No follow up

Continuing "Things I've done wrong".

After designing and agreeing an Info Sec Management approach with the board another element of “Getting Distracted” happened and I never went back and followed it up. I could bleat about how “it wasn’t my fault because…” or “I meant to but this or that stopped me” but basically I should have persevered but didn’t. I allowed myself to get involved in other stuff that just wasn’t productive for the InfoSec environment. It was incredibly constructive for the company but that doesn’t improve InfoSec or earn me a bonus.

A point learned is that the executives will say "yes" to whatever you ask them and then do nothing about it thereafter. That is, unless you keep shoving it under their noses at every opportunity.

The trick is to get the “yes” from them, then continuously hit them with actions. Keep the work visible, report regularly (but bare in mind the format must fit the target audience).

It’s also necessary to identify what makes people tick, what are they interested in? It may not be as obvious as you think. So, some donkey work in the offing for me is to get a better understanding of what they ultimately want from the job. Only when I understand how to talk to them can I start to increase awareness.

Repetition is key, but it must be productive repetition, not just shoving inane data at them and expecting them to take it in and understand it.