Ten months in to being the SISO

Reflections on ten (ish) months into my post as Senior Information Security Officer.

Cartoon image of a penguin sat working at a computer.

I moved to my new job as a Senior Information Security Officer (SISO) at the end of June 2022, so I've been in post about ten months now.  My previous job had been a Deputy SISO so this was a step up for me.  I also moved from public sector (local government) to private sector (a technology company).  In this post I'm going to reflect on my first ten months (or so), remembering my arrival, commenting on the things I've been doing, challenges I've faced, and some tips I think others would find useful if looking to take a similar role.

To be clear, this will not be a critical piece about my employer.  While no employer is perfect I've been made to feel very welcome and valued.  If you're after drama you probably want a different blog post!

The role

I sit within the compliance team and my role is to do the technical side of security.  Non-technical items such as compliance with cookie regulation fall to others.  Wider reaching items such as GDPR compliance and data protection fall to everyone.  Overall, if it's not technical cyber security I should be passing the query on - sometimes I'm good at that, othertimes bad.  Ultimately if I know the answer I'm still inclined to help someone if I can.

First weeks

For my few days I worked from our head office, probably the nicest office setup I've worked in.  Not many people come into the office anymore, so it was pleasantly not over crowded 🙂️.  I met my boss and went through various induction sessions so I could understand the company better.

In my first few weeks I met a lot of people from different departments.  Some were department heads, others colleagues that I'd be working closely with.  Everyone was abundantly welcoming, and some incredibly pleased to have a dedicated security person on board.

Equipment

I've written before about how it's important to give staff the right tools, and I was pleased to find I'd been provisioned a laptop of the spec I needed.  I picked a secondary monitor for use at home.  A work phone arrived in the post a day later - an iPhone, which I'm learning to work with but still treat it like an Android...  For me having a work phone is important, allowing me to separate work and home life.  I'm not formally on call, so when the work phone is off I'm not being disturbed by work.

The hardware I've got should last me years.  In theory we have a policy of replacing Windows laptops after three years, but if the equipment is servicable I plan to use it for longer, saving the cost.

Frameworks

While at the council I had to adhere to the Public Sector Network code of connection and Payment Card Industry Data Security Standard - or PSN and PCI DSS.  Each of these mandated regular testing (infrastructure pentests and vulnerability assessments) in order to gain a certificate of compliance.  Now I'm in the private sector there's no PSN compliance to meet, and as we don't handle card payments I don't have to worry about PCI DSS either.

The organisation is ISO 27001 certified, so I need to ensure I'm working within that framework.  I'd not worked under 27001 before, although had an awareness of it, and it's very interesting to see that in use.  Numerous policy documents declare what we do in all sorts of areas, and I own some of those policies.

What have I been doing?

Very much a rapid tour over the last ten months, but here's some of what I've been up to.

Looked after IT, briefly

Not long after I arrived the Head of IT left - he assures me that wasn't due to my arrival!  I'd actually worked with him about 18 years ago, he's a nice chap and a reader of this blog.  "Hello!"

My role isn't IT support or infrastructure management (that was a past job I held elsewhere), but I was asked to look after IT for a while, until other staff were recruited.  This was a learning curve in some areas - I'd not administered Microsoft Office 365 fully before, and the virtualisation hypervisor is one I'd not used beyond some lab work a decade ago.  I found my way through though and I was pleased to pass the baton on to others after a few months.  I still help out ocassionally, particularly if it's a security related task, but for the most part IT is someone else's job.

Updating policies

I'd never been the owner of any policies before, only having contributed in the past.  I inherited a number of policies and have updated a few now.  Some needed an update to current best practice (e.g. removing a stipulation to change your password every 90 days), others needed updating to reflect what we actually do.  Another I updated to reflect the greatest malware threat to the business was ransomware and extortion, whereas previously it had said remote access trojan.  There was nothing wrong with the policies, just times have changed.

I also became responsible for physical security of one office, so inherited its policies.  After a quick review, and finding "you may not take photographs in secure areas" I realised I was in breach, having photographed the server cabinets as part of writing IT documentation 🤦️.  Fortunately, as the policy owner, I could edit that to say "except where approved by the security officer", so won't have that problem again.  Phew!

Vulnerability management

Not all of our infrastructure was covered by vulnerability scanning tools, so I've been working to extend that.  I needed information so I could determine our current security position, and implemented Rapid7's InsightVM.  I'd used InsightVM at the council, and it met our budget, so that's running nicely now.  Still some more work to do though.

I also use AWS Security Hub as part of the vulnerability management programme.  While InsightVM looks at items such as missing patches or TLS configuration issues, Security Hub looks at cloud configuration deviance from recommended practice.  That's really handy, although I'm sure my colleagues don't like being sent remediation tickets when a problem is found.

Security questionnaires

Before my arrival, if a client submitted a security questionnaire someone would have to stop their usual tasks to complete it.  Now those come to me, and I'm able to build an answer bank to reduce the time taken to complete them.  I still have to reach out to colleagues, but that's becoming less necessary as I've already got the answer to some questions.

As far as I know, there's no international standard for security questionnaires - I wish there was so we could write the response once and share it when necessary.  We get a lot of questionnaires from clients, often with the same questions but worded differently.  To help reduce the workload I've started to put together security FAQ documents that cover the common questions we're asked - from "how does your company do X?" to "how does your product handle Y?".

Coordinate penetration tests & track fixes

A colleague had started arranging our penetration tests before I arrived, so I was able to pick up from him.  Once the tests are completed I log tickets for the relevant teams to get items fixed (or I'll dispute the finding if it's a false positive).  Some of our customers perform tests too, so I review their reports and do likewise.  Those reports can be of varying quality, shall we say!?

Once tickets are logged I track them to completion, liaising with product owners to check timescales.

Challenges

This is my first time being at the top of the security tree, so security recommendations or decisions I make stop with me.  I'm quite happy to take responsibility for my actions, that's not a problem, but it can be daunting.

Knowing who does what in the organisation is something I'm still learning.  Our company lets people move around the business so sometimes that changes once I think I know who does a particular task.  Fortunately people are happy to point me in the right direction though.

I work for an organisation where several companies have come together, and that's quite a challenge on a number of levels.  From my perspective, combining security policies to apply to the whole organisation can be quite tricky.  We're working towards a single policy set but, as you can imagine, that's a lot of documents to merge and working practices to update.  My aim is to get a consistent approach in all areas (which is not to say current practices are bad, just different).

Tips

If you're looking to make a similar move I hope you find these tips useful:

  • When asked for an opinion on the best way to do something, don't be afraid to say you'll need to go away and research it prior to providing an answer
  • If you're the whole security team, maintain a network of peers outside the organisation that you can discuss ideas with (without sharing proprietary information).  Your peers are bound to have come across similar issues, and may already have the solution
  • Remember that security is a team sport, so don't be afraid to work with others
  • You can't be the expert in all areas, so lean on the expertise of colleagues.  For example, AWS is not my biggest strength so I'll discuss security of AWS with those that know it better
  • Be approachable - there's no benefit to being the security person no-one is prepared to talk to!

Banner image: "Penguin Admin", from OpenClipart.org, by Moini