— By Frank Kim
Chief Information Security Officer, SANS Institute
I can’t count how many times I’ve seen managers or security leaders join a company with the explicit goal of changing the organization’s culture. You can guess how long those people lasted.
We do know that, from a security perspective, we need to influence the culture to make it more security-aware, but I argue that first we have to capture the existing culture.
“Culture eats strategy for breakfast” - Peter Drucker
If you join an organization and don’t take into account how that organization actually wants to work and what its core values are, you are going to fail from the very beginning. As we think about our security plans and strategy, we need to know how to fit them into the existing culture so they don’t get eaten for breakfast.
We need to structure our program so that it answers these three questions:
Where are we today?
Where do we want to get to in the future?
How is everybody else doing?
When you are putting together your overall security plan, divide it into five common-sense areas of security that can easily be represented:
This example describes the overall security life-cycle in a very simple way. It covers what we need to identify in order to plan our overall initiatives, how we prevent bad things from happening by protecting the organization, and, if something gets past those preventive measures, how we actually detect and respond to those events. Finally, how do we go about remediating all of the issues we discover?
That is where we, security leaders, need to figure out how to drive change in the organization.
Whenever you go in asking for money or trying to get buy-in from your stakeholders, don’t go in with just one option. I suggest you present three different options that highlight the different business trade-offs that can be made. That way your business partners can have a genuine business conversation, which engages the key stakeholders in the decision-making process. After all, CEOs don’t want you to come in and tell them exactly what to do. Building the business case should be a collaborative discussion.