Sadly, there are times when a prophet is not accepted in his own
country, and this happens to many a competent professional. Generally, no
one knows the IT security environment better than the resident security
engineers. However, if you find it difficult to obtain sufficient
funding or support from management to implement the solutions needed,
you may have to look outside the organization for assistance.

Experience has shown that the key to any successful venture is
communication. Keeping management informed of the current state of
security is critical. This can be accomplished through recurring, or at
least periodic, reports to the executive level. These reports need to be
timely, informative, focused on the risks to the business and easy to
understand; if a report is too technical or too long, its effectiveness
is diminished. Management support is essential, so whenever the security
program is called into question, a professional and competent
communication from the security team is what produces the desired
results.

There will be times when outside assistance with an information security
assessment is required. Outside firms have the opportunity to observe
both good and bad security programs, and can bring a level of insight
that the resident security group might not have the opportunity to
develop. They also have a wider range of business models against which
to compare your enterprise.

Look for a firm that uses cyber security professionals to do the
assessment, as opposed to financial or compliance auditors who are
simply filling out questionnaires. ISACA is well known in the audit
profession (its CISA certification is common among IT auditors), but
assessors coming from that background often have no real depth of
knowledge regarding cyber security, or regarding your particular systems
and issues. When a problem is discovered, you want someone you can talk
to about real options and solutions.