"...be truly honest with yourself. Are all of your people the right
ones for their jobs? The reality is that some are probably hurting
your cause more than helping. Your greatest performers must get it, want it, and have the capacity to do it..."
Gino Wickman, Traction
BOTTOM LINE UP FRONT
The Cyber Security business is first and foremost a People Business: it is only
about the People and the Business, period. If this surprises you, you
should honestly consider stepping aside and hiring a different type
of person as your CISO, one who holds these beliefs as non-negotiable
core values; nothing else will do.
A CISO who hides (overtly or inadvertently) behind techno-babble is
not a value add to the business. A CISO who can analyze risk and allocate
resources accordingly, in lock step with the Strategic Business Goals of your
business, is both a value add and a force multiplier.
Be truly and harshly honest with yourself: is your current CISO this type of
person? If not, you owe it to your business,
your BoD, your shareholders, and your employees to be both
the sheep dog and the wolf, and to drive tactical decisions in support of your long-term strategy.
Get yourself a CISO who almost never says the word Security, who
always discusses Cyber Security goals, principles, strategies and operational processes in the context of Strategic Business Goals.
Each Leader in your organization is given personnel and capital
resources to support Strategic Business Goals. If they are not
delivering satisfactory results, and they have not asked for the resources needed to
deliver them, they are not a good fit for the role of CISO. Act
accordingly.
THE PEOPLE COMPONENT
Let me say it early so the outrage can get out of the way...
There is no Cyber Security Talent shortage.
There are only weak managers (certainly not leaders) who use weak excuses for why:
- Their Cyber Security Roadmap is not delivering business results
- Their Risk Management Program is not delivering business results
- Their investment in Tools is not delivering business results
The list goes on...
To solve your Cyber Security Talent Shortage problems, look no further than your current IT Department.
Let me say it early so we can get the outrage out of the way...
IT services are a commodity now; we have had them for half a century.
Your CIO knows this, so let's just face up to it. If you want great Cyber Security Talent:
- Look no further than your current IT Department(s)
- Actively encourage and incentivize your IT Department personnel to transfer into your Cyber Security Department(s)
- Your investment in training will be a trivial cost when compared to the value to the Business.
- It's a fact that IT skills are easy to replace. They are a commodity.
Your IT Department people already work for you. They are a known
commodity: they know your business, they know your processes, they know
your networks, and they know your Strategic Business Goals (hopefully). They
are resources that need to be actively managed for the good of your
Strategic Business Goals. Period.
KEY TAKE AWAY: Aggressively source Cyber Security talent from your existing IT Department staff members.
ANECDOTE: ...I used to have the Service Desk
Manager send me reports on which IT staff were the most productive in
closing tickets... this was a key indicator over time of their
troubleshooting ability... these folks were very successful Cyber Security Practitioners at the end of training...
THE PROCESS COMPONENT
Let me say it early so we can get the outrage out of the way...
Documentation in both the IT and Cyber Security organizations isn't merely important, it's critical. How this documentation is maintained and continuously validated matters just as much.
If your CIO and CISO have to be told this, they are not the right team members to support your business. Period.
As a Business Leader, what do you get for your investment in documentation (Process and Procedure Documentation in particular)?
- Repeatable Business Outcomes: Business Service disruptions and those "...oops..." moments become a thing of the past (mostly).
- Better Audit Results: Auditors will ask an employee to generate an audit
artifact, or to tell them (the auditor) how they perform a process. The
employee's first action must be to go to the online Process Library,
open the relevant process (or procedure) document, and follow it to the
letter. If your employees are following written process or procedure as
required by Policy, auditors will likely be satisfied.
- Better Employees: Your documentation becomes your new employee training
program. No more new employee frustration at shoddy on-boarding. Map
Process and Procedure documentation to each position in the org chart.
When on-boarding, have new hires read the documentation, then practice it, then be observed by
their supervisor following it. Give them ownership of
the documentation that is critical to their job and make them responsible for maintaining and updating it. This drives a "...no
negative business outcomes..." mindset that can only benefit the
business and strengthens alignment with Strategic Business Goals. What's not
to like?
- Continuous Improvement: By assigning a Manager as the
Process Owner and a team member as the Process Manager, and making this a
key component of the annual review process, your employee KPIs become
both measurable and in lock step with Strategic Business Goals.
KEY TAKE AWAY: Well-designed and well-documented processes and
procedures are the key to meeting Strategic Business Goals, including retaining
skilled and knowledgeable employees.
THE TECHNOLOGY COMPONENT
In both the IT and Cyber Security Department(s), "...tools..." are a
significant capital expense. Not only that, each tool carries with it an
annual maintenance contract equal to, on average, 20% of the purchase
price. Over five years that is another 100% of the purchase price in maintenance,
so you will have paid 200% of the acquisition cost just to have that tool.
Ask your CIO and/or CISO:
- To establish and demonstrate a tool evaluation matrix that addresses tool costs,
benefits, features, and ROI, including mappings to:
  - Strategic Business Goals
  - Business processes
  - Skill sets
  - Audit controls and artifacts
  - Automation capabilities
- That the tool is not duplicating the capabilities of other tools.
- That the capabilities of the current tools have not been "...overcome by
events..." such that a newer tool would provide significantly
greater capabilities at a better cost point.
- That the capabilities of the tools have been mapped to business, audit and/or compliance requirements.
- That the generation of the Audit Artifacts mapped to each tool has been, to the greatest
extent possible (and practical), automated, so that labor dollars have
been returned to the Departments.
- If this is not automated, ask for proof that it cannot be automated.
When you ask, "...show me where each tool that the Business is currently
paying for is mapped to Critical Business Process support and/or
Compliance requirements or Risk Mitigation...", be on the lookout for
blank stares from your CIO and/or CISO. If you see them, your next
stop should be a chat with the VP of HR...
Don't accept vague answers. It is natural for people to become
complacent over time; if you hear the lament "...that's the way we've
always done it...", that is your key indicator that the tool has
become a sacred cow and is ripe for re-justification or replacement.
KEY TAKE AWAY: The tools in the IT and Cyber
Security Department(s) are owned by the business. Period. There must be
an agreed-upon master plan for all tools, regardless of who manages them,
that clearly shows how each supports the Strategic Business Goals of
the Business. This is a non-negotiable condition of further employment.
ANECDOTE: If your tools investments are not
currently mapped to Strategic Business Goals, Compliance and Risk
targets, find Leaders and Managers who understand this key requirement
to replace the ones that you currently have. They are not aligned with
your Strategic Business Goals.
Resources: where can you get help?
Gino Wickman and his world-changing book, "Traction"
Traits of Great Leaders