Re: Need a Security Consultant
Verily Paul Rarey allegedly did write:
>But let's give Frank the benefit of the doubt. Since Frank brought it up -
>what are specific success stories of your ex ISO's?
Thanks for the benefit of a doubt. As the last sentence seems to be
directed to the companies who have experienced ISOs, I'll answer for
Fortified Networks.
In my particular case, I used to work for a subsidiary of a multi-
billion-dollar international high-tech corporation as the (nationwide)
Information Security Operations Officer. The size of the subsidiary
was 3K+ systems & 6K+ employees. Some of my duties included:
o responsible for ensuring the compliance of all internal systems to
corporate policies & standards (many of which I helped write).
o central infosec security/technical approving authority for all
electronic connections from that subsidiary to the "outside world"
(avg. over 120/yr)
o penetration testing of internal systems
While I was there, we achieved and sustained the *highest* level
of measurable information security of any country in the world.
This compliance streak continued for over 4 *continuous* years.
While I was there, we withstood numerous hacking attacks and never
had a successful breakin. Also, when we were audited, our
results were "Excellent" and "Best of Class". BTW, this has the
added benefit that the auditors then left us pretty much alone
and spent their efforts on subsidiaries whose level of compliance
wasn't quite as high as ours.
The above results were achieved by integrating good infosec at all
layers of the company. The result was a very high level of security
awareness which resulted in the above statistics. The employees were
genuinely interested in ensuring that their systems were secure and
were proactive about infosec. They did not hesitate to call me if
they thought there was something that looked suspicious.
When an employee was proactive and reported something, I would send
a mail to the employee's manager (cc the employee): an "attaboy"
memo from me praising the employee for his/her efforts in helping to
ensure the continued security of the subsidiary (and consequently,
the corporation). I am certain that this helped people when it was
time for job reviews. I'm a firm believer that those who go the
extra mile should be rewarded. Also, word of this gets around -
which helps to further promote high levels of infosec.
FWIW, I had the extreme good fortune of working for a brilliant
InfoSec officer named Gerhard Oberle (for those who know him).
IMHO, he was @3-5 years ahead of where the corporation was going
with infosec (and that corporation was @3-5 years ahead of where
most companies are with infosec). I learned a *lot* from him in
the 2 1/2 years I worked for him (before he left the company) and
make an effort to teach others about infosec from the things he
taught me as well as the benefits of my own experience.
The stuff I mentioned earlier (and is on FNI's home page) about
helping companies achieve high levels of infosec which are highly
secure, user-friendly, virtually non-intrusive to business operations,
and as inexpensive as possible - isn't hype. It *is* possible
(as illustrated above) and it is one of our specialties.
If you are interested in having your company receive the benefits
of our experience & achieve similar results, give me a call at the
number below.
Best Regards,
Frank
Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec
<standard disclaimer>
The opinions expressed above are of the author and may not
necessarily be representative of Fortified Networks Inc.
Fortified Networks Inc. - Information Security Consulting
http://www.fortified.com Phone: (317) 573-0800 FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist