"...be truly honest with yourself. Are all of your people the right ones for their jobs? The reality is that some are probably hurting your cause more than helping. Your greatest performers must get it, want it, and have the capacity to do it..."
Gino Wickman, Traction
BOTTOM LINE UP FRONT
The Cyber Security business is first and foremost a People Business [it is only about the People and the Business, period]. If this surprises you, you should honestly think about stepping aside and hiring a different type of person as your CISO, one who holds these beliefs as non-negotiable core values, as nothing else will do.
A CISO who hides (overtly or inadvertently) behind techno-babble is not a value add to the business. A CISO who can analyze risk, and allocate resources accordingly in lock step with the Strategic Goals of your business, is both a value add and a force multiplier.
Be truly and harshly honest with yourself, is this the type of person who is your current CISO? If not, you owe it to your business, your BoD, your shareholders, and your employees to be both the sheep dog and the wolf to drive tactical decisions in support of your long-term strategy.
Get yourself a CISO who almost never says the word Security, who always discusses Strategic Business Goals in the context of Cyber Security goals, principles, strategies and operational processes.
Each Leader in your organization is given personnel and capital resources to support Strategic Business Goals.If they are not delivering and they have not asked for resources to deliver in a satisfactory results, they are not a good fit to role of a CISO. Act accordingly.
THE PEOPLE COMPONENT
Let me say it early so the outrage can get out of the way...
There is no Cyber Security Talent shortage.
There are only weak managers (certainly not leaders) who use weak excuses for why:
- Their Cyber Security Roadmap is not delivering business results
- Their Risk Management Program is not delivering business results
- Their investment in Tools is not delivering business results
The list goes on...
To solve your Cyber Security Talent Shortage problems, look no further than your current IT Department.
Let me say it early so we can get the outrage out of the way...
IT services are a commodity now, we've had them for half of a century.
Your CIO knows this so let's just face up to it. If you want great Cyber Security Talent:
- Look no further than your current IT Department(s)
- Actively encourage and incentivize your IT Department personnel to transfer into your Cyber Security Deportment(s)
- Your investment in training will be a trivial cost when compared to the value to the Business.
- It's a fact that IT skills are easy to replace. They are a commodity.
Your IT Department people already work for you, they are a known commodity, they know your business, they know your processes, they know your networks, they know your Strategic Business Goals (hopefully), so they are resources that need to be actively managed for the good of Strategic Business Goals. Period.
KEY TAKE AWAY: Aggressively source Cyber Security talent from your existing IT Department staff members.
ANECDOTE: ...I used to have the Service Desk Manager send me reports on which IT staff were the most productive in closing tickets... this was a key indicator over time of their troubleshooting ability... these folks were very successful Cyber Security Practitioners at the end of training...
THE PROCESS COMPONENT
Let me say it early so we can get the outrage out of the way...
Documentation in both the IT and Cyber Security organizations isn't important, it's critical. How this documentation is maintained and continuously validated is also important.
If your CIO and CISO have to be told this, they are not the right team members to support your business. Period.
As a Business Leader, what do you get for your investment in documentation (Process and Procedure Documentation particular)?
- Repeatable Business Outcomes: Business Service disruptions and those "...oops..." moments become a thing of the past (mostly).
- Better
Audit Results: Auditors will ask an employee to generate an audit
artifact or tell them (the auditor) how they do a process. The
employee's first action must be to go to the Process Library on line and
open the germane process (or procedure) document and follow it to the
letter. If your employees are
following written process or procedure as required by Policy, auditors will likely be satisfied.
- Better Employees: Your documentation becomes your new employee training program. No more new employee frustration at shoddy on-boarding. Map Process and Procedure documentation to their position in the org chart. When on-boarding, have them read, then practice, then be observed by their supervisor following the documentation. Give them ownership of the documentation that is critical to their job and make them responsible for maintaining and updating it. This will drive a "...no negative business outcomes..." mindset that can only benefit the business and gain alignment with Strategic Business Goals. What's not to like?
- Continuous Improvement: By assigning a Manager as the Process Owner and a team member as the Process Manager and making this a key component of the annual review process, your employee KPI's are both measurable and in lock step with Strategic Business Goals.
THE TECHNOLOGY COMPONENT
In both the IT and Cyber Security Department(s) "...tools..." are a significant capital expense. Not only that, each tool carries with it, annual maintenance contract equal to, on average 20% of the purchase price. Over the next five years you will pay 200% of the acquisition cost just to have that tool.
Ask your CIO and/or CISO:
- To
establish and demonstrate a tool evaluation matrix that addresses tool costs,
benefits, features, and ROI, including mappings to:
- Strategic Business Goals
- Business processes
- Skill sets
- Audit controls and artifacts
- Automation capabilities
- That the tool is not duplicating the capabilities of other tools.
- That the capabilities of the current tools have not been "...overcome by events..." such that, a newer tool would not provide significantly greater capabilities at a better cost point.
- That the capabilities of the tools have been mapped to business, audit and/or compliance requirements.
- That the required Audit Artifacts that are mapped to each tool have been to the greatest extent possible (and practical) automated such that labor dollars have been returned to the Departments.
- If this is not automated, ask for proof that it cannot be automated.
When you ask, "...show me where each tool that the Business is currently paying for is mapped to Critical Business Process support and/or Compliance requirements or Risk Mitigation...". Be on the look out for blank stares from your CIO and/or CISO... if you see them, your next stop should be to chat with the VP of HR...
Don't accept vague answers, it is natural for people to become complacent over time, if you hear the lament "...that's the way we've always done it...", this should be your key indicator that the tool has become a sacred cow and is ripe for justification, or replacement.
KEY TAKE AWAY: The tools in the IT and Cyber Security Department(s) are owned by the business. Period. There must be an agreed upon master plan for all tools, regardless of who manages them that clearly shows how each supports the Strategic Business Goals of the Business. This is a non-negotiable condition of further employment.
ANECDOTE: If your tools investments are not currently mapped to Strategic Business Goals, Compliance and Risk targets, find Leaders and Managers who understand this key requirement to replace the ones that you currently have. They are not aligned with your Strategic Business Goals.
Resources, where can you get help?
Gino Wickman, and his world changing book, "Traction"
No comments:
Post a Comment