RE: First day and week as CISO?

Conduct a fresh organization-wide risk assessment to determine the
strengths and weaknesses of the information security controls and
practices; the existing security staff probably know a handful of
weaknesses off-hand (sore points which they have previously been
unsuccessful at better securing). There are many benefits: you are able
to present management a fresh understanding of the security posture; you
are able to identify areas in which they have de facto already accepted a
risk, whether they know it or not (and if an incident occurs as a result
of the existing security state you have CYA); and you are able to spin
off a justified list of projects to mitigate those risks on the horizon.

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of cisohelp@xxxxxxxxxxxxxx
Sent: Sunday, November 30, 2008 11:23 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: First day and week as CISO?

throw away wrote:

Going to be interviewing soon for a CISO..

One of the questions we're going to be asking is the theory question:

What would you do in the first day and week on the job?

The company is a multi-million $ company, web based, sites all over the
globe. 100's of users, 100's of servers, and a hell of a lot of

Any thoughts?