Changing the Monolith, Part 3: What’s Your Process?
In my 25-year journey, I have led security and privacy programs for corporations and provided professional advisory services for organizations of all types. Often, I encounter teams frantically running around in their own silos, trying to connect the dots yet unsure whether those are the right dots. Connecting the dots becomes exponentially more difficult in an environment where everyone is trying to achieve a different goal.
Here are a few tips to create teams unified around a common mission:
1. Define the Mission and implement it like any other business plan.
First, you must know what you are trying to achieve. Are you protecting trade secrets? Limiting reputation damage? Reducing the chance of unauthorized access to sensitive data? Complying with all local, regional, and national data protection laws? Trying to keep employees safe? Keeping patients, passengers, customers, and business partners safe? Is the answer “All of the above”? If so, rank those goals by the magnitude of the risk each one addresses, because you cannot fund or staff them all equally.
Focus on what success looks like, identify quick wins, and get the opinions of executive leadership. What do they view as success? Don’t settle for unrealistic answers such as, “We want 100% security.” Explain what is realistic and offer your approach as a business plan.
2. Define Success. Be able to articulate what it is and how it can be measured.
When you start any endeavor, how do you determine when it is finished? While information security has a lifecycle that never ends, certain foundations must be established to foster a culture of security and privacy. Success could look like reducing risk to trade secrets, reducing the impact of third-party risk, or protecting an organization’s reputation.
However success is defined for your mission, success needs to be measurable. If you can’t summarize success during an elevator pitch, a monthly CEO report, or a board presentation, you haven’t defined it appropriately.
3. Leverage a methodology and make it part of the game plan.
Think of the methodology as a game plan. There are never enough people, never enough time, and only a finite amount of money, so attempting to do everything at once is a fool’s errand. Once you know what you’re trying to achieve, you can create a plan of attack. The plan should follow a proven set of steps that move you in the right direction, so that each step can be justified against the mission rather than against the latest headline.
A popular methodology right now is ‘Zero Trust’. It has been waiting in the wings for its big debut for over a decade. Zero Trust has made it to the spotlight largely because the conventional network perimeter is no longer a meaningful boundary: users, devices, and workloads now sit outside it, so being “inside the network” can no longer be treated as proof of trust. Choosing a methodology is only the start, though. Once you have chosen one, what is your approach to actually achieving security, compliance, and privacy with it?
4. Market the Plan
One of the main hurdles I constantly witness is that the larger the organization, the more isolated the business units become, especially in IT. In many cases, cybersecurity leadership does not communicate regularly with the other factions of IT: application development, end-user support, database teams, infrastructure, and cloud teams, to name a few. And almost always outside its purview sit HR, Legal, Finance, Procurement, Corporate Communications, and Physical Security.
In a previous role, I found success by borrowing employees from some of these other departments. This not only helped build political capital for the cybersecurity team, it also landed the security awareness message with the broader population and connected the team with the aforementioned units within IT and with business leadership. To do the same, start by building a plan and defining your message. Repeat the message often enough that it is recognized and people are energized to help drive the mission forward.
5. Teamwork in the form of Governance
Once ‘inter-IT’ and business relationships are established, governance can commence, which ultimately means creating process and policy. Involve as many stakeholders as possible and document everything you can. Make everyone aware of their role in the mission and hold them accountable for it.
Take, for example, a Mobile Device Policy. Whose input should be solicited? At a minimum, you should involve HR, Legal, Finance, the CIO, and the user community. What do they want and need? When everyone agrees and all requirements have been negotiated, it’s amazing how quickly a policy is ratified and becomes official.
Cybersecurity, Privacy, Compliance, and Risk Management should be managed like any other business, and every business values process. Without process, product doesn’t get manufactured or shipped, patients don’t heal, and the supply chain grinds to a halt. Without process, there can be no consensus on how to protect the organization.