Time: 2 hours 9 minutes
Difficulty: Beginner
CEU/CPE: 2

Video Transcription

00:00
Welcome back to the Asset Security course. In this lesson I'm going to talk about the people involved in asset protection.
00:09
So in the previous lessons I talked about ways to achieve asset protection. Now we're coming to the people factor: who is going to do that, and how the whole organization functions.
00:25
So in this lesson you will learn about what roles exist in the company that are involved with asset security,
00:38
and we'll talk about the advantages of hierarchical or role-based organization, which exists in many companies today.
00:49
So let's first see who are the people we're talking about. This is a typical way that decisions are made and things get done in companies. You have the board,
01:00
and at the top you usually have the CEO,
01:03
the chief executive officer, who is basically in charge of the company. Now, the rest of the people there are involved in other parts of the business and have nothing to do with asset security, for example the business manager or maybe the sales manager,
01:19
or somebody who is handling the channel business, if the company is a sales company and does it through channel partners.
01:26
If it's a manufacturing company, there is probably some kind of officer or somebody in charge of manufacturing. Somebody may be in charge of HR, and so on, and there is also the chief technology officer and so on. So
01:47
there are quite a lot of people, but we're not going to talk about these roles. So
01:49
under the CEO, the first person in charge of all these things is the CIO, the chief information officer.
01:57
Basically, his responsibility is to make sure that all IT services function in order to support the main business
02:07
of the company. So if it's a company making cars, then the CIO has to make sure that whoever is making cars or selling them has all the IT services available at every possible moment. So under the CIO, you usually have the network admin, the IT admin, I mean,
02:27
there are many roles.
02:30
Then you have, for example, a data custodian. So the data custodian is a person in a company that is responsible for the technical environment and database structure. Basically, he's in charge of data, so
02:49
sometimes we call that person the database administrator,
02:53
and then you have a data owner, and the data owner is
03:00
basically someone who approves data glossaries and definitions and initiates data quality initiatives and so on. And so
03:12
basically they are in charge of structuring data and of the data being properly distributed in the company, not in the technical sense, but in an organizational sense.
03:27
Then we have the CISO. It's usually called the CISO; it's short for information security officer or chief information security officer. And
03:40
they are in charge of making sure that the company follows all the guidelines and all the regulations, and obeys the laws that concern information security and asset security in that particular branch of industry in which the company is working. And usually under them they have something called the SOC team, or
04:11
security operations center, which is in charge of
04:16
basically implementing and managing security tools to investigate suspicious activities. So they use things like SIEM tools to monitor the things happening on the network, to see if something unusual is happening, and then to investigate. Also, they have the task to reduce downtime, to ensure business continuity, and to create the security strategy, and this is very important. So basically the security strategy of the company is owned by the SOC team.
05:03
Then we have the chief financial officer, who is not directly involved in any technical aspect of asset security,
05:13
but because they are signing the checks,
05:17
they are fundamentally responsible for all the assets in the company, especially for physical assets. As a matter of fact, in some companies we still have, and I have seen that in Europe in many companies, in my experience, in the companies I have been working with, they have this
05:35
some kind of military approach to
05:41
asset ownership inside the company. So basically, if you're a manager of a department, you're essentially responsible for all the assets that department has, so chairs, tables, whatever. And then when you
05:55
get to your job, the first time they give you a piece of paper on which you basically sign that you are now responsible for all the assets there. Now you pass that down to the people working for you. So if you're, for example, the IT manager,
06:10
then you sign for all the network equipment, and then you get your network admin and you make him sign for all of the networking equipment, and the IT admin signs for all the servers,
06:24
and the endpoint administrator signs for all the PCs in the company. Or you delegate that to the managers of the
06:30
business groups in which these PCs are used. So
06:36
this is how it works. Now, we also have some people who are not directly in this hierarchy
06:44
or these functions. First of all, we have auditors, so these are guys who are not responsible to anybody, except sometimes directly to the CEO.
06:57
And their job is to audit and to inspect everybody else and see if they're doing their job. So it can be one auditor, it can be a team, it can be a hierarchically organized audit team that has people doing financial auditing and IT auditing, whatever,
07:13
and as a rule, they cannot be responsible to, they cannot be subordinate to, the people who are doing all the things, so they have to sit on the side.
07:25
And then you have committees and ad hoc panels and boards which are convened. Sometimes they don't function all the time, but they're made to work when a huge decision has to be made. For example, if a company has to make the transition from one operating system to another,
07:46
then a panel or board is organized to do some kind of transition.
07:56
And if you look at the structure of the company, it usually looks like this. I didn't put all of the functions there; this is just an example. So you have the CEO, and then you have the CIO under him, and then you have the network admin, the IT admin and the data owner,
08:11
the data custodian or database administrator, and so on. And then under the CISO, you have the SOC team, and we're not going to go into further details.
08:24
I mentioned this picture just because I want to show you first when this works really well.
08:33
And this structure is really good when something goes wrong and you have to determine responsibility.
08:43
And it is even better when you have to implement a strategy. So you have decided on a strategy, for example, you are making a security strategy in the company, the SOC team has defined the strategy,
08:58
and then it has to be implemented. And then in the meeting, you decide whose responsibility it is, and they're in charge and they're tasked. They have their subordinate people there, they have their teams, they convey the message, people start working, everything works perfectly. Of course, that is
09:20
if these people know what they're doing, which in big companies is usually the case. Also,
09:26
these hierarchical structures are really good for quality and productivity: for quality because the people working in these structures are specialized in their jobs.
09:39
And if they're paid well, if the company is in good shape, they're really good people, they know how to do their job.
09:46
So as a result, they do it very well. And because there are quite enough people for everything in the company, they can do it highly productively and very fast.
10:01
So when does this thing not work well?
10:05
The first case is that these people sometimes have opposed interests. For example, they're all fighting for the same budget.
10:16
And then you have people who are in charge of the database and they need more hardware for storage, for example, and then there are security people who want some new software implemented.
10:28
And in these situations, they might fight over the same amount of money that is at their disposal. And then something gets cut. And this is not really good. So in my experience, in these situations, the people who are
10:46
getting the most money are not those who actually need the most money.
10:50
They're the people who have better personal connections with somebody who is making the final decision, in this case the CEO or the CFO.
11:03
The other situation where these hierarchical structures have a tendency to produce bad results is when you have to think outside the box and you have to find new solutions.
11:22
So thinking outside the box is not a characteristic of people who are specialized in one field. So if you have a network admin, he's focusing on network issues; at the same time, you have the IT admin, and he's focusing on servers and stuff like that.
11:41
They're all fighting with the budget constraints, and when there is a new solution needed, when they face the idea that something has to be done, then they organize a panel or some ad hoc board. Sometimes they hire outside consultants,
12:01
but this is usually, in my experience, the last resort. Because all these people,
12:07
when they propose that an outside consultant is to be hired, are basically admitting their incompetence in their field, which is not the case, but this is a normal human reaction.
12:22
So when you have to, for example, you face a security issue and the current structure cannot solve it, so you have to change something,
12:31
then these hierarchical structures tend to be really slow in producing a quality solution.
12:39
And I will talk about the other ways to do it a little bit later in the lessons to come.
12:48
So in this video, in this lesson, you have learned, so at the end, let's recap this lesson, in which I have been talking about who are the people that are in any way connected with asset security,
13:11
the people in the company, provided that the company is hierarchically structured, at least the people working with asset security. And I also talked about the advantages and disadvantages of hierarchical or role-based organization in the company when it comes to resolving some issues that are in touch with asset security.

Up Next

Asset Security Fundamentals

As a cybersecurity professional, it's often your responsibility to set security standards for your organization. In the Asset Security Fundamentals course, you will identify what types of assets need protection and the job roles that are involved.

Instructed By

Milan Cetic
IT Security Consultant
Instructor