EXPERT RESPONSE
It's not clear whether you report to the IT group or directly to the compliance officer, and the answer to your question will vary depending on where you are in the organizational hierarchy.
In general, the security officer's main job is to develop and run the security program. A lot of the blocking and tackling is increasingly being integrated into the operational groups (networks, data center, desktop, applications) and it's the job of the CSO to evangelize the entirety of the program and persuade each of the operational managers to work together and deploy a layered security environment.
Now if you work for the compliance officer, then you are basically in charge of implementing the security program, and that's fine. But you should have a hand in developing the program as well because it's really hard to implement something you don't help build.
To be clear, I do not recommend delegating the development of the program. It's a bit wacky to think someone other than the security officer's team is better positioned to understand what needs to be protected and how it should be taken care of, and then to define program success and manage milestones.
For more information:
Learn why it's important to keep enterprise networking and security roles separate.
In this tip, Khaild Kark explains how to develop controls for people, processes and technology.
|
