If there’s one thing that seems to be multiplying like rabbits in the modern organization, it’s the number of people who think they’re critical to making a decision. C’mon…I know you’ve seen this too.
You have a meeting, and 10 unexpected – and uninvited – people show up, or the CC line of an email thread keeps getting bigger and bigger the longer it takes to think about some particular issue. And it’s even better when you’re suddenly involved 3 weeks into a 40-page email thread and THE BOSS gives you the one-liner:
What’s your take?
I guess we should be “happy” to know that we’re not just imagining things. A couple of McKinsey & Co. articles over the last few years have pointed out that we’ve become more connected and more used to having answers at the tips of our fingers thanks to things like Google, the global guru of all things, among other stuff.
And that means that it’s easier than ever to beat around the bush and “get the pulse” of all and sundry before anyone is willing to actually commit to making even the simplest of organizational decisions.
…and then…there’s security.
Security. You know…that thing that everybody says they want, but nobody understands. That team of interlopers that screw up and slow down the business they claim they’re trying to keep safe and snug.
“Yeah, we got us a security governance program. We know just what controls we’ve spent money on because Finance bitches at us every month for the invoices they have to pay for the service agreements we’ve signed. That’s a good enough security control inventory, isn’t it?”
Um….ok.
So, do you really know what risks those controls are supposed to stop?
“Hell, yeah. It’s all those phishing campaigns by those APT groups out to overflow our buffers and infiltrate our networks.”
Right. There is that.
And who owns the risks that those controls are trying to stop?
“Uh…. (gulp). Hey, did you know there was this really fantastic new Star Wars show on Disney+ now? It’s pretty cool, man.”
Of course, the interviewee isn’t you. You’ve got your shit together, and you understand that one of the biggest issues we have is trying to figure out who really has the say about what level of cyber and information security risk the organization is comfortable taking. You know that without clear visibility on who can make the tough decisions, and on what the criteria for escalating them might be, we’re pretty much forced into a control-based, or…
…worse yet: a vendor-based…
…approach to trying to keep our organizations safe.
For us to be able to do our job, we need to be able to understand who owns what decisions—and be able to get the same answer from more than one person in the organization over a period of time.
But it really doesn’t happen nearly as often as it should.
We need to have a system for identifying the bloated mess, crossed signals and confused ownership of security decisions.
Because, I’m sorry…not everyone’s opinion is actually required to decide what the right path forward is for the organization. We need to pass out the bunny condoms or something so we can stop further bloating and bureaucracy around security decisions, save some money and actually have a clue as to what’s going on—
Not to mention actually get more things done.
If you’d like to get some insights as to the nature of the problem and how to take some practical steps towards more effective security governance as you go about doing your day-to-day job…
…then you MIGHT be interested in some of what’s in the upcoming December issue of the print Security Sanity™ newsletter. Some of the stuff will be from my last COSAC presentation, but the more I dug into the problem from a slightly different angle, the more I found that wasn’t on the screen or in the room at Killashee this year.
If you want to make sure you’re on the list to get your copy when it hits the post, it’d be a good idea to just make a quick stop at this link on your way between the office and your Friday beverages—just in case:
But here’s the thing—and I do say this on a pretty regular basis. The point of the newsletter is to make you think. Sure, it’ll give you some concrete answers and guidance you can take and put into practice as soon as you read it, but hopefully…it’ll really make you think a bit differently about what you do so you can do a better job of delivering the mission and purpose of security: to enable the organization to achieve its own mission as quickly and safely as possible.
That won’t work though if you don’t actually do anything with the information inside each of the issues. You have to be willing to try new things…to challenge the status quo…to, well…to be a better you—at least, professionally speaking.
If that’s you, then you might want to make sure you visit that link before the end of the month. If not, well…
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive