Getting distracted is a killer

First part of the "things I've done wrong" theme is "Getting distracted".

This is the main reason for lack of progress. The Company I work for is primarily an online entertainment provider (no, not that sort of “entertainment”!!) and focuses heavily on new initiatives and new markets. This means a lot of "drop that, do this" type meetings. Not conducive to long term planning, unfortunately.

The result has been a lot of involvement in numerous projects that I would not call "core InfoSec" related. Knock on effect is a lack of any real focus or awareness regarding InfoSec and this coupled with the other issues listed in the previous post means a lack of progress in general.

On the PCI DSS Compliance front, a similar situation has occurred with the compliance project being postponed several times due to resource reassignment to other business related projects. For that read "revenue generating". Despite all the protestations and declarations that PCI DSS Compliance was "revenue protecting", it doesn't wash.

So, I have learned that it is vital to remain focussed. Draw up the plan and stick to it, not blindly, you have to adapt the plan. But the plan is the plan, the end result is key, that must be your focus. The other thing I changed is to make smaller targets. Forget designing and delivering a full InfoSec Awareness Training Programme because it will be too big and cumbersome. Go the "baby steps" route. Get out and about and get known, make sure people understand what you are and what you are trying to do.

Maybe, just maybe, with that sort of approach, trouble will come looking for you instead of you having to go search it out.