When thinking about the structure of your central security function, you should consider what makes the most sense for your organisation and which functions should be allocated to full-time employees, contractors and service providers.
There are roles that need to be held by full-time employees, because these roles depend on deep relationships with internal stakeholders and service providers for the security program to make progress.
- Information Security Manager - a full-time employee will be able to act in the best interests of the organisation and maintain the relationships with senior stakeholders that are necessary for securing funding and approval of security standards.
- Information Security Governance Analyst - a full-time employee will be able to build relationships with stakeholders in business units and gain the understanding of their business processes that is essential for co-ordinating risk assessments, security policy compliance checks and security control testing.
- Information Security Technical Analyst - a full-time employee will be required to liaise with projects and business units for penetration testing. It would also make sense to use a full-time employee to conduct vulnerability management activities such as vulnerability assessment scanning and to oversee security patch management.
There are roles that can be performed well by contractors:
- Security architect - security architects are often required when an enterprise security architecture is being established or when a high volume of projects requires guidance.
There are functions that can be outsourced to service providers such as:
- penetration testing - it makes sense to outsource this function as the resource requirements will vary depending on the projects in the pipeline
- risk assessment and security policy compliance checks of projects and processes
- security control testing
- security operations - firewall management, IDS management etc.
1 comment:
I am a firm believer that if anything, the role of the architect should be retained in house and the roles of penetration testers should be outsourced, if anything.
Firstly - architects rely heavily on relationships with stakeholders and an understanding of the business environment, IT systems and applications as well as dependencies on legacy systems. This knowledge takes a very, very long time to acquire.
Secondly - penetration testing is a constantly evolving field with a strong upkeep. These skills and the people it attracts need to be very well looked after and consistently trained. Most companies lack the training budget, patience or even just the time to provide these people the care they require.
Thirdly - unless the pentest involves a whitebox methodology, then the pentester needs to be removed to maintain their independence in conducting a blackbox approach. If it is whitebox, then they can be supplied the data they need regardless. Working in-house removes that independence.
Fourthly - depending on how busy your office environment is, your pentesters might not be left alone long enough to conduct a test. Have you ever tried doing a pentest with 5+ 1 hr meetings in a given day? Trust me, it isn't possible.
These were my experiences in my last role. I was brought on board to do pentesting but over time, as the demands of the role increased, found my role changing to that of an architect and almost a technical PM managing pentesters.
- J.