Showing posts with label Getting started.

Tuesday, 8 May 2007

I lied!!

OK, the previous post said that it was the last (for now) in the “Things I’ve done wrong” series. It wasn’t; this one is.

There are other things I have learned but those are a good starter for 10. For now, I think it is safe to say that having learned the lessons I'm better equipped to start making the sort of progress I want and the company needs.

From the above experiences, I looked for a publication that could provide guidance on the "from scratch" aspect of the role. I read "A Practical Guide To Managing Information Security" by Steve Purser which was a little vague in places but had a lot of good ideas. I've also bought a copy of "The Pragmatic CSO" by Mike Rothman of Security Incite (http://securityincite.com/blog/mike-rothman/the-pragmatic-cso-is-here) and having read the first section, it seems promising. I'm not sure it's going to teach me anything I hadn't already thought of but it is definitely reinforcing some ideas I have regarding getting buy-in and cooperation from others in the company. This can only be a good thing!!

In the previous post I said that it was demoralising to think that EVERYTHING needed to be explained. I have to get over this. I need to start thinking about this as a battle between good ideas and bad ideas. Like all battles, the side that is better prepared usually wins. So, I need to improve my preparedness and deliver the relevant information in a way that helps the opposition select the best way forward.

Basically, I’ve got to stop being lazy and start doing my job.

It’s a good idea, trust me, I’m a gynaecologist

Last (currently) in the “Things I’ve done wrong” process.

To a certain extent, this is linked to expecting people to understand “why”.

In the past, I have explained the details of an Info Sec related issue and then the possible remedial actions available to the company and then assumed that the correct decision would be made. How naïve can you be?!?!?!

Unfortunately, it would appear that the “correct” decision is not reached based on sound assessment and analysis. Mostly, it is made against a “what's cheapest / quickest / most like what we do currently” process, and this is not sound decision making.

I’ve underestimated the human ability to take the easy option and this means that when faced with the “right” decision versus the “cheap / quick / less resource consuming / more like we do currently” decision, one of the latter is opted for.

You’ll notice the second “option” is in fact a list of options. Realising this has enlightened me. I always knew that there were infinitely more ways to do something wrong than to do it right. However, I hadn’t appreciated how easy it was to choose to do something wrong.

So, the remedy? Interesting question. I might expand on this in future blogs but for now, these are my thoughts. It’s necessary to do the hard work on everything, every decision that needs making has to be supported by argument. All possible decisions related to a particular issue need analysis and “pros” and “cons” debated. Then a recommendation needs to be made.

This is hard work and demoralising. I mean, as an example, imagine having to explain that WEP-only encryption is a bad idea. And I mean really explain it. Explain about the ability to set up rogue APs, then explain about the ability to intercept traffic, then explain about the ability to capture user IDs and passwords, then explain about the ability to create rogue user accounts, then explain about the ability to log in as a rogue user and download data.

Oh…. Erm…. Hang on…. I seem to remember that this may have been covered in a recent TJX related article……..

Monday, 7 May 2007

No follow up

Continuing "Things I've done wrong".

After designing and agreeing an Info Sec Management approach with the board, another element of “Getting Distracted” happened and I never went back and followed it up. I could bleat about how “it wasn’t my fault because…” or “I meant to but this or that stopped me”, but basically I should have persevered and didn’t. I allowed myself to get involved in other stuff that just wasn’t productive for the InfoSec environment. It was incredibly constructive for the company, but that doesn’t improve InfoSec or earn me a bonus.

A point learned is that the executives will say "yes" to whatever you ask them and then do nothing about it thereafter. That is, unless you keep shoving it under their noses at every opportunity.

The trick is to get the “yes” from them, then continuously hit them with actions. Keep the work visible and report regularly (but bear in mind that the format must fit the target audience).

It’s also necessary to identify what makes people tick; what are they interested in? It may not be as obvious as you think. So, some donkey work in the offing for me is to get a better understanding of what they ultimately want from the job. Only when I understand how to talk to them can I start to increase awareness.

Repetition is key, but it must be productive repetition, not just shoving inane data at them and expecting them to take it in and understand it.

Friday, 4 May 2007

Getting distracted is a killer

First part of the "things I've done wrong" theme is "Getting distracted".

This is the main reason for lack of progress. The company I work for is primarily an online entertainment provider (no, not that sort of “entertainment”!!) and focuses heavily on new initiatives and new markets. This means a lot of “drop that, do this” type meetings. Not conducive to long term planning, unfortunately.

The result has been a lot of involvement in numerous projects that I would not call “core InfoSec” related. The knock-on effect is a lack of any real focus or awareness regarding InfoSec, and this, coupled with the other issues listed in the previous post, means a lack of progress in general.

On the PCI DSS Compliance front, a similar situation has occurred with the compliance project being postponed several times due to resource reassignment to other business related projects. For that read "revenue generating". Despite all the protestations and declarations that PCI DSS Compliance was "revenue protecting", it doesn't wash.

So, I have learned that it is vital to remain focussed. Draw up the plan and stick to it. Not blindly; you have to adapt the plan. But the plan is the plan, the end result is key, and that must be your focus. The other thing I changed is to make smaller targets. Forget designing and delivering a full InfoSec Awareness Training Programme, because it will be too big and cumbersome. Go the “baby steps” route. Get out and about and get known; make sure people understand what you are and what you are trying to do.

Maybe, just maybe, with that sort of approach, trouble will come looking for you instead of you having to go search it out.

Thursday, 3 May 2007

Things I've done wrong

Right then, first real post. I thought I'd start off by listing out the things I'd done wrong since persuading the company to generate the position of Information Security Manager and give me the job. That all happened about 6 months ago and, to be honest, I don't feel like I've made a lot of progress since. So, first is a list of titles in no particular order; I'll comment against each over the next few days.

  1. Getting distracted
  2. Expecting people to just understand "why"
  3. No agreed job description
  4. No follow up
  5. Trusting people to do "the right thing"

There are other things I have learned but these are a good starter for 10. For now, I think it is safe to say that having learned the lessons, I'm better equipped to start making the sort of progress I want.

So, the next post will be about the dangers of "Getting distracted" and why that must be avoided at all costs.