Advice for new ISSO or ISSM

Someone in /r/netsec posted a question about what advice us old sages would have for a new ISSO. The below was my response that I hope is useful to my readers in a two-fold way.

  1. ISSO that are coming into the field
  2. Managers that are trying to hire or understand your staff

Without further ado…

  • Whatever industry you are in there are policies that dictate compliance. Learn them. PCI, DIACAP, NIST, FIPS, ICD, DCID, JAFAN, NISCAP, etc. Learn the policies NOT in your industry as background knowledge. It will help make you a better decision maker.
  • Document everything. If it isn’t written down it doesn’t count. Security practice without policy is fictional
  • Embrace your geek system admins. Find the weird guy with the binary clock and buy him lunch. Without the support of your admin staff you will die on the vine
  • Being an ISSO means that you are upward reporting, downward enforcement. Present well and be consistent with your message. You are no ones friend and therefore must form alliances to ensure your success. Also don’t dress like a hippie unless your company encourages that. Most days the ISSO is in a weird in between place where you aren’t a suit and you aren’t a sysadmin
  • LEARN THE ARCHITECTURE. You will loose the respect of your teams as soon as you incorrectly state how SSH, PKI, IPSEC, or any other key security terminology works. If you are the ISSO of a group that does mostly web apps you better know web services inside and out. Security guys must know it soup to nuts
  • Be humble, but be firm. You are the enforcer and dictator of all that is securing 1’s and 0’s for your teams. Accept that since you are new you will not know everything. Let people see that you are humble and willing to hear both sides before making a ruling
  • Get active in your local security groups. Hackers, B-Sides, Con’s and whatever else can serve as an excellent networking tool for you to see how your peers are practicing security
  • The fact you came to /r/netsec shows you are trying to learn. Keep learning. Subscribe to mailing lists and RSS feeds and block out portions of your day to read them. You are there to ensure someones ass or data doesn’t get stolen/chewed. As the ISSO you are expected to be ahead of the curve
  • Compliancy sure feels good, but without it actually enforcing good security it will only make you feel good. Let your company or group get hacked and see how much leeway you are given for an ATO or compliance checkbox
  • If you cant recite port #’s out of memory or explain basic PKI, MFA, Defense in Depth, packet theory, or how different protocols work then you need to move along. Study up quick or write your resignation and hand it over. Security has no time for people who lack basic knowledge. Eventually it will catch-up with you
  • Good luck and welcome to the community!

Updated: