In this episode… the triumphant return!
Previously on LSD…
There are many copies…
Sigh.
So it’s been a while since I’ve posted. Something that El Jefe Lewis (over there with the smirk) takes up with me every.damn.time.we.talk.
So I’m working to remedy that.
This week, in reasons that you shouldn’t walk away from the steaming heap of nonsense that is your day job, I’d like to relate a little story. It’s a story with good guys, bad guys, challenges, and solutions. Also, it does not have Ewoks.
Click for more…
Glad you could make it to infosec story time here at Liquidmatrix Security Digest. Today’s story is going to be about executive involvement.
I’ve been plugging away at my current rock face for almost two years. I’ve solved what can be solved in the IT department. I’ve tried (and failed) to get upper management to grasp what I’m up to as an intrinsic part of the organization. I’m running out of interesting things to do.
Because I report up through the IT organization, and because the entire company thinks that “Information” is synonymous with “Information Technology”, and because some of those that have gone before me were all about the blinky lights, I failed miserably in getting the other “C”s to listen to me when I was trying to describe to them how the organization can really elevate itself and dramatically reduce risk.
I was in a meeting this morning, listening to status reports, and one of the staffers hinted that an executive had finally found something that clicked… he got it.
I spent a few minutes picking my jaw up, and kept listening…
As it turns out, the executive was being forced to listen to his staff talk about operational processes, and they were completely ignoring compliance, risk, audit, privacy and security stuff – basically the CRAPS I deal with constantly. He pointed this out to them, and in doing so, came to the personal, visceral realization that CRAPS is orthogonal to process. That all processes have a little bit of CRAPS in them.
Ha.
I got one.
Since then, I’ve had a talk with the exec and he’s totally comprehending the program now. And best for me, he’s seen that I’ve been trying to get it through to him for a long time. Working together we’ve summed up the message this way:
By considering the CRAPS in every Operational Process, you design the Process to make the Right thing the Easy thing.
Go ahead, write that one down. Total t-shirt material. I’ll wait.
Well, actually, I can’t.
I’m going to keep smashing myself against the rock face and see how many more converts I can get. Sometimes it just takes persistence. Yaknow?
Feel free to comment – I’d rather hear from you guys that I suck than from El Jefe Lewis up there.
Oh, and I wouldn’t mind a bit of a straw poll on whether or not you ever want to hear another podcast.
[tags]dqydj, information security management, management techniques[/tags]