Is your IT security department proactive or reactive? - TechRepublic
General discussion
January 21, 2008 at 07:27 AM
fregeus

by fregeus . Updated 18 years, 5 months ago

I am in a company right now that is in the process of creating an IT security department from scratch. They are under the impression that this department should be what I would classify as reactive, meaning that they will approve or refuse proposals for installations as they are presented (as being secure or not). They do not intend to participate in the analysis of any of those projects, just react to them. It does not seem like they intend on delivering standards to follow as well.

I find this to be a bad and costly view of security. I strongly believe that this will end up costing them more than they intended and will probably not yield the desired results.

Unfortunately, this is not the first company I have come across that thinks this way. I was wondering if I hit two similar exceptions or if this is the trend out there in the field.

My idea of a proactive department would be one that establishes standards for the other departments to follow, makes sure that those standards are followed and participates in projects to make sure they follow the spirit of what a secure environment should be.

Your thoughts are appreciated.

PS. How would you go about changing their minds, if you agree with my point of view?

Thanks

TCB
