CISOScott,

Thank you for your very informative and well put together reply.  The hardest aspect of this position for me so far is that I am coming from the DoD where change happens quickly and sometimes forcibly.  I am learning the hard way that the water utilities sector moves like frozen water; however, it does change.  You made a lot of great points, especially producing metrics and justifications for adding more personnel.  Right now it is just me, but I do have intentions of requesting 1-2 more additional personnel at a later date.  Until then, what are your thoughts about sharing the wealth among the various IT people in regards to some of the security functions? For example, account auditing.  Being that it is just me, I do not want to get to the point that I am drowning because I consolidated all of the functions into my section, which is just me.  Finally, here is my itemized list of projects that I want to accomplish in order, let me know if it looks good to you:

1.  Produce, revise, update policies and procedures.

2.  Produce highly detailed and thorough network diagrams, both virtual and physical (will contract out).

3.  Implement an IT Asset Management program (reviewing programs right now).

4.  Change existing password reset procedures (Right now people just contact the IT section).

5.  Create and implement a Cybersecurity awareness and training program.

6.  Institute a multi-factor login option (Looking at smart card technology).  

7. Implementing some type of data monitoring system (have a request for a quote from Splunk).

8.  Institute a daily log review schedule. 

These are just some of the things I identified in the first few days that I have been here. Again thank you for taking the time to reply and I am trying very hard not to be a security jerk, especially since I am a former Criminal Investigator!

One of the things I try to do is to think about where I want my department to be next year. I always like to build up my threat hunting capabilities. To do this you will need some security analysts. The ideal situation is to have both Senior and Junior analysts so that you have 1) a career path Jr>Sr>ISSO/CISO and you have built in training potential. Sr teaches Jr how to do it better.

Sounds like you are off to a good start. One of the biggest challenges you will face around policy is going from Federal government to this agency. You didn't mention if it was state or local government but usually a service like water/wastewater is done at a local or state level. Could be some federal ones too, but I am guessing more local/state. I had over 25 years in federal government. The big advantage of the feds is ready made documentation and policies, NIST 800-53, etc.. You have frameworks and standards a plenty in federal gov. Not so much on the local/state levels. So coming up with policy is a good idea, but may not be your most pressing issue. 

I think you are on the right track with the review of who does what in IT. I would expand your list by finding out what everyone can do in IT. In most agencies/companies I have been with (about 10 so far) I find that the line between IT and security is very blurry with folks operating on both sides of the lines. So find out what security items are being done and by whom. Then you can help lay out your plan to help the company separate them by showing that these security items should really be done by people who do not have the rights to do them (separate the fox from the hen house). I was able to "pry" some of my security staff away from the IT department this way. If you have an audit dept, try to lean on them to do some of the auditing items, if they can. If they deny you, use that as a reason to have more staff. Lean on the Least Privilege Principle. As a former investigator you have probably seen the damage caused by insider threat. Show how having people that are able to make changes, with no one to audit their actions, and not enough people watching all of the items that need tracking could be bad for the company. Look at rights management to see if people have too many rights (i.e. IT made them a global or domain admin because it was easier than trying to figure it out on a granular level.)

One of the quickest ways to gain staff is to frame your findings in how it relates to risk to the agency.

1) Not having a policy in place means it is harder to prosecute individuals for wrongdoing.

2) Having people with too many rights raises the risk of insider threat or even incompetent admins deleting whole Active Directory OU's, yes I saw that happen.

3) Once you perform an activity, create Standard Operating Procedures (SOP's) documentation for them. This will help you document what you do in an efficient manner, it will help with policy or procedure creation, and it will prepare you to be able to hand that duty off to a staff member when you get one.

4) If you start getting overwhelmed you can look at this: Here's what I do, here's what I could be doing, and here is where I would like to go in the future. Look at the current list of tasks and prioritize them according to what you see as important. Include the risks for each item. For example; Not dealing with people clicking on links in email is more of a threat to the network than not having an email policy. Having a policy makes it easier for people to understand the expected behavior and prosecute them for violations of it. So maybe you set up a phishing response security awareness course or even just an email explaining phishing and then have a way for people to send in questionable items for review. Then write the policy.

One of my early successes at one job was shutting off USB access for 85% of the organization of over 5000 users. They had PII and other stuff being transported around on USB drives and were bringing in viruses on them. Once I proved to the CIO there was a risk to his network from viruses and had also explained the potential "lost" PII risks to him and senior management, they went with my recommendation to block them and have people that had a valid business need submit a request. Then I updated the policies around use of portable media. Then I went on to inappropriate use of company email to reduce/close that source of risk.

Also it is going to be key to understand the unspoken organizational culture. If everyone is operating out of a fear mentality, they may be reluctant to do any improvements out of fear of being scolded or punished. If they operate out of an "I don't care" attitude you might have to explain the risks in a way they can understand., etc.

And remember, security should be more like a speed bump than a stop sign. Unless they are headed for a cliff.......

@CISOScott @lavancini Given the previous responses, I would openly seek to understand their current OT engineers, and how they use such systems and control them.   IoT, and automation of control systems is key to understanding how their control systems communicate, many of which will have long distance monitoring going on via Microwave, UHF and potentially direct line of sight communications using WiFI techniques. 

When speaking to the OT engineers, take the tie, off, don the safety boots, get into the one piece engineering and safety helmet, and actively listen, and understand their issues, and how they deal with situations.    You wil gain their respect, and therefore subsequently any decisions will be coordinated and tested with them, before being pushed up to the Governance layer. 

Or do they have a mature approach towards control systems, integration of IT systems, or do they keep themselves separate from the normal IT Operations personnel? 

Regards

Caute_Cautim

CISOScott,

I apologize for not replying to your post sooner, got caught up at work with some hot topics.  We are a local water/wastewater service provider which is actually a private organization.  As with your first reply, you really provided me with a lot of useful information, in fact, I will be printing out both replies and adding them to the continuity book I am creating ( I will redact your screen name).  

One of my mid-term objectives is to bring on 1-2 analysts in order to perform the continuous monitoring function of the security program; however, because of how we are funded (we have to increase service cost to add new personnel) I am looking at hiring from within.  We are evaluating cloud options for our servers, etc., so if we go that route then some of the IT personnel will be phased out. 

Your suggestion on a company-wide email in regards to phishing is an awesome idea, I will propose this option this week to the Director of IT to get his approval and send this out by the end of the week!  Again thank you for giving me great advice and helping me find a direction, which as been kind of difficult since there are so many things I need to do to get security where it needs to be.  

Larry

Caute_Cautim,

Thank you for taking the time to respond.  The SCADA team actually has a pretty good security system in-place.  They are very security-minded and aware of the need for security their SCADA/ICS, their not specifically trained in IT security so it needs some work.  The great thing about water is that if the systems go down, then everything still can be performed by personnel.  

I am glad that you stated that I needed to "take the tie, off, don the safety boots, get into the one piece engineering and safety helmet" because they were surprised when I asked for my safety boots voucher since no one in IT has asked for them before.  I never thought about that this would gain their respect though, more that I needed to understand their systems better before I submitted policies for approval that would affect their abilities.  Thank you for providing that input.

Larry