Friday, July 27, 2012

Information Security screw-up #2 - it's about selling not telling!



Not many Information Security Managers or CISOs have the luxury of walking around with a strong mandate from their CEO or company board for implementing and enforcing information security processes within their organization, especially if the company's bread and butter is not finance or intellectual property. In such a company it is unlikely that people will automatically support what an information security guy tries to do or enforce. People tend to see information security as more of a barrier than an enabler.
 
Now, let the story begin....

This story is about the same "young" Information Security lad, who has now joined a new company as its regional information security manager. Sadly, he still has the mentality that, as an information security person, everyone will do whatever he says when it comes to information security matters.

Mr. Global CISO: <speaking in a team meeting> Ladies and gentlemen, thank you for your contribution. After 6 months of hard work, I'm glad to announce that the Corporate Information Security Policy we developed has been approved by Management. Now it is your task to ensure that this policy is enforced within your area. Please do not hesitate to come to me if you have any difficulties or are getting push back.

Young Information Security lad: Don't worry sir, I will ensure that this is enforced in my region. I don't foresee any issues.....

Right after the meeting, the "young" information security lad opens his laptop and starts drafting an email:

----------------------
To all Managers,

My name is Jason Doe. I'm the Regional Information Security Manager for Europe.

Attached here is the Corporate Information Security Policy which has been approved by Management. Please ensure that all controls and requirements stated within are enforced and implemented within your area of responsibility. 

Two months from now, we will conduct an assessment to review the status of implementation. The result will be communicated to Management.

Regards,

Jason.
----------------------


2 months after that..... surveys were carried out and guess what? Almost zero implementation for the Europe region. Only a small fraction of employees were even aware of the policy.


Mr. Global CISO: Now tell me, why is the survey result for your region so bad? It seems like you just sat there and did nothing!

Young Information Security lad: No no! I did everything. I sent all the managers an email right after our team meeting. I even sent them a reminder every week!

Mr. Global CISO: Did you pick up the phone and talk to the managers? Did you explain to them what this is all about? Did you explain to them why we need to do this and why it is important? Did you help them get it started?

Young Information Security lad: Hmm.... Not really, I didn't see the need for that as the instructions in my email were very clear. They should understand it.....

Mr. Global CISO: What the heck! Don't you realize that this company is not the same as the bank you worked at before? The fact that it took 6 months for Management to approve this policy already shows that we are fighting an uphill battle here. You need to SELL this to the managers. Convince them that the policy is here for their own benefit, and that the policy can help them protect their customers, protect the business, reduce the risk of failures, etc. etc... Work with them! You can't just TELL them or write emails! Pick up your damn phone or move your lazy ass, go talk to them! Work together with them! Help them conduct awareness training, etc.! Do you understand what you need to do now? Or do I need to find someone else to do the job?

Young Information Security lad: <* shocked by his boss's outburst and almost wets his pants *> Yes... sir. I know what to do... please give me another chance to make it right.

Mr. Global CISO: You had better make it right this time!

Young Information Security lad: <* another hard lesson learnt... *>


Moral of the story?
1. Implementing information security policies is about SELLING. Sell it right and you get the support you need. This is especially true in large organizations where information security is not a priority (for example, organizations whose core business is delivering goods, logistics, etc.).
2. Most of the time, managers already have a lot on their plate. Extra work is never welcome. Hence, offering help to lighten their burden often gets things going the way you want.
3. Talk to the managers individually. Skip the "stubborn" ones and deal with the more supportive ones first. Once you have the other managers' support, peer pressure will normally get the stubborn ones moving, sometimes even faster when you start providing progress reports that compare departments against each other. Basically, no manager likes to look bad in front of other managers. Play it right and things get done :)

Ain't security fun? ;)

acknowledgement: photo taken from http://www.flickr.com/photos/digallagher/4880167882/
