UKSecurityGuy wrote: The issue with scopes for most security professionals at the moment is that the analysis piece is rarely ever done; some random paper-based security manager who doesn't really understand the technology, network or threat actors defines the scope, which is then just repeated ad hoc every single year, making the entire testing next to useless.
The above is the biggest issue, underlined and in bold.
We have 3 ways the security manager can go:
1. Understands current information security needs; he/she keeps up with info sec on a day-to-day basis. Pretty much the all-around info sec manager that you want.
2. A person who has been working in info sec since the 80s to 90s. Now, don't get me wrong, these people can fall under option 1, but some of them do not. All they try to do is what they learned in the early part of their info sec career, which they try to apply in today's world. This causes issues like "who doesn't really understand the technology". Their biggest problem is that they think they know everything about info sec (we all know you can never know everything about info sec, and when you do think so, you are in the wrong career!), they are in charge, and, last but most often the case, they don't want to listen to anyone under them, or when they do, they take the credit for the idea.
3. The big company wants a "manager" in charge of the department. Time and time again I have seen people who know nothing about info sec become info sec managers because they have the management experience.
By no means am I saying this is what happens 100 percent of the time, and I'm not trying to upset anyone, but this is what I have noticed.