Don't just take my word for it
Continuing the "Things I've done wrong" series
The next error I made was expecting people to understand why something is either a good idea or necessary. An extreme example follows:
Imagine a discussion where you have to explain in finite detail "why" a company should implement a firewall solution at all. I don't mean a certain type of firewall, I mean any firewall.
Things aren't quite that bad here (we have a firewall solution!) but almost. I have not done the donkey work and educated the target audience as to why InfoSec is a good idea. I've done the easy stuff: published reports, emailed links to InfoSec in the news, etc., but this has not delivered the message in a way the audience can understand. Therefore, in effect, it's been wasted effort.
What I should have done is delivered the information in the way the target audience will appreciate. The FD will want to know different information to the IS Director. The CEO will want different information from the Marketing Director. Yet all these people and more need to be convinced of the need before signoff will be gained and priority assigned.
It isn’t enough to know yourself that WEP-only encryption on wireless access points is a bad idea. You need to sell the “why” it’s a bad idea in a way that the target audience will understand, and that means a different approach for different people.
Once they gain the understanding, you get buy-in. Once you get the buy-in, you get the signoff. Once you get the signoff, you get the job scheduled. Once you get the job scheduled, you get the job done.
If only it were that easy…


