百日计划:新安全经理的成功之道
2010-05-19      
打印自: 安恒公司
地址: HTTP://linux.anheng.com.cn/news/article.php?articleid=2064
百日计划:新安全经理的成功之道

【TechTarget中国原创】恭喜你成为新的安全经理。也许你是因为打赌输了或者是抽签中了(才摊上这差事)。也可 能你就喜欢这种挑战带来的刺激。

不管怎样,蜜月期都是短暂的,所以一定要想方设法干好最初的100天。这会给你今后在公司的这个职位上定下一个基调,所以千万别把时间浪费在思 考要做些什么和构思如何具体去做上面。这一般来说都意味着要查明和弥补一些大的缺陷,对整个机构或规定程序作修改(向更好的方向),并且最后还要确定业绩 目标。

一定要记住,职位的变动不会是无缘无故的。可能是因为前任安全经理对团队失去了信心,或者是他/她做得不够或者根本就没有作为。多半是因为有问 题需要你来处理,这就需要你和你的团队着手开始解决了。

基本上,第一个100天可分为4个重要方面:

  • 基准线
    明确安全问题到底在公司的事务中处于什么地位是非常有必要的,因为这样才好按顺序评估。也许是渗透测 试,也许是扫描,也许是社会工程实验;最有可能上述所有的一起。一定要记住,过了大概100天,任何问题都会归咎在新的安全小组,所以一切的遗留问题都得 尽快找到。隐瞒情况,粉饰太平是没有任何好处。
  • 修补
    设定好基准线后,就可以开始补漏了。这意味着要尽快补救最明显,最容易和最便宜的问题。在头一百天内打上几次胜仗绝对是非常重要的。这些问题可以不是最引 人注目的或最重要的,但是通过解决这些问题,管理层就会知道你把成功地把问题如期解决了。
  • 宣传
    头一百天中另一个重要任务就是为安全计划制定实施步骤,这是安全操作的基础。这意味着要合高层会晤,以找出他们想要保护些什么以及为什么要保护。把整个计 划展示给这些权力大佬们看看也是很有用的,他们通常会推动某些方面的动作,这就给你带来了好处。威信建立起来了以后,再去寻求对保护数据所需的项目或程序 的支持就容易多了。不过安全经理成功的很大一部分都在于和公司行政官的会晤。如果他们不知道你是谁,也不知道你在干些什么,那么你就做错了。
  • 规划后续步骤
    蜜月期要做的最后一件事就是计划年内余下的时间该怎么做。高管们喜欢看到团队的工作计划。基本的安全计划提供了一个大概框架,所以余下的任务就是设定一些 里程碑,然后开始根据这些计划进行。


正确地迈出头一百天的步子是至关重要的。这是第一个(也可能是最后一个)给管理层褒奖或问责设个基调机会。如果处理得好的话,管理层会把安全问 题当作是大事要务来抓,这也正是每个安全经理的努力方向。

Congratulations, you are the new security manager. Maybe you lost a bet or drew the short straw. Or maybe you like the thrill of a big challenge.

Whatever the circumstances, the honeymoon period ends quickly, so it’s critical to make sure the first 100 days are optimally spent. This will set the tone of your working career in this organization, so it’s essential that no time is wasted in figuring out what needs to be done and implementing a plan detailing how to do it. That typically means identifying and fixing some of the biggest holes, making some organizational or process changes (for the better) and, ultimately, establishing a track record of meeting objectives.

Keep in mind that the regime change happened for a reason. Maybe the previous security manager lost the confidence of the team, or maybe he or she didn’t get enough done or didn’t let anything happen at all. Odds are there are issues that need to be dealt with, and it’s up to you and your team to start making progress.

Basically, the first 100 days can be broken down into four distinct areas of focus:

Baseline — It’s important to figure out how security really stands at the company, so some kind of assessment is in order. Maybe a pen test, maybe a scan, maybe a social engineering experiment; most likely all of the above. Keep in mind that after about 100 days, the blame for any problems will fall on the new security team, so all of the residual issues need to be found as soon as possible. There is no benefit to sugarcoating the situation.
Triage — Now that the baseline is established, the leaky buckets can be plugged. That means moving quickly to remediate the most obvious, easiest and cheapest issues. Finding a few quick wins is absolutely critical during the first 100 days. Those issues may not be the highest profile or even the most important, but by getting them fixed, it informs the organization’s senior management team that you get things done successfully and on schedule.
Evangelize — Another key task for the first 100 days is to set the stage for a structured security program that will underlie security operations. That means meetings with executives are in order to figure out what they want protected and why. It also makes sense to present the entirety of the program to the power brokers in the organization; they will likely push back on some aspects, and that’s fine. As credibility is built up, it’ll become easier to get support for the projects and processes that are important to protecting data. But a big part of finding success as a senior security manager is to get face time with the corporate executives. If they don’t know who you are and what you are doing, then you are doing it wrong.
Plan the next steps — The last thing to do during the honeymoon is to build a plan for the rest of the year. Senior managers like to see the team working on a plan. The underlying security program provides the structure, so the remaining task is to define some milestones and then start tracking progress against those milestones.
Starting off on the right foot for the first 100 days is critical. It is the first (and possibly the last) opportunity to set a tone of achievement and accountability with the senior team. If it’s done right, executives will consider security to be a key initiative for the organization, and that’s what every security manager strives for.

责任编辑: admin