Security Manager's Journal: Ideal job

06.03.2006

I had the Presidents' Day weekend to think. As I reviewed things, the organizational dynamics were a red flag. The fact that the CIO had rushed to have himself named acting CSO even though that meant surrendering a security direct report to the auditor led me to believe that he wasn't too keen about security being moved out from under him. The software development director was looking for application security guidance, which I am a little weak on. And then there was the audit director, who was new to the organization, full of ideas and wanted to shake things up and own information security. At least the IT director knew that his "WAN guys" had security nailed down, which would make his team an important ally. But what a mixed bag.

And in that bag, they wanted technical security architecture review, security assessment, security awareness training, internal audit, documentation, leadership and a whole lot more. What they need is at least one technical security expert in IT, security training for the IT guys, a person devoted to security awareness and training, internal audit as a separate function, employees devoted to disaster recovery, and business continuity planning under a separate banner. It came to me that maybe I should just hold on and write that book.

What Do You Think?

This week's journal is written by a real security manager, "C.J. Kelly," whose name and employer have been disguised for obvious reasons. Contact her at mscjkelly@yahoo.com, or join the discussions in our security blogs: computerworld.com/blogs/security
