Earlier today I was thinking about how to provide guidance on information security decision making to new managers in the field. I realized that this is not the only area of information security where guidance for new security managers is lacking. There is almost no content on security team organization, security operations, human resources (apart from the old discussions around certifications and "hiring hackers"), relationships with other groups within the organization, and the development of a security strategy.
I know there are many books, courses and other resources about what an organization should do about information security. However, guidance for the manager who will lead that group, focusing on the "how" instead of the "what", is just not there.
Now, imagine yourself as a brand new security manager, tasked with assembling a security team for a big company. You know everything about PCI, ISO2700x, firewalls, IDSes and cryptography. But how should you start? How many people do you need? What roles will they have? Can you write a job description and describe the kind of professional you want in each of those roles? What about the relationship with the auditors? How should you handle that? By the way, what will you do next?
Those are the questions whose answers, I feel, are not readily available to those starting in these positions. It seems like content worthy of a book. I wonder, is it writable? Or is it the kind of content that depends so much on context that it would be useless? If you are planning to become a security manager, or have just started in the position, do you think this kind of guidance would be valuable to you?
I hope to see some good content like that at RSA next week. If you are attending and have an opinion about this, please drop me a line; we can talk about it there.