"...life's little dilemma - understanding too late that it is far better to experience a short period of rejection, than a lifetime of regret...".
What we will discuss in this section:
- Before you can have a workable roadmap, you must know where you are
- How to accurately define the current state
- Where do you want to be, really....the "desired end state"
- How will you measure success...are you being honest?
- How will you call the ball between IT and Cyber Security (yes, they will disagree)
- What is your business's appetite for change?
- Call to Action - Your CEO action plan
Setting the stage
It's an inconvenient truth that business leaders are demanding, it's in their nature and that's a good thing. The problems start when business leaders think that things that motivate the Sales Department should be able to motivate the Cyber Security Department.
Every good Leader needs a roadmap that is understandable by mere mortals, nothing beats a great strategy and a roadmap is a strategic document. Problems begin when you either inherit someone else's dream (a.k.a., roadmap), you are unsure about what actually constitutes a useful roadmap or you make the assumption that the business is in alignment with your roadmap.
Before you can have a workable roadmap, you must know where you are
So, let's discuss what constitutes a useful and strategic Cyber Security Roadmap...
Everything we do in the business world revolves around "...the business state model...". There are three "states" in the business state model: (1.) everything that has happened in the past; (2.) everything that is happening now; and (3.) everything that will happen in the future. Your roadmap must take these three states into account.
How to accurately define the current state
The Roadmap and "everything that has happened in the past": This is where we are "now". Things that happened in the past (we're going to use the People, Process and Technology approach) allow us to understand the "services" [Think ITIL service catalog] that the Cyber Security Teams are delivering now to the business.
This is a good start, however, a better start would be to discuss with your business stakeholders / customers what "services" they REQUIRE from the Cyber Security organization to deliver capabilities, products and services back to the business and it's customers.
This is the backbone of gaining agreement on "how success is measured" by your business stakeholders and will enhance your understanding of the current state.
Your business stakeholders should be able to tell you what they need from you. It will probably be messy (chances are no one from Cyber Security has ever asked them before). You should be able to take the business stakeholders "desirements" and turn them / map them to the capabilities of your technology tools - People, Process and Technology - these are your tools. A thorough analysis of this will drive a capabilities/services gap analysis.
Where do you want to be, really....the "desired end state"
Once you have discussed business "desirements" with your stakeholders you have an outline of the "business requirements", now, you as the knowledgeable professional need to identify the hidden dependency relationships between the "desirements" and the capabilities of your tools (People, Process and Technologies [PP&T]) and identify what gaps exist that will inhibit service delivery in the near and long term.
This "gap analysis" when completed should be discussed, frankly with the CEO and CFO (chances are that you will need additional PP&T). Each "gap" should be aligned with a business driven service delivery requirement and the name of a business stakeholder that reports to the CEO who requires that cyber security service to deliver critical capabilities to support strategic business goals. Expect the CEO and CFO to say, "...show me...".
The "desired end state" is that state where three things must happen:
- Cyber Security and IT service delivery are completely aligned with the business, with zero negative business outcomes in the delivery model.
- Cyber Security and IT service delivery capacity planning is proactively discussed with your business stakeholders to the point that service delivery is ready BEFORE business growth milestones need that capacity. Think of this as "just in time" service delivery.
- A note of caution - If your tools (People, Process and Technology) are too lean, your ability to increase service delivery at the optimal tempo to support business success will inevitably compromise business product delivery to meet expanding business opportunity. Your PP&T should be at a 75% utilization rate during times of expected business expansion AND you should have a plan to reduce costs [PP&T] during times of business contraction.
If you cannot deliver business critical Cyber Security Services in this manner, you will, in essence, become a net inhibitor of business success. Needless to say, this is not good.
How will you measure success...are you being honest?
Here is the uncomfortable reality. Your success or failure will be measured (as it should be) by your business stakeholders.
For this reason, it is essential that before you begin work on delivering what is in your "roadmap" that you and your business stakeholders completely agree on how success is measured.
I use the term "completely agree" because we humans are social creatures, we will say one thing in public and another in private - make sure that you are meeting early and often with each stake holder one on one and listen carefully to what they are telling you that they require and do not be shocked if the term "require" comes out as "want" in the Board Room.
Successfully Managing Change
This is where your "steering committee" will come into play (a critical component of your successful roadmap). The goal of the steering committee is to canalize public and private expectations among your stakeholders in a public forum. To drive agreement on "how success is measured", to agree on the roadmap, to approve funding, to discuss, understand and mitigate risks, to own the human impacts of change within you organization that successful delivery of the roadmap will inevitably cause, and to support strategic investment when IT and Cyber Security disagree on service delivery.
Last but not least is your empathy.
As a Cyber Security Leader, you must begin, now, to mentally align yourself with understanding and internalizing the fact that your business stakeholders will define the corporate appetite for risk and that this will, on occasion, run counter to what you think is best for the business.
This is inevitable, get used to it. Remember, it's not personal, it's just business.
CALL TO ACTION:
- What "services" are business critical for your Cyber Security Organization to deliver to your business stakeholders?
- Are your Cyber Security "tools" [ People, Process + Technology] available in adequate quantity to deliver in the short term as well as "surge" to deliver in support of planned business growth?
- Are you confident that your Cyber Security & IT Leaders understand what is "business critical" and that they are managing People, Process and Technologies in ways that completely support that criticality?
- Are your Cyber Security and IT tools aligned with your risk, compliance and audit requirements? Are "artifacts" generated without labor dollars to the greatest extent possible?
- Is your Executive Team in alignment as to their role in Corporate Change Management? You might want to look for a local PROSCI change management consultant to minimize and mitigate the human impacts of change.
Global Leaders in Change Management Success
Copyright © 2020 by"the Secret CISO"
All Rights Reserved.
Our biggest adversary will, unfortunately be ourselves: our preconceived notions, our sacred cows, human weakness, our misunderstood biases.
Robert Greene, wrote a fascinating book, "The Rules of Human Nature".
If you are a serious Cyber Security Practitioner on the way to the "C Suite" you owe it to yourself to read and heed the advise in this seminal work.
Excellent Executive Summary