Santarcangelo Interviewed on “The Web Squeeze” – Listen In!
On Friday, The Web Squeeze posted an interview with me. We had a blast discussing backups, passwords, building more secure websites and a bit about the human paradox and Into the Breach.
I’m impressed with The Web Squeeze (http://thewebsqueeze.com/) and hope to get more involved in additional ways.
In the meantime, I really enjoyed the banter (enough to really get me thinking about getting a new show or two going) and the professionalism extended to me by Jacob and Linda.
I hope you consider taking a listen; more – share it with the folks you know in development and see what they say. Use this as a springboard for conversations.
Here is the link: http://www.thewebsqueeze.com/freelance-podcasts/into-the-breach.html
Data Cleanup Part 1: Primary UserIDs
Welcome to the February issue of Identity Management in 13 Easy Steps. In most parts of the country the weather is cold and dreary, and what better weather for an ID cleanup?
So roll up the sleeves, find the glasses, and brew a lot of extra-strong coffee – it’s time to tackle those primary userIDs.
Primary userIDs – what are they?
A primary userID is the main ID that each user has in an organization. This is the one ID that they *should* have on all systems, although that is often not the case. Typically, the primary ID is the user’s network ID – that is, the ID that each person uses to log into their computer in the morning, and probably also to log into their email. Many organizations call this the LDAP ID or (for Windows-heavy shops) the Active Directory ID. Organizations that are mainframe-heavy might store their primary IDs on the mainframe.
The task at hand
On the surface, this month’s activity is simple: correlate each user’s primary ID with their name and other identity information, as this will be the basis for the identity repository going forward. Hopefully everyone’s primary ID is already stored electronically somewhere (at least in a spreadsheet) and there is some useful data already associated with each ID – like a name, an employee number, or other identifying information. If not, well, that’s where the extra-strong coffee comes in (or maybe decaf would be better?).
The task may be easy to describe, but there are three significant challenges in this cleanup process:
Challenge #1: mapping primary IDs to people
It is likely that the list of primary IDs (assuming it exists) is missing information, or has data that’s so outdated as to be useless. Worse still is a list of IDs without any information (who are bassfisher68 and jedimaster84?). Equally frustrating is the same-name problem: how many John Smiths, Trong Nguyens, and Juan Gonzalezes are in your organization… and whose name goes with which ID?
Challenge #2: are they even still here?
It is often hard to map IDs to people when the ID has persisted, but the person is long gone. Even more doubt is created when the ID belongs to someone with a common name.
Does jsmith3 belong to that contractor that was in here 2 years ago, or does it belong to the guy downstairs in accounting?
A nasty – but necessary – part of cleaning up primary IDs is identifying orphaned accounts that should no longer be active. On the upside, this is a healthy security exercise that often gets put off – after all, who wants to deal with the screaming users when the wrong IDs get disabled? But for identity management to work, this HAS to be done – no more excuses or avoidance!
Challenge #3: mapping primary IDs to primary sources of record
Once the IDs are mapped to the correct names/people and orphaned accounts are retired, it’s time to map the IDs to the corresponding accounts in the sources of record that were identified in last month’s exercise. Remember, identity management is just a facilitator of actions. A key integration is between identity management and the HR system, as that enables the automation of access creation and removal based on hire, transfer, and termination events in the HR system. Identity management can also facilitate the auto-provisioning or password self-service of a user’s other accounts (like email) based on proper linking.
The biggest difficulty in this exercise is typically matching the userID with the right HR record, due to potential differences in legal vs. preferred name. Very often, email addresses and userIDs are set up based on the individual’s preferred name (e.g., Mike, Trish, Betsy), whereas the HR record will contain their legal name (e.g., Michael, Patricia, Elizabeth).
Is Mike Smith the same guy as Michael Smith – or not?
Guessing is not allowed here – linking a user to the wrong HR record can have very serious consequences. HR doesn’t take kindly to people seeing each other’s salary information. Getting someone else’s email is generally frowned upon as well, especially if some new junior analyst was confused with a senior VP (believe me, this has happened more than once!).
Approach
There is no *right* or *easy* way to execute this cleanup.
With little starting information and/or a large user base, this will be a painful and time-consuming process, but here are some things to help get organized:
- Determine the data set that is needed. Make sure it is the bare minimum to start because once identity management is implemented and the records are linked, a lot of additional information will populate automatically. The goal here is to identify which data points are needed to accurately link records between systems – nothing more.
- Start with the cleanest source of record to build some momentum. While this is often the HR record, sometimes email is the best bet. Other sources may also be appropriate (like the mainframe). In general, the cleanest sources of record are ones that are carefully controlled and well automated in a database or a repository.
- Enlist the help of someone good at scripting to automate some of the searches and comparisons. Done right, this saves immeasurable time!
- Communication is key!
  - Make sure the user base knows a cleanup is underway and why it benefits them.
  - Solicit assistance from department heads – they can help identify users and their correct/current information.
  - Ask the leadership to alert their people that they may be polled for information, and specify the name of the team that will do the polling (provide the names of individuals if possible). Users need to know that these requests are legitimate and not a phishing attempt (especially if they just attended training on phishing or Michael has already worked to improve your awareness program).
  - Communicate the cleanup process to the leadership so they know the who, what, where, when and why of the effort. This is especially important when the team ends up with a pool of orphaned IDs and no other means of research. The only remaining option is to deactivate those accounts and see if anyone complains. Management needs to understand and support this decision before it can be executed.
- Don’t be afraid to disable IDs if reasonable research has not yielded results. Researching identities is extremely time consuming – there is a point where enough is enough, and the security risk to the company should outweigh the brief inconvenience that a handful of users may experience.
- Engage HR representatives and local technical support personnel. They tend to know the users personally, and can be of great help identifying them.
If existing records are already in pretty good shape, sit back and smile smugly while everyone else beats their head against the wall for a while.
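To show what the scripted searches and comparisons in the approach above can look like, here is an added Python example (not code from the article or from any identity product) that correlates a directory account export with HR records. Everything in it is constructed: the sample accounts, the HR records, the nickname table, the attribute names (uid, display name, employee number, last logon) and the 90-day staleness threshold are assumptions for illustration. It applies the no-guessing rule in code: an account is linked only on an authoritative key (an employee number stored on the account), a unique name-only match is merely "probable" and still needs confirmation, same-name collisions go to an ambiguous queue, an account whose HR record is terminated goes straight to the disable queue, and accounts nobody in HR owns are split into "disable" (no recent logon) and "research" (still being used by somebody).

```python
"""Correlate primary userIDs with HR records without guessing.

Added example with constructed data. Attribute names (uid, display name,
employee number, last logon) are assumptions modelled on a typical directory
export, not taken from the article.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Preferred-name to legal-name aliases. Assumption: a small hand-maintained
# table; real deployments keep a much longer one.
NICKNAMES = {
    "mike": "michael", "trish": "patricia", "betsy": "elizabeth",
    "liz": "elizabeth", "bill": "william",
}


@dataclass(frozen=True)
class Account:
    uid: str
    display_name: str                      # e.g. "Mike Smith", as shown in the directory
    last_logon: Optional[date]             # None if the account has never logged in
    employee_number: Optional[str] = None  # authoritative key, if anyone bothered to fill it in


@dataclass(frozen=True)
class HrRecord:
    emp_id: str
    legal_first: str
    legal_last: str
    active: bool                           # False once HR has processed a termination


def canonical(first: str, last: str) -> Tuple[str, str]:
    """Fold a preferred first name to its legal form and lowercase both parts."""
    f = first.strip().lower()
    return NICKNAMES.get(f, f), last.strip().lower()


def split_display_name(display: str) -> Tuple[str, str]:
    """'Mike Smith' -> ('Mike', 'Smith'); a single token such as 'bassfisher68' has no surname."""
    parts = display.split()
    if len(parts) < 2:
        return (parts[0] if parts else ""), ""
    return parts[0], parts[-1]


def correlate(accounts: List[Account], hr: List[HrRecord], today: date,
              stale_days: int = 90) -> Dict[str, list]:
    """Sort every account into exactly one queue.

    linked    : employee number matched an active HR record
    probable  : unique name match only; confirm with the manager before linking
    ambiguous : several active HR records share the name; needs research
    disable   : HR says terminated, or no match and no logon within stale_days
    research  : no match, but someone logged in recently, so find out who
    """
    by_emp = {r.emp_id: r for r in hr}
    by_name: Dict[Tuple[str, str], List[HrRecord]] = {}
    for r in hr:
        by_name.setdefault(canonical(r.legal_first, r.legal_last), []).append(r)

    queues: Dict[str, list] = {
        k: [] for k in ("linked", "probable", "ambiguous", "disable", "research")
    }
    for acct in accounts:
        # 1. An authoritative key beats any amount of name matching.
        rec = by_emp.get(acct.employee_number) if acct.employee_number else None
        if rec is not None:
            queues["linked" if rec.active else "disable"].append((acct.uid, rec.emp_id))
            continue
        # 2. Name matching only ever produces a candidate, never a link.
        first, last = split_display_name(acct.display_name)
        cands = [r for r in by_name.get(canonical(first, last), []) if r.active]
        if len(cands) == 1:
            queues["probable"].append((acct.uid, cands[0].emp_id))
        elif cands:
            queues["ambiguous"].append((acct.uid, sorted(r.emp_id for r in cands)))
        else:
            # 3. Nobody in HR owns this ID: stale ones get disabled, live ones get researched.
            stale = acct.last_logon is None or (today - acct.last_logon).days > stale_days
            queues["disable" if stale else "research"].append((acct.uid, None))
    return queues


# Constructed sample data (assumption, for illustration only).
SAMPLE_HR = [
    HrRecord("10042", "Michael", "Smith", True),
    HrRecord("10077", "John", "Smith", True),
    HrRecord("10091", "John", "Smith", True),
    HrRecord("10105", "Patricia", "Nguyen", True),
    HrRecord("10013", "Elizabeth", "Jones", False),   # terminated, but the account lives on
]
SAMPLE_ACCOUNTS = [
    Account("msmith", "Mike Smith", date(2010, 2, 1), "10042"),
    Account("jsmith3", "John Smith", date(2008, 1, 15)),
    Account("tnguyen", "Trish Nguyen", date(2010, 1, 28)),
    Account("bjones", "Betsy Jones", date(2009, 12, 1), "10013"),
    Account("bassfisher68", "bassfisher68", date(2007, 6, 3)),
    Account("jedimaster84", "jedimaster84", date(2010, 1, 30)),
]


def run_sample() -> Dict[str, list]:
    return correlate(SAMPLE_ACCOUNTS, SAMPLE_HR, today=date(2010, 2, 5))


if __name__ == "__main__":
    for queue, entries in run_sample().items():
        print(f"{queue:9s} {entries}")
```

The output of each queue is a work list, not a decision: "probable" entries go to the department head for confirmation, "ambiguous" ones to HR or local support, and "research" ones to whoever can find out who is still logging in. Only "linked" and "disable" are acted on directly, and "disable" is exactly the pool that leadership needs to have blessed in advance.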
Keeping it clean
If there is no current identity management system in place, it is important to keep the new repository of primary userIDs reasonably clean until the new system is in place. Otherwise this fun exercise will need to be repeated.
Staying up-to-date manually requires a process to keep user data in good repair, but the process should not be complex or labor-intensive. Do the bare minimum necessary to keep the data decently clean. It’s OK if it’s not perfect – a small final cleanup is inevitable.
A word about userID naming standards
If this process reveals the lack of a userID naming standard, or a standard that no longer makes sense for the organization, this is the right time to establish a new, sensible one. This is a large and painful exercise in and of itself, but it is far better to enter into an identity management implementation with a solid and appropriate naming standard than to try to fix it later.
Here are the things to consider:
- Grandfathering existing users vs. making them change their ID to match the new standard.
  - Unless there are specific technical reasons for converting everyone, I recommend grandfathering. A primary ID can be created in identity management in the new format and mapped to the untouched existing IDs. This meets the needs of identity management while minimizing impact on the users.
- Helping users with multiple ID formats across various systems consolidate to one ID format.
  - Although this can be a little painful, many users are happy to undergo the initial challenge in exchange for not having to remember which ID to use on which system.
- Having different ID formats for employees vs. non-employees.
  - I recommend not doing this. Having visual segregation of IDs is much more important in a manual paradigm. With identity management there are many ways to identify a user’s employment status without segregating by ID, and having different ID formats causes more problems than it solves.
- Make sure that the selected format will work on all systems – including those legacy dinosaurs with all their length and character limitations.
- If you choose to have userIDs based on name, establish a clear policy about changing the ID in the case of marriage, divorce, sex change, etc.
  - Changing someone’s display name is easy. Changing their userID can be tricky, because on many systems this isn’t possible – the old ID has to be deleted and a new one created, which leaves a lot of room for error in copying permissions, files, scripts, etc. However, some people feel very strongly about their name, especially after a nasty divorce or a sex change, so there has to be a provision for this.
- Make sure the new naming standard scales adequately for the expected growth of the company, and that it addresses situations where users may need more than one ID, or where individuals have the exact same name (possibly even same middle name or middle initial).
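As an added illustration of the naming-standard points above (not code from the article), the following Python allocates primary IDs under an assumed standard: first initial plus surname, lowercase ASCII letters only, at most 8 characters, with a numeric suffix on collision. It also checks each candidate against assumed per-system limits that stand in for the legacy systems mentioned; the system names, lengths and character patterns are illustrative assumptions, as are the sample names. Existing IDs are passed in as already taken, which is how grandfathered users keep their IDs while newly issued ones never collide with them.

```python
"""Allocate primary userIDs under a naming standard and check legacy limits.

Added example, not the article's code. The standard (first initial + surname,
lowercase ASCII, max 8 characters, numeric suffix on collision) and the
per-system limits below are assumptions for illustration.
"""
import re
import unicodedata
from typing import Iterable, List

# Assumed limits for the systems an ID has to fit; names and numbers are illustrative.
SYSTEM_LIMITS = {
    "directory": {"max_len": 20, "pattern": r"[a-z0-9._-]+"},
    "mainframe": {"max_len": 8,  "pattern": r"[a-z][a-z0-9]*"},
    "unix":      {"max_len": 32, "pattern": r"[a-z_][a-z0-9_-]*"},
}


def ascii_fold(text: str) -> str:
    """'José González' -> 'Jose Gonzalez': strip accents so legacy systems accept the ID."""
    return unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode("ascii")


def base_id(first: str, last: str, max_len: int = 8) -> str:
    """First initial plus surname, letters only, truncated to max_len."""
    fn = re.sub(r"[^a-z]", "", ascii_fold(first).lower())
    ln = re.sub(r"[^a-z]", "", ascii_fold(last).lower())
    if not fn or not ln:
        raise ValueError(f"cannot derive an ID from {first!r} {last!r}")
    return (fn[0] + ln)[:max_len]


def violations(uid: str) -> List[str]:
    """Names of the systems on which this ID would not be accepted."""
    bad = []
    for system, lim in SYSTEM_LIMITS.items():
        if len(uid) > lim["max_len"] or not re.fullmatch(lim["pattern"], uid):
            bad.append(system)
    return bad


class IdAllocator:
    """Hands out unique IDs; pre-seeded with grandfathered IDs so they are never reused."""

    def __init__(self, existing: Iterable[str] = (), max_len: int = 8):
        self.taken = set(existing)
        self.max_len = max_len

    def allocate(self, first: str, last: str) -> str:
        base = base_id(first, last, self.max_len)
        candidate, n = base, 2
        while candidate in self.taken:
            # Same-name collision: append a counter and shorten the base to keep the length cap.
            suffix = str(n)
            candidate = base[: self.max_len - len(suffix)] + suffix
            n += 1
        bad = violations(candidate)
        if bad:
            raise ValueError(f"{candidate!r} is not accepted on {bad}")
        self.taken.add(candidate)
        return candidate


def run_sample() -> List[str]:
    """Constructed sample: 'jsmith' already exists and is grandfathered."""
    alloc = IdAllocator(existing={"jsmith"})
    return [
        alloc.allocate("John", "Smith"),      # second John Smith -> jsmith2
        alloc.allocate("Juan", "Gonzalez"),   # truncated to 8 -> jgonzale
        alloc.allocate("José", "González"),   # folds to the same base -> jgonzal2
        alloc.allocate("Trong", "Nguyen"),    # tnguyen
    ]


if __name__ == "__main__":
    print(run_sample())
    print(violations("juan.gonzalez"))   # fits the directory, not the mainframe or unix
```

The collision handling is where most home-grown standards fail: a standard that is only "first initial plus surname" has no answer for the second John Smith, and one that adds a suffix without shortening the base silently produces IDs the 8-character system rejects. Running every candidate through the per-system check before it is issued catches that at allocation time rather than at the help desk.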
Parking Lot
Doing a userID cleanup of this nature can uncover all kinds of interesting issues – like fields being used to store data that they were not meant to store, IDs being created through unofficial channels that probably should not have been created, etc. Some of these discoveries might be security risks, some might just be sloppy administration, and still others might impact the identity management implementation down the road. In any case, it is important to document these discoveries along the way and do something about them – even if that something is just notifying the responsible manager.
Action Recap
This month, we covered the following key actions:
- Identify the primary ID, and determine who owns each ID
- Identify and retire obsolete IDs
- Connect primary IDs to the appropriate records in the target systems identified in last month’s exercise
- Develop (and use!) a process for keeping the IDs clean until identity management can take over
- Make sure the current ID naming standard is adequate and fix it if it isn’t
None of these actions is quick and easy, but getting them done sets a firm foundation for a successful identity management implementation.
How can I help?
Do you need some clarification or additional assistance? Do you have an experience to share with others? Leave a comment below so we can all improve together.
Giving back: The Catalyst Career Compass Program
What started as a way to help friends improve their careers has started to turn into a full-fledged program called the Catalyst Career Compass™.
Over the last few years, I’ve slowly worked through the elements to help friends – and each time I promise to make the approach public. Last weekend, I was called on my promise (thankfully) and decided to open it up.
More, with the help of Andy Willingham, Kevin Riggins and others, we are preparing to relaunch and improve the Security Catalyst Community. When we relaunch (hoping for Q2 but the timeline is not defined), new opportunities for members include the career compass program that leads to a mentoring program.
We’re all excited about the program and the possibilities.
In the meantime, we have colleagues who need a boost – they need to build, calibrate and follow their career compasses.
This is a new program – so I am open to a small group of people running through the elements for their own benefits, and to help shape the elements that will be incorporated into the community. In fact, I’d like to figure out how to train others on the approach and work as a community to help each other out.
So it starts now.
And we’ll start small.
For now, no charge (money) to participate — but there is a cost. If you are interested, send me an email (securitycatalyst/gmail) or engage me on twitter (http://twitter.com/catalyst) and let’s discuss. We have to keep the initial run small, and we need people who are willing to participate fully and work through the entire system.
More details below:
Career Compass Overview
Whether you are currently a Security Professional or want to become one, this highly flexible program will help you set and meet your professional ambitions while serving lifestyle goals.
Set your Career Compass:
- To prepare for a raise
- To receive a promotion
- For career development
- If you are ready to move into the security field
- To find a new position (within your current company or outside it)
Determine your path and venture forth.
Setting Your Career Compass is a multi-faceted program to help you refine your career objectives and realize them.
It is a three-step process.
1. You will first think about and answer a series of questions about yourself, your ideal working environments and your future. We help you align your answers – the ‘who you are’ – with what you have done and where you would like to go.
2. Then we prepare you to effectively communicate your value to the right audience. With guidance you will build a personal brand in the form of a resume, bio, cover letter and whatever else is needed for you to reach your goals.
3. With all the background work complete, we will help you follow the compass you built.
We do not judge.
Everyone thrives in different situations and has different desires in life. Our passion is to help you find the unique value you bring to an organization and position yourself for success.
Why the Compass approach works.
We guide you through a process that helps you explore your strengths, values and goals. As a result, you will understand yourself better than simply listening to someone tell you what they think, based on a questionnaire.
You will be self-aware.
You will have the clarity required to communicate your value effectively. After guiding you through this exploratory process, your Career Compass helps you position and differentiate yourself from others in a strong finished package – written and oral.
The program will help you craft a resume that is simple, powerful and designed to attract the attention of the “right” people. It will help you market yourself better and guide you to greater success.
How much time does this take?
Like most things in life, the more you invest into this program, the more you will get out of it. It is recommended that you budget 3-5 hours to complete step one, 3-5 hours for step two and 3-5 hours to begin step three.
Step three is ongoing but 3-5 hours gets people where they need to be. Some will breeze through the process. Others will need more time. There is no right answer, but the time you invest in yourself will pay off down the road.
Security From Scratch: Using Compliance For Good
“This isn’t just a legal compliance issue for us. We consider the privacy issue to be an opportunity to reinforce our brand image.” – Tom Warga, SVP and General Auditor, New York Life Insurance Co.
Early in my career I accepted a job rich with challenges and opportunities. It was for a bank that was not yet Y2K compliant (and yes, this was pre-2000), was under a cease-and-desist order from the Office of Thrift Supervision (OTS) and had a very inefficient system that needed to be rewritten from scratch – from the front end all the way to the back.
They wanted the system completed in technologies with which I was cursorily familiar (though I at least had industry experience). In addition to rewriting the system, I was also starting it months after the OTS had wanted new “financial systems” to be completed (which did not enhance their patience in dealing with us).
On my first meeting with the auditor for the OTS to lay out my plan, I thought I’d break the ice by cracking a joke. I told him, “It’s not Y2K that worries me. It’s Y10K – those 5 digit years are going to be a bear.”
My attempt at humor was met with a blank stare, an uncomfortable silence, and then a humorless statement about the requirements we needed to fulfill.
This set the stage for my first real introduction to compliance – putting it in place, those that enforce it, and those holding you responsible for the first two items.
Putting Compliance In Its Place
Focusing only on compliance almost by definition limits its usefulness.
Many compliance standards are updated only to cover tactics that have already been used against someone. Bruce Schneier has covered this concept within the context of terrorism and explains how ineffective it is.
However, most compliance standards also have a “spirit” (or intent) in addition to the “letter of the law”. For example, HIPAA aims to protect “individually identifiable health information”; PCI aims to protect cardholder data, etc. By focusing efforts on embracing the spirit of the compliance standard, the end result is “compliance” and a vastly superior job at actually protecting information.
Answering for Your Efforts
Having to “answer for your compliance efforts” doesn’t always mean an audit.
Sometimes there is an internal role that oversees compliance efforts for the whole company. In my opinion, the best way to deal with anyone whose job it is to judge your efforts is to be honest (of course), but in a way that first seeks to understand their role.
When dealing with an auditor, try to understand what it is they are looking for (fellow contributor Jim McFee does a great job of explaining this perspective).
Often, auditors are looking for proof the “letter of the law” was followed, or otherwise properly addressed. By understanding the auditing procedures and general expectations regarding the compliance standard it is possible to position actions in a way that make sense, demonstrate compliance and reduce friction.
The advantage (albeit sometimes hidden) when working with an internal colleague is the simple fact that everyone shares the same corporate goal: achieve compliance and protect company information. Working toward a common goal makes a difference (along with a deep breath and sometimes a squeeze ball).
Using Compliance for the Greater Good
Information security compliance standards almost always receive the attention of those who may not normally be focused on information security risks: legal, management, etc. This is primarily because of the legal and financial implications of not obtaining or maintaining compliance.
This attention can be turned into an advantage in managing the company’s risk.
Not only may decision makers be more willing within the context of a compliance effort to spend money on information security, but they may also be more open to education and awareness efforts.
Ultimately our job is to protect company assets and help to manage risk.
While on the surface compliance can simply be a necessary evil, when looked at with some creativity, most compliance efforts present opportunities to improve the security posture of your company beyond the requirements themselves.
On tap at The Security Catalyst for February
Greetings from Myrtle Beach!
We did it.
The house is rented. We packed, sold or donated most of our “stuff.” We loaded up the RV and headed south.
More important, we are liberated. I feel grounded, connected and free.
The purpose of this change is to live simply and engage with more people – to seek experiences over “stuff.” Part of our focus on learning and living deliberately allows me more time to focus on the programming and content we provide through the Security Catalyst Online Experience.
In addition to our contributors’ powerful insights forged in the trenches (more below), this month we welcome some guest voices (and topics).
On tap for February
Our contributors have some great insights to share, including:
- The key to effective communication and overall success when working with others from Trish
- Martin explains how disruptive change, when well planned, crisply executed, and continually adjusted can enable organizations to “jump the curve” and function well above where they were previously
- Why we need more attention focused on the consequences of actions with a challenge to help prevent and reduce fraud from Sharon
- Dennis on using compliance to your advantage without doing damage: within the context of a compliance effort, decision makers may be more willing to spend money on information security, and more open to education and awareness efforts
- Aaron shares how to avoid a legal 500 error with privacy policies
And I’ll be climbing back into the writing saddle – and sharing my focus for the year with the awareness that works™ column.
Guest Voices
Craig Nelson – a good friend from the beginning of my career – chimes in with his insights on how businesses can determine if “the cloud” is right for them.
We might sneak in another guest voice or two (and try to convince them to stick around for the balance of the year!).
Engagement is the key to success
I invite you to read, consider and engage: likes, dislikes and constructive challenges are welcomed!
Connecting and engaging in person is a rich experience, indeed.
To that end, we’ll be leaving Myrtle Beach in the middle of February and traveling to San Francisco with stops planned in Atlanta, Dallas, and Phoenix.
Are you along the way?
If so, I’d love to explore how we work together.
Into the Breach – Audio Series – Chapter 7 (Putting the Strategy to Work: A Pilot)
Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).
What you’ll find in this episode (Chapter 7)
The strategy has been revealed. The fundamentals of what is now The Catalyst Method have been shared (note: if you want the update on The Catalyst Method, contact us to learn more).
So how do you implement in a way that gets results?
In this chapter, “Putting the Strategy to Work: A Pilot,” Michael explains the basic approach – with key insights – to engaging people in the process of protecting information. Learn how to select the pilot approach that works best, build the team and plan a strategy that drives tactical and strategic success.
There is no “one-size-fits all” approach, and this chapter lays out how to make the right decisions the first time. Get a jumpstart on success with this chapter.
You want more, so after listening…
After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by
- Engaging (not following) Michael on twitter (http://twitter.com/catalyst)
- Subscribing to The Security Catalyst podcast & blog to get more insights
- Learning more about The Catalyst Foundation Series – proven success for security initiatives to excite, ignite and turn insiders into allies who reduce business risk!
Go deeper Into the Breach with Michael Santarcangelo with EMC
Each month, EMC pulls back the curtain and provides more insights and a deeper discussion with Michael Santarcangelo about the elements in this chapter. Learn how to harness the power of your people to inform and improve the risk management process in a matter of weeks. Go to www.configuresoft.com/securitycatalyst today to register, listen to the previously recorded sessions and get access to the latest session.
The Three Elements of Action
Your meeting was supposed to last just 45 minutes, but the first 35 have been devoted to the first agenda item. Most eyes have glazed over and you are the only one speaking. Just as tired as everyone else you say, “OK, so we all agree that we’re going to do that?” Hearing no objection, you move on to the next subject.
You are relieved to move on, but don’t be surprised when you have to rehash the same subject at the next meeting. Do not mistake movement for progress; your discussion was an utter failure because it lacked the fundamental element to any progress: An Action Item.
Every action item is comprised of three things:
- A Person
- A Deliverable
- A Date
Absent one of these three things, a decision is not an action item. It is a wish. All would-be “action items,” “goals,” or “decisions” which fail to include one or more of these components were a waste of your breath and their time. Action items must be clear, measurable, and have accountability. Unless you want to rehash the same issue at the next meeting, never walk away without identifying a person, a deliverable and a date for each action item, regardless of the subject matter. Let’s analyze some would-be “action items” from actual meetings:
Assignment 1: “Development of a power point presentation to train staff.”
| Element | Assessment |
| --- | --- |
| Person | None. |
| Deliverable | A PowerPoint presentation. However, the subject matter of the presentation is not clear in this context. |
| Date | None. This presentation will never be late, because it’s never due. |
| Outcome | Inaction. This is a wish, not an action item. |
Assignment 2: “Staff will take decisive action aimed within the next 30 days at having the new privacy policy ready to be trained upon.”
| Element | Assessment |
| --- | --- |
| Person | Nobody, or more specifically, everybody. Note the excessive use of passive voice. An action assigned to everybody is nobody’s responsibility. |
| Deliverable | None. If you can tease a deliverable out of this, you deserve a raise. What exactly do “decisive action” and “ready to be trained upon” mean? |
| Date | 30 days. However, this date doesn’t mean much because there’s no deliverable or assignment. |
| Outcome | Inaction. This is a wish, not an action item. |
Assignment 3: “Jane Davis should work with the Communications Department to discuss the issue of posting the entire training program on the website for free downloading to all visitors.”
| Element | Assessment |
| --- | --- |
| Person | Jane Davis. |
| Deliverable | Hold a discussion with the Communications Department. Although they probably intend for Jane to post the training program, her only assignment is to have a discussion. It might have been written better as “coordinate with the Communications Department to post the training program by the end of the month.” |
| Date | None. |
| Outcome | Inaction. This is a wish, not an action item. |
Assignment 4: “Kevin Jones will identify key end-users, such as educational and other relevant organizations, and develop a database of end-users, by the end of January.”
| Element | Assessment |
| --- | --- |
| Person | Kevin Jones. |
| Deliverable | Database of end-users. Of course, with this responsibility, Kevin must also have the authority and resources to execute the assignment. |
| Date | January 31st. |
| Outcome | Action. This is an action item. |
The three components of action are a person, a deliverable, and a date. Here’s your assignment: Next time you lead a meeting, don’t rest until you identify the three elements of action for every assignment. It’s the single most effective thing you can do to shorten meetings and avoid rehashing the same issue again in the future.
So let’s evaluate my assignment:
| Element | Assessment |
| --- | --- |
| Person | You. |
| Deliverable | Require a person, a deliverable, and a date for every assignment you make. |
| Date | Your next meeting. |
| Outcome | Shorter, more effective meetings, happier employees, and real action. This is an action item. |
Into the Breach – Audio Series – Chapter 6 (Implementing The Strategy to Protect Information)
Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).
What you’ll find in this episode (Chapter 6)
Chapter Six is where Michael explains how to customize and implement the Strategy to Protect Information. The information he shares is designed to bring immediate results. This set the stage for the refinement of what is now called The Catalyst Method™ — what Michael teaches, guides and uses to help organizations get results that transform insiders into allies who reduce business risk.
Go deeper Into the Breach with Michael Santarcangelo with EMC
Each month, EMC pulls back the curtain and provides more insights and a deeper discussion with Michael Santarcangelo about the elements in this chapter. In fact, for this chapter, Michael explains how he has modified the implementation and refined “The Catalyst Method™” to get real, rapid results. Learn how to harness the power of your people to inform and improve the risk management process in a matter of weeks.
Go to www.configuresoft.com/securitycatalyst today to register, listen to the previously recorded sessions and get access to the latest session.
You want more, so after listening…
After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by
- Engaging (not following) Michael on twitter (http://twitter.com/catalyst)
- Subscribing to The Security Catalyst podcast & blog to get more insights
- Learning more about Michael’s keynotes – and hiring Michael Santarcangelo to excite, ignite and turn insiders into allies who reduce business risk!
Strike Up the Band: Building Security from Scratch
“Individual commitment to a group effort — that is what makes a team work, a company work, a society work, a civilization work.” – Vince Lombardi
When faced with creating a new security program – Building Security from Scratch – it can be like George Taylor in The Planet of the Apes: you awaken to find your ship has crashed and you have little more than the clothes on your back. You have to figure things out and make use of what’s around you.
When in this situation, it is important to establish your bearings quickly. There are a lot of things to digest in order to start making a difference. As fate would have it, this seems to be a specialty of mine; I have accepted the challenge of creating a new role at least a half-dozen times in my career.
In my new position I have the honor and challenge of building a security program from scratch (hence the name of this column). Over the next year, I am going to share my plans, insights, and lessons-learned to contribute to a dialogue where we all can improve the way we protect our organizations.
Based on my experience, there are three steps to take when starting from scratch:
1. Getting Together: Who’s on Your Team?
The first question focuses on the team: “What will my team look like?” This is key whether you’re a “one man band” or you have (or get to build) a team. Understanding who is “on the team” puts you on a path to create a plan to determine how to be most effective tactically, and how to achieve strategic success. And the answer is more than just having people report directly to you.
This is not set in stone – more time generally yields a clearer picture, but starting with a picture is key.
2. Assess the Situation: How Will this Work?
With a snapshot of the team in place, it is time to assess the resources. This includes existing resources (personnel as well as software, etc.) and potential resources (budgeted items, management’s flexibility for unplanned spending, etc.).
As you identify resources – and the gaps between them – you’ll start to get a vision of your current situation, and your company’s overall posture. As this picture develops, you will more easily be able to map out how to address the gaps using those resources.
3. Get to Know the Family
Just as important, though, is figuring out who the right people are in your “sister” departments, such as Human Resources, Legal, and, as you might guess, IT.
Human Resources is essential because it manages the relationship between a company and its employees. While an HR department performs many functions unrelated to risk, one of the most important is managing situations involving employee misconduct, terminations, and other delicate issues. There will often be an overlap between HR’s responsibilities for any kind of internal employee issue and Information Security’s role in protecting internal assets. You will need HR’s help to proceed with any internal investigation that involves employees, and they can benefit from your expertise when addressing certain kinds of employee issues – even if they don’t know it yet.
The Legal team in an organization normally helps protect company assets by handling relationships with external entities (via contracts, NDAs, etc.), working alongside HR on internal employee matters, managing the company’s posture on legal issues and requests that arise from “outside” the company (discovery requests for pending litigation, law enforcement requests, etc.), and dealing with compliance matters (PCI DSS, HIPAA, SOX, etc.).
As an information security professional, you probably already have at least some familiarity with the functions of both of these groups. It should be easy to see how cultivating relationships with these departments – and those like them, such as Document Management and Compliance – can help in your efforts to build your program, whether it’s a tip-to-tail effort or something more concentrated like penetration testing. Less obvious, and possibly more beneficial to you, is that these departments may not be fully aware of the benefits you bring to their efforts.
Turning the One Man Band into a Symphony
Information Security is about managing risk.
In creating a security program, it pays to realize that even when you are alone, it requires a team. Showing other groups how their jobs can be easier while helping to manage risk and protect the company’s assets can effectively extend the security “team” beyond whatever may be listed on paper.
What are you doing as a one-man-band to make a difference? What challenges are you tackling? Drop a note in the comments and we’ll take it from there…
When your employees don’t want to come to work anymore
What happens when people lose their motivation at work?
- Less efficient use of resources
- Less creative solutions (at a time when creativity is even more vital)
- Less productivity
And worse, the possibility of security breaches and risks. Some companies learned this lesson the hard way: T-Mobile in the UK, Greengrocer.com, and the Office of the Attorney General of Maryland.
When employees lose motivation, they become less of exactly what the company needs: A creative, productive contributor. Worse, they might become angry and disgruntled, causing a loss or theft of essential company information.
Motivation – I know it when I see it
So what is this abstract concept called “motivation”? Is it like love – hard to define, but easy to recognize?
According to Webster’s, to motivate is to “provide with an incentive, move to action, impel”. Motivation is, put simply, giving others a reason to do something: To do their job well, to be creative, and to be an asset to the company.
Now that we’ve defined it, can we describe it? What are some common motivators? Some things that have been found to be effective motivators are:
- Positive reinforcement
- Effective discipline
- Fair treatment
- Satisfying employee needs
- Setting work-related goals
Notice something missing from the list?
If you assumed that “more money” would be a lock, it turns out it isn’t. The Minneapolis Gas Company completed a 20-year study of motivation. They asked 44,000 employees what they desired most from a job and found that, surprisingly, wages were not highest on the list. Job security was, followed by advancement, type of work, and pride in the company.
But even without the study, we all know that providing motivation is a good thing. The challenge is “how?”
I’ve listed some basic concepts of motivation to help you devise a system to give employees what they need, so they can contribute their best work:
1. Be the change
Employees won’t be their most creative, energized selves – they won’t be assets to the organization – unless you are, first. As the Minneapolis Gas Company found, intangibles rank higher than wages, and they start with your attitude and energy. Simple actions can start the process. Ask yourself: “If I were one of my own employees, would I see myself as an asset to the organization? Does the work I do reflect my most innovative thinking?” Some ways you can start being the change you want to see are:
- Welcome challenges. See them as opportunities, not as limitations. After all, without challenges, we don’t get a chance to exercise our skills and talents to their fullest potential.
- Ask if there are better or different ways something can be done. Good innovators practice creativity; they generate solutions, ideas, and concepts in every aspect of their lives.
- Be curious, ask questions, and develop problem-solving skills by practicing them.
- Take action – have confidence in your ideas, and dare to express them. Don’t fear failure; it’s inevitable, and the only way we learn. Above all, be persistent – don’t give up.
Remember, the positive energy and creativity of your team start with you.
2. Size the motivation to the person
Despite what some people might try to tell (and sell) you, there’s no “one-size-fits-all” system of motivating employees. Each person is different, as is each organization. The key to effective motivation is to discover what moves each person to be their best and to be an asset to the company.
How?
Start by asking. Then stop to listen. Watch the quiet moments. Then continue the discussion.
3. Motivation Is a Journey, Not a Destination
People and organizations change; what works for the employee and the company at one point might not be as effective months later. By listening to and observing employees, motivations can be adapted to their needs.
Treating motivation as a one-time event or a destination leads to a situation where it would have been better to do nothing at all. Commit to the journey and reap the rewards (and continue to read Security Catalyst to get ideas and support).
It might be dangerous and harmful to assume employees are motivated by “more money.” The “trick” is to figure out exactly what will move them to become greater assets to the company, then give it to them. In my next article I’ll explore in greater detail how to develop a motivational plan for your employees, and ways to overcome some common challenges in developing such plans.
What challenges have you experienced with motivation? What successes have you had? Share in the comments…
Sources:
- Merriam-Webster’s Online Dictionary: http://www.websters.com
- Accel Team Development: http://www.accel-team.com/motivation/
- The Journal of Extension: http://www.joe.org/joe/1998june/rb3.php
- The Free Management Library: http://managementhelp.org/guiding/motivate/basics.htm