The company I work for (kind of a startup) can't afford a full-time chief information security officer (CISO). So the boss is asking the security-aware people in the team to work together to do a CISO's job. And I don't think we will have any budget for that.
The thing is, we all have a security-related background, and know some stuff, but don't really know where to start, nor where to go after that.
We do know we should:
- Document ourselves for methods and best practices, set goals
- Assess the needs of our organisation and the risks
- Define a security policy
- Apply the security policy
- Promote security awareness throughout the company
- Control that the policy is being respected
- Report directly to the CEO (and not, traditionally, to the CIO)
- Adapt the policy with growth and business: back to point 2.
What we need are the exact steps, contents, things to look for, things we may not think of. Basically a complete guide to doing a CISO's job.
We found and read through several resources, often complementary, sometimes contradictory, but never complete. So we don't really know what we are missing. And it seems like a lot of work, but we believe that if the knowledge is correctly gathered and the methods defined, we would be able to succeed in doing this, while staying motivated and, above all, doing it right.
It's maybe a lot to ask, but can someone help me with that?