Into the Breach – Audio Series – Chapter 8 (Measuring Success)

Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in this episode (Chapter 8)

The strategy has been revealed. The fundamentals of what is now The Catalyst Method have been shared (note: if you want the update on The Catalyst Method, drop me an email). The key considerations for a pilot have been shared – and now it is time to measure success.

So how do you measure what matters so you can communicate what counts?

In this chapter, “Measuring Success,” Michael draws on his background in social science and economics to explain a powerful approach to measuring success. Learn how to use the right mix of qualitative and quantitative measurements to get the feedback necessary for success.

Learn how to measure what matters and communicate what counts.

You want more, so after listening…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

  1. Engaging (not following) Michael on twitter (http://twitter.com/catalyst)
  2. Subscribing to The Security Catalyst podcast & blog to get more insights
  3. Learning more about The Catalyst Foundation Series – proven success for security initiatives to excite, ignite and turn insiders into allies who reduce business risk!

Go deeper Into the Breach with Michael Santarcangelo with EMC

Each month, EMC pulls back the curtain and provides more insights and a deeper discussion with Michael Santarcangelo about the elements in this chapter. Learn how to harness the power of their people to inform and improve the risk management process in a matter of weeks. Go to www.configuresoft.com/securitycatalyst today to register now, listen to the previously recorded sessions and get access to the latest session.


Catalyst Consideration: Simplify

It is simplicity that makes the uneducated more effective than the educated when addressing popular audiences. — Aristotle

I’ve noticed the instinct lately – of individuals, government and security practitioners – seems to be one of more control.

When something seems broken, or the outcome is different from what was desired, the answer comes in the form of regulation, controls and otherwise restricting the options to prevent or influence the outcome.

And when these controls fail, it leads to finger pointing, grandstanding and… you guessed it… the call for more controls.

But what is the net effect of these additional controls?

Sometimes the solution is to strip controls away. To simplify.

I’ve spent the last few months pondering this message, and realize the more we ask ourselves “what is the problem we are trying to solve” the more effective we are. We need a foundation for success – and simple trumps complex.


Santarcangelo Interviewed on “The Web Squeeze” – Listen In!

On Friday, The Web Squeeze posted an interview with me. We had a blast discussing backups, passwords, building more secure websites and a bit about the human paradox and Into the Breach.

I’m impressed with The Web Squeeze (http://thewebsqueeze.com/) and hope to get more involved in additional ways.

In the meantime, I really enjoyed the banter (enough to really get me thinking about getting a new show or two going) and the professionalism extended to me by Jacob and Linda.

I hope you consider taking a listen; more – share it with the folks you know in development and see what they say. Use this as a springboard for conversations.

Here is the link: http://www.thewebsqueeze.com/freelance-podcasts/into-the-breach.html


Giving back: The Catalyst Career Compass Program

What started as a way to help friends improve their careers has started to turn into a full-fledged program called the Catalyst Career Compass™.

Over the last few years, I’ve slowly worked through the elements to help friends – and each time I promise to make the approach public. Last weekend, I was called on my promise (thankfully) and decided to open it up.

More, with the help of Andy Willingham, Kevin Riggins and others, we are preparing to relaunch and improve the Security Catalyst Community. When we relaunch (hoping for Q2, but the timeline is not defined), new opportunities for members include the career compass program that leads to a mentoring program.

We’re all excited about the program and the possibilities.

In the meantime, we have colleagues who need a boost – they need to build, calibrate and follow their career compasses.

This is a new program – so I am open to a small group of people running through the elements for their own benefits, and to help shape the elements that will be incorporated into the community. In fact, I’d like to figure out how to train others on the approach and work as a community to help each other out.

So it starts now.

And we’ll start small.

For now, no charge (money) to participate – but there is a cost. If you are interested, send me an email (securitycatalyst/gmail) or engage me on twitter (http://twitter.com/catalyst) and let’s discuss. We have to keep the initial run small, and we need people who are willing to participate fully and work through the entire system.

More details below:

Career Compass Overview

Whether you are currently a Security Professional or want to become one, this highly flexible program will help you set and meet your professional ambitions while serving lifestyle goals.

Set your Career Compass:

  • To prepare for a raise
  • To receive a promotion
  • For career development
  • If you are ready to move into the security field
  • To find a new position (within your current company or outside it)

Determine your path and venture forth.

Setting Your Career Compass is a multi-faceted program to help you refine your career objectives and realize them.

It is a three-step process.

  1. You will first think about and answer a series of questions about yourself, your ideal working environments and your future. We help you align your answers – the ‘who you are’ – with what you have done and where you would like to go.

  2. Then we prepare you to effectively communicate your value to the right audience. With guidance you will build a personal brand in the form of a resume, bio, cover letter and whatever else is needed for you to reach your goals.

  3. With all the background work complete, we will help you follow the compass you built.

We do not judge.

Everyone thrives in different situations and has different desires in life. Our passion is to help you find the unique value you bring to an organization and position yourself for success.

Why the Compass approach works.

We guide you through a process that helps you explore your strengths, values and goals. As a result, you will understand yourself better than simply listening to someone tell you what they think, based on a questionnaire.

You will be self-aware.

You will have the clarity required to communicate your value effectively. After guiding you through this exploratory process, your Career Compass helps you position and differentiate yourself from others in a strong finished package – written and oral.

The program will help you craft a resume that is simple, powerful and designed to attract the attention of the “right” people. It will help you market yourself better and guide you to greater success.

How much time does this take?

Like most things in life, the more you invest into this program, the more you will get out of it. It is recommended that you budget 3-5 hours to complete step one, 3-5 hours for step two and 3-5 hours to begin step three.

Step three is ongoing but 3-5 hours gets people where they need to be. Some will breeze through the process. Others will need more time. There is no right answer, but the time you invest in yourself will pay off down the road.


On tap at The Security Catalyst for February

Greetings from Myrtle Beach!

Extra! Extra!

February at the Security Catalyst Online

We did it.

The house is rented. We packed, sold or donated most of our “stuff.” We loaded up the RV and headed south.

More important, we are liberated. I feel grounded, connected and free.

The purpose of this change is to live simply and engage with more people – to seek experiences over “stuff.” Part of our focus on learning and living deliberately allows me more time to focus on the programming and content we provide through the Security Catalyst Online Experience.

In addition to our contributors’ powerful insights forged in the trenches (more below), this month we welcome some guest voices (and topics).

On tap for February

Our contributors have some great insights to share, including:

  • The key to effective communication and overall success when working with others, from Trish
  • Martin explains how disruptive change, when well planned, crisply executed and continually adjusted, can enable organizations to “jump the curve” and function well above where they were previously
  • Why we need more attention focused on the consequences of actions, with a challenge to help prevent and reduce fraud, from Sharon
  • Using compliance to your advantage without doing damage; as a result, decision makers may be more willing within the context of a compliance effort to spend money on information security, but they may also be more open to education and awareness efforts, from Dennis
  • Aaron shares how to avoid a legal 500 error with privacy policies

And I’ll be climbing back into the writing saddle – and sharing my focus for the year with the awareness that works™ column.

Guest Voices

Craig Nelson – a good friend from the beginning of my career – chimes in with his insights on how businesses can determine if “the cloud” is right for them.

We might sneak in another guest voice or two (and try to convince them to stick around for the balance of the year!).

Engagement is the key to success

I invite you to read, consider and engage: likes, dislikes and constructive challenges are welcomed!

Connecting and engaging in person is a rich experience, indeed.

To that end, we’ll be leaving Myrtle Beach in the middle of February and traveling to San Francisco with stops planned in Atlanta, Dallas, and Phoenix.

Are you along the way?

If so, I’d love to explore how we work together.


Into the Breach – Audio Series – Chapter 7 (Putting the Strategy to Work: A Pilot)

Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in this episode (Chapter 7)

The strategy has been revealed. The fundamentals of what is now The Catalyst Method have been shared (note: if you want the update on The Catalyst Method, contact us to learn more).

So how do you implement in a way that gets results?

In this chapter, “Putting the Strategy to Work: A Pilot,” Michael explains the basic approach – with key insights – to engaging people in the process of protecting information. Learn how to select the pilot approach that works best, build the team and plan a strategy that drives tactical and strategic success.

There is no “one-size-fits all” approach, and this chapter lays out how to make the right decisions the first time. Get a jumpstart on success with this chapter.

You want more, so after listening…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

  1. Engaging (not following) Michael on twitter (http://twitter.com/catalyst)
  2. Subscribing to The Security Catalyst podcast & blog to get more insights
  3. Learning more about The Catalyst Foundation Series – proven success for security initiatives to excite, ignite and turn insiders into allies who reduce business risk!

Go deeper Into the Breach with Michael Santarcangelo with EMC

Each month, EMC pulls back the curtain and provides more insights and a deeper discussion with Michael Santarcangelo about the elements in this chapter. Learn how to harness the power of their people to inform and improve the risk management process in a matter of weeks. Go to www.configuresoft.com/securitycatalyst today to register now, listen to the previously recorded sessions and get access to the latest session.


Into the Breach – Audio Series – Chapter 6 (Implementing The Strategy to Protect Information)

Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in this episode (Chapter 6)

Chapter Six is where Michael explains how to customize and implement the Strategy to Protect Information. The information he shares is designed to bring immediate results. This set the stage for the refinement of what is now called The Catalyst Method™ – what Michael teaches, guides and uses to help organizations get results that transform insiders into allies who reduce business risk.

Go deeper Into the Breach with Michael Santarcangelo with EMC

Each month, EMC pulls back the curtain and provides more insights and a deeper discussion with Michael Santarcangelo about the elements in this chapter. In fact, for this chapter, Michael explains how he has modified the implementation and refined “The Catalyst Method™” to get real, rapid results. Learn how to harness the power of their people to inform and improve the risk management process in a matter of weeks.

Go to www.configuresoft.com/securitycatalyst today to register now, listen to the previously recorded sessions and get access to the latest session.

You want more, so after listening…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

  1. Engaging (not following) Michael on twitter (http://twitter.com/catalyst)
  2. Subscribing to The Security Catalyst podcast & blog to get more insights
  3. Learning more about Michael’s keynotes – and hiring Michael Santarcangelo to excite, ignite and turn insiders into allies who reduce business risk!

Getting Behind the Wheel: Driving Audit and Compliance

“Pass on all hills and curves.” ~Author Unknown

The concept of the audit, to some, may feel relatively new and immature. However, financial statements have been audited since the 1800s and regulated IT Audits got a footing in the 1970s. The challenge in making sense of audits is in the approach: are you driven by compliance and audits, or are you driving the audits and compliance?

In my experience, compliance and audits are more journey – and less road trip. The challenge in preparing for this journey is the murky starting point, winding roads and changing conditions that must be successfully navigated. And when finished, the reward is taking another lap.

Developing a “Culture of Compliance”

Day in and day out, those who work in finance adhere to basic principles that over time have simply become habit. These basic principles are in part derived from the understanding that they will be audited against their actions. We, as IT experts, tend to have much more of a cowboy approach to getting work accomplished. Now that IT is being held accountable, we need to instill the same ideology of daily work ethics that is second nature in finance departments.

This concept of cultural development is awkward at best when considered in bits and bytes. While IT staff are experts in their fields, they often have difficulty understanding why perceived red tape (commonly experienced as additional process to get code into production) exists. For many, it just doesn’t make sense and feels more like an obstacle than a useful control.

Building the culture of compliance takes time, dedication, education, and influences some interesting debates. Yet the journey is rewarding and the results proof positive of the investment. Over the course of the next year, I’ll share my experiences learned over the last two decades to ease the journey for everyone.

Sell the concept, reap the benefits

Management responsibility – wait for it – “must be driven from the top down.” It’s quoted a lot, and for good reason. And I agree. The outcome of IT assessments, sometimes in combination with finance audits, has a direct impact on the bottom line.

Who would you rather do business with: a company that has process deficiencies and stated exceptions, or one that passes the litmus test of standardized IT auditing?

Positive results are an endorsement that the organization is operating efficiently and, more importantly, securely. This endorsement should be used by your sales and marketing departments at every opportunity.

Building Support

Step one: find the right internal sponsor. This sponsor should be the liaison to any audit firm partner. While IT management is needed to explain details of process, systems, and applications, they should not be on point. Often the best bet is a leader in finance. Building on years of experience, savvy finance management can simply save money.

Of course there are exceptions; mature IT organizations can fulfill this role with the understanding that it is critical to update senior finance management throughout any audit.

Should IT audit and compliance be managed internally?

This question needs to be asked regardless of the size of the organization. It is common practice to hire external audit firms (opposing) to prepare your organization for an IT audit. Independent assessments can help identify process deficiencies, help with documentation and, more importantly, ensure a smooth audit when it counts.

Quite simply, if you need to bring an organization into “compliance” within a predefined time frame, external help may be your only option. If the decision (or only choice) is to manage this internally, then dedicated staff is essential. This team needs expertise in systems, applications and security, and perhaps more importantly the ability to communicate and educate others on why IT auditing is so important. We’ll explore this more in the future (and quite frankly, I’ve seen Michael in action, and he is the master of this – and he makes it easy for others to do it, too).

One of the best tangible outcomes of this whole process is detailed documentation. Interesting how there is never time to develop or update documentation; now the excuses are kicked and a valid reason exists. These policies, standards, and other documents are the foundation of the IT department, the keys to success.

What’s in it for me?

Develop this “Culture of Compliance” within the IT department and witness creative solutions being developed on the base principles of security, and with forethought into what auditors really want: Who, What, When, and How!

Sound off

How have you developed a culture of compliance in your organization? Or has your compliance car skidded off the road along the path? Engage in the discussion in the comments and we’ll work on getting there together.


Your Invitation: Journey with me “Into the Breach”

I remember it like it was yesterday, even though it happened over three years ago.

While learning about how a large organization detected and responded to a breach, a stark reality suddenly hit me. Looking back at it now, I probably jumped out of my seat when I connected the dots. I was forever changed.

The Black Hole of Data

After initial concern that the breach was a focused external attack – and the appropriate authorities alerted – the final conclusion was more pedestrian, and more common: in the course of trying to do their job, an employee took an efficient action to move a file to his home computer – over the Internet – then forgot about it.

It took a few years before the file was discovered.

The discovery – made by an employee, three years later, on a Friday afternoon – triggered a swift, thorough and amazingly competent response. Yet while being briefed on the specific details, costs, actions and findings, what stuck out to me was simple: the root of the breach was someone “trying to do their job.” No external attacker, no disgruntled insider, no nefarious plot.

It was an honest worker finding a way to work from home, on his own time; he wanted to get the job done. He was trying to do the right thing, but managed to do it the wrong way.

This wasn’t a breakdown of controls. In fairness, we have some technologies today that would have prevented this breach – but that doesn’t mean the user wouldn’t have found a better/different way. Technology is important, but more important is the consideration of people and how we factor (or ignore) them into the solution.

This was the spark that led to Into the Breach: Protect Your Business by Managing People, Information and Risk.

Since the book was published, I have presented the concepts in keynotes and seminars, and I have continued to research, reflect, and more importantly, get into the field and work with organizations of all sizes. This has sharpened my focus on – and renewed my commitment to – the human ecology of the organization to help turn insiders into allies who reduce business risk.

As we prepare to leave our stick house and head out full-time in our RV to travel the country and work with individuals, organizations and communities, I invite you to join me on a weekly Journey Into the Breach.

Over the next year, I’ll expand and reflect on elements from Into the Breach through candid and updated thinking.

Ready?

Buckle up. Let’s go.

Who is the intended audience for Into the Breach?

Into the Breach is for business executives, decision makers, influencers and stakeholders. However, anyone can benefit from the executive level discussions and solutions: it’s been commonly noted to me that the challenges I uncover and solutions we advance address issues broader than security.

It was important to me that I distilled the essence of the book into a form that could be easily consumed, understood and acted upon. The measure of success was to be able to read the book on an airline flight or comfortable afternoon. We hit the mark.

Breaches are only symptoms

When something goes wrong (say, for example, a breach), it is natural to seek someone to blame and a technology to fix what keeps us up at night. After taking the time to go deeper into the breaches all around us, I asked a simple question:

What if breaches are only symptoms?

As soon as I asked it, I realized that breaches and other breakdowns are just symptoms. They are not the problem. I’m not suggesting they don’t create harm; some do. But we don’t have to solve “breaches.”

The fundamental challenge is what I dubbed the human paradox.

The Human Paradox

The challenge we face is simple to state, easy to understand, quick to prove, yet elusive to address.

The human paradox: individuals have been unintentionally, but systematically disconnected from the consequences of their actions. People disconnected from the consequences of their actions do not take responsibility – and are not held accountable for their actions.

To be clear: we do not have a people problem. It is counterproductive to blame people. Yes, people play a role – certainly in the challenge, but more importantly, in the solution.

So what is the problem?

We need to consider the source of the disconnection; in many cases, the best intended actions of security professionals have created the disconnection.

Ironic, isn’t it?

We must reframe the way we consider consequences: what if consequences are neither good nor bad, but intended or unintended?

If we keep doing what we’re doing, we’ll keep getting what we’re getting. I don’t want to continue on this path.

What got us to where we are – which has been amazing change and progress in the last 10-15 years – may not be what will get us where we need to go next. The purpose of this column is to reframe and illuminate the challenges we face while suggesting a path forward.

How to prepare for our Journey

1 – Read or listen to Into the Breach (you can listen for free)

2 – Look for – and share – positive examples of where people are CONNECTED to the consequences of their actions

3 – Ponder questions you would ask me if we were sitting together around a campfire. Then make plans to sit with me around a campfire and discuss.

Sound off!

What do you think? Have you found people doing the right thing? What did I miss?

Share in the comments… and always share with me the challenges you face and we’ll work together on this journey to amplify the positive and turn the tide…


Amplifying the Good: The Security Catalyst Online Experience 2010

As the snow starts to cover the ground in Upstate New York, my thoughts are already turning to the year ahead. I’m not at all disenchanted with the Holidays; I’m just excited about the journey ahead with the Catalyst onTour RV adventure. Equally exciting to me is the programming that will be presented by the Security Catalyst in 2010.

The Security Catalyst is designed to be a clearinghouse of bright ideas from a collection of passionate and thoughtful professionals. I believe that more voices, more perspectives, and more discussions are essential to influencing the positive change we need. To that end, we have spent the last few months sharpening our focus – based on the needs of the industry – and developing themed columns and a revised approach to producing readable, actionable content.

We will introduce the bulk of the series in December, and continue rolling out new features and opportunities to engage as the year progresses. So as I travel the country to meet with as many people as possible, we will shine an increasingly bright light toward the future on the pages of the Security Catalyst Online.

The Security Catalyst Online Experience: Amplify the Good

Our mission is simple: amplify the good. A dozen contributors give of their time and experience to help advance the profession. Take a moment to consider the diverse programming prepared for 2010. Each of the contributors spent a few weeks developing a column and outlining key ideas and concepts to guide what we share in the coming year.

We’re working on a production cycle and are implementing a peer review process in 2010. In the coming weeks, I’ll showcase the contributors, reveal more about their series and provide the opportunity to engage with them – for the benefit of everyone!

We welcome feedback – comments, questions and challenges – to help shape our efforts and provide outstanding value for you and your efforts.

Security Social Worker — by Trish Smith

Trish Smith explores the perspective of a licensed MSW on the information security field. In the overall spectrum of topics, which all center on the juncture of technology and people’s thoughts, feelings, and behaviors, Trish’s focus will be on people and how to turn a change concept into reality.

Foundational Identity Management – by Ioana Bazavan Justus

Ioana Bazavan Justus will share her extensive experience in implementing Identity Management at Fortune 50 companies in a 14-part series that is focused not on the technology, but on the process pitfalls and data preparation – the aspects that, if ignored, will make an IAM implementation fail. I’ve known Ioana for over a decade, and her ability to understand, explain and get results is amazing. I’m really excited about this series.

Organized Fraud Prevention – by Sharon Shaw

Sharon Shaw is more than an expert on preventing fraud – she is passionate about sharing ideas, insights and strategies that bring a new focus by explaining the (sometimes hidden) challenges every organization faces. She then provides thoughtful, straightforward solutions.

Leading from the Front – by Martin Fisher

Martin Fisher is a leader (my word, not his) who has engaged me in great conversations about leadership, management and the future of the industry we both serve. He’s agreed to share his thoughts and the secrets of his success to help influence positive change in 2010.

Security From Scratch – by Dennis Kuntz

Dennis Kuntz is gifted in a lot of ways, and I originally wanted to call this the “one man band” given his musical prowess. However, since he’s embarking on an effort to build security from scratch, we deemed it to be a more fitting title. We’re still tweaking the outline – but the goal is to harness collective experience and provide clear insights to the challenge many of us face: building security into an existing organization. Where to start? What to do? And what really matters… tune in and find out.

The Privacy Advantage – by Aaron Titus

Aaron Titus is focusing on the positive aspects of privacy. Instead of dwelling on the shortcomings of privacy, Aaron will set forth the keys to turning a focus on privacy into an advantage.

Security… Psych! – by Jeff Kirsch

Jeff Kirsch blends security with psychology – not only an interest for him, but a vocation for his wife. Jeff will share insights that improve the way we practice security based on how we think, behave, and learn.

Managing Your Compliance – by Jim McFee

Jim McFee knows compliance. He knows audits. As someone who has sat on “both sides of the desk,” Jim is ready to share two decades of experience on how to set up and run an effective compliance and audit program. Emphasis on how to actively manage audit and compliance for outstanding – and harmonious – results.

Awareness that Works – by Michael Santarcangelo

Starting in January, Michael Santarcangelo (your humble Catalyst) will share his unique and effective approach to building “awareness that works.”

Ioana got started in November, and the balance of the contributors will introduce their columns this month, with a nugget or two to ponder and digest over the holidays. By January, we’ll be running full tilt – loaded with ideas, insights and success for 2010.
