I've been assessed!!!!

The Company has organised some management training courses and the first entitled “Personal Leadership Style” was today. Why is this InfoSec relevant? Well, I’ll tell you later.

The day was good, in my opinion. I don’t think I learnt anything new about myself (which was sort of the point) but learnt a lot about “leadership styles”. There were a number of practical exercises and assessment based on the “Myers-Briggs Type Indicator” methodology.

For those that are familiar, I am a ISTJ (Introvert-Sensing-Thinking-Judging) type. The verbal description for type is as follows:-

Serious, quiet, earn success by concentration and thoroughness. Practical, orderly, matter-of-fact, logical, realistic and dependable. See to it that everything is well organised. Take responsibility. Make up their own minds about what should be accomplished and work towards it steadily, regardless of protests or distractions.

This is spot on, I have to say, I describes me to a T.

Now, why is this related to InfoSec? Well, it’s the old “communication” chestnut. In order to communicate with your audience for awareness issues, getting people on side, selling the concept of InfoSec etc. then if you can understand you audience better, you’ll make more headway. So, what I need to do now is assess (without them knowing, I suspect) my colleagues and identify their traits. In that way, I can adjust my approach as necessary and hopefully make progress.

A question I’ve been considering since the type classification was made is “is this the right type for the job?” I think it is, assuming that the job is what I believe it is. I’ve still to agree the job description and will get to that as soon as the PCI DSS Compliance project allows.

The Company Newsletter article

As you will know, I have an issue with awareness in my Company. To that end, I agreed to write a short article for the company newsletter on me and InfoSec in general.

I remembered guidance I received from Rob Newby on keeping things short and sweet so as not to scare off the reader so the fir st article is exactly that. I'm going to write some follow up articles on InfoSec in general and PCI DSS in particular over the next few weeks in order to keep chipping away at the ignorance issue.

I've anonomised it somewhat as the original contained names of the innocent(!!), for now, this is the article, don't get too excited!!!

======================

“Who” and “what”, you may ask. Well, I joined the Company in November 2004 initially as a Project Manager in the Finance department dealing with projects about payment solutions and exciting stuff like that. However, after a while I began badgering my manager and his Boss about “information security”. So much so that they gave me the Information Security Manager job and maybe they thought that would quieten me down a bit.

I have been interested in Information Security throughout my 22 year career which has mostly been in and around the IT arena. I did a spell in sales (hated that!!) and then got into project management. However, InfoSec has always been a core interest.

What is Information Security all about anyway? Well, the textbook answer is that it is about “ensuring that the confidentiality, integrity and availability of the company’s information assets is maintained”. What that really means is making sure that the company’s information is used in the right way by the right people for the right purpose. And by “right”, I mean whatever the company decides is right. My job is to help the company decide what is “right” and then write the polices to back that up.

The InfoSec programme at [the Company] has yet to get truly off the ground. As is the case with most areas of the company, there is always something else more important, more urgent etc. etc. Currently, my focus is on the PCI DSS Compliance project which [the Project Manager] explains later in this newsletter.

======================

Spreading the word

Well, I’ve written the article for the company newsletter about me and what I do. I’ve kept it short and sweet on purpose so as not to:

a) bore people stupid
b) use up all my material at once

I intend to do further articles to elaborate on “what InfoSec is” and “how it works within the company”. That last item should be a short sentence!!!

My PCI DSS Project Manager has produced another article for the newsletter about the PCI DSS Project itself. At three A4 pages (!) I think it’s too much and will suffer from the “TLDR” (Too Long Didn’t Read (thanks Rob !!)) issue for a lot of people but he is adamant that as it contains a lot of pictures people will read it. I am happy for this to go forward as I want to gauge the response to this kind of approach for future “awareness” items.

Also on the awareness front, I’m finishing off a document aimed at the IT bods which summarises the PCI DSS Audit Procedures document into sections related to areas of functionality within the IT arena. (When I'm completely happy with it I might post it over on PCI Answers if it's considered of use) I’ve done this because:

a) To make it easier for people to appreciate the depth and density of the requirements
b) The IT function reckon we’ve “just thrown PCI at them and said get on with it”

"b)" isn't true, of course, but rather than have an argument about it, I've decided to remove the argument completely by giving them what they want, information, or rather, more information.

The danger with this approach which we will have to guard against is that they will read this document and not all the relevant PCI DSS documentation. It’s up to the project team to ensure that the people concerned appreciate that this is meant as an “addition to” rather than the “gospel” top live by.

We're going to present the document to the relevant IT bods together with a (or rather, "another") summary of PCI DSS project. Thereafter, individual areas of responsibility will be reviewed with the specific people to make sure they have understood the requirements, and for us to obtain feedback, questions etc.

It's leg work but necessary to get them on side. Hopefully then, we should be able to make progress.