The only thing worse than being blind is having sight but no vision – Helen Keller
According to a newly released report, 54% of security professionals said they were under more pressure in 2014 than the previous year. 61% said the pressure came from the board, corporate owners, or C-level executives – up by 50 percent!
Yes, the pay and job security may be good for Information Security (InfoSec) professionals these days – thanks to Target, Home Depot, Sony, and now Anthem. But that kind of constant pressure, year after year, can make these professionals quickly lose the vision that took time, sweat, and tears to implement – the vision that became their path to success.
The CISO needs to remember that they are not just their organization’s security leader; they are their staff’s leader as well. And leadership means communication and engagement. Being visible is the best way to make sure your vision is understood and maintained.
So how can you provide that 20/20 vision once again to your Information Security professionals? And, if you’re lucky enough, how can you maintain that 20/20 vision? The following are some tips (and I am sure you can add more, especially those unique to your organization and industry):
- Town-Hall Meetings
Hold these at least once a month with a published agenda – accomplishments, pain points, projects (in flight and upcoming), etc. Book the big conference rooms, use WebEx and video – use the technology to make it warm and cozy despite geographical challenges.
Be sensitive to different time zones. Be seen and be heard frequently, but make sure the agenda allows for full participation from all. This is one platform you can use to start bringing back that vision. Bring up all the exciting new technologies, the breaches, the Internet of Things, the Apple Watch, etc.
Get to know your employees. There is so much to learn from different perspectives and different experiences. Opinions matter – make your people feel that way. Make notes and get back to them whenever applicable. Find out where they are in the dark and what would help them see clearly. Don’t forget to engage them in their areas of passion and expertise.
- Partner with Audit, Compliance, Legal, Privacy
One of the biggest complaints of InfoSec professionals is that there is not a tight enough partnership with folks from Compliance, Audit, Legal, Privacy, and the business.
There is a lot of overlap, and things that overlap often get missed – each side thinking the other is responsible and accountable. In some organizations, the partnership with these groups is minimal to almost non-existent. It all starts at the top. Provide the leadership that will regain everyone’s confidence and vision to help cross this bridge.
- Partner with your critical vendors
From banks, healthcare, and retail – small, medium-sized, and large global companies – no one seems to be spared these days when it comes to getting breached. Talk to your vendor security risk assessment team, those participating in the onboarding and continuous monitoring of all third parties. Find out their pain points – whether it is timely document and evidence collection, onsite assessments, or NDA issues with fourth parties – there are ways you can work with these critical vendors to ease the pain for your information security team and restore its vision.
- Metrics and Surveys
To regain or keep the vision, you may want to review and enhance your metrics from time to time to find the gaps, the blind spots, the dark areas that cause so much concern for your team and that you otherwise never come to know about.
Send surveys to your InfoSec organization. This is of great value! Let them be anonymous. You can really gain tremendous insight into your organization and into how well your vision has become their vision.
- User Awareness
You’ve got policies, processes, and procedures. Syndicate, syndicate, syndicate with all. Road shows must be on the calendar each and every year – and must be ongoing as well, whenever and wherever applicable.
One of the biggest hurdles InfoSec pros face is dealing with users across the enterprise. Use Lunch ‘N’ Learns, Town-Halls, and the like to get manageably sized teams together for proper interaction and Q&A.
- Information Sharing
This is of tremendous value as well. Find a place – on the Intranet, SharePoint, or a similar spot – for your InfoSec team to share documents: policies, processes, procedures, best practices, white papers, useful URLs, etc. Blogs are a big plus too. Folks must be able to ask the team a question and receive responses. It makes for a very useful platform for information sharing.
- Roles and Responsibilities
Knowing everyone’s roles and responsibilities is always a challenge until they are documented and syndicated with all. It is those grey areas that create issues, unnecessary delays in projects, and a lot of finger pointing.
It is important for teams to develop RACI charts/matrices to properly document roles and responsibilities within the team and at all interfaces with other teams in the company. Providing this vision is a must for a well-tuned and functioning team.
- Celebrate
Make a point to announce and celebrate birthdays, anniversaries, promotions, significant achievements, etc. Okay, not each and every birthday and anniversary – but find an excuse once a month to do so for everyone with an occasion in that particular month.
A cake, donuts, bagels – or, if your organization is so big that this is impractical, you can always do so via email, Intranet/SharePoint, Town-Hall, or whatever mechanism the size of your organization allows. Bottom line: on a regular basis, there needs to be a cause for celebration!
It is obvious that we can no more explain a passion to a person who has never experienced it than we can explain light to the blind. – T.S. Eliot