You'll be viewed as the 'idea guy!' which will make people seek your advice in the future. -
tpatt100
Member Posts: 2,991 ■■■■■■■■■□
Focus on learning your job first, don't worry about making waves until you know the true nature of your work environment. -
xnx
Member Posts: 464 ■■■□□□□□□□
Haha, focus on getting some level of job security before trying to do other people's work for them.
This isn't going to end well with the approach you want to take..Getting There ...
Lab Equipment: Using Cisco CSRs and 4 Switches currently -
joneno
Member Posts: 257 ■■■■□□□□□□
This is partially part of my job. I'm was thrown into the wild with little knowledge of the environment. It's not my first security position and I'm not worried about job security. I was simply looking for ideas about an online security awareness solution if one is available.
Thanks for the concerns though. -
bobloblaw
Member Posts: 228
You can get security awareness training modules from plenty of 3rd party vendors, or make one yourself.
Like lsud00d said, this a top down issue. You need management support before you move any further. -
joneno
Member Posts: 257 ■■■■□□□□□□
Maybe I was bad communicating the issues we have. The Management buying in is obviously needed, that's why I'm researching solutions to fix the mess. If the management approval was not given I won't even bother with it. The VP of technology and my manager agreed we need one, there is money approved for it now. I was simply asking if you guys have any idea for me.
Again, my job security is not in question here. You can always learn an environment and accomplish goals at the same time....trust me guys, the environment is a good place to work and learn new techs from a security standpoint. They just don't plan ahead for common stuff, we(the new employees) are simply trying to change attitudes. -
bobloblaw
Member Posts: 228
Gotcha. Find some vendors, get some demos, and request quotes for the ones you find sufficient.
Also, you'd be amazed what regular email reminders can actually accomplish once a quarter. Writing a 2-3 page pdf with visuals in it with best practices discouraging piggy backing, locking your pc every time you leave your area, badge display, etc., go a long way.
