This article is part of a continuing series on the “Jargon-Free security model.”
- In part I, we briefly introduced the model.
- In part II, we covered the foundational capability, “Visibility.”
- Part III covered the other half of effective Information Security, “Control.”
- Part IV talked about “Compliance” as essential busywork that you should manage as cheaply as possible.
- Part V presented “Innovation” and provided the outline of a structured program of experimentation that recognizes the importance of short-term failure in producing long-term success.
In Part VI, we’ll talk about “Execution.” The execution element is neglected in traditional infosec models because it is about planning and management, not security per se. The execution capability measures how effectively you are managing your resources to accomplish the rest of the elements of the model.
It’s rare for an information security professional to get any formal training in management before being put in a management role. As a result, many infosec professionals stumble when we first find ourselves managing a corporate function rather than solving technical problems. I was no different — my appointment to Director of Information Security (“DIS”) was my first exposure to senior management, and I had to figure it out as I went along.
The first version of the “Jargon-free Security Model” didn’t include the execution element. I’ll explain below how the need for this element became apparent and how I developed it.
React, or Lead?
In my first months in the role, I found myself buried in the day-to-day tasks of managing legacy spreadsheets and tracking patch deployment. These activities are essential, but I knew that an InfoSec organization with no future vision has limited benefit to the business. I made the development of a strategy my second priority after managing urgent security risks. It took a few months to develop the outline of a strategy and roadmap, but putting in the extra effort allowed me to chart a path out of perpetual panic.
For any company or department, the key to organizational effectiveness is to develop a strategy and a plan. It is impossible to drive improvement effectively without having a strategy and roadmap based on a clear vision. It is equally important that you back up your roadmap with clear milestones and success criteria.
Personnel constraints can be a limiting factor, as they were for me, but beware of staying in your comfort zone, focusing on technical details rather than thinking about the big picture. As a senior security manager, you must elevate your thinking, assign the details to your subordinates, empower them, and look at the big picture.
No Heroes
After building out my strategy and roadmap, I got to work effecting the transformation that I envisioned for my department and my employer. I found myself routinely working 12–15 hour days during the week and coming into the office on Saturdays. It took a great deal of time to get my hands around the business and identify the areas that required strategic change while managing the day-to-day tasks of the security office.
As I started hiring additional resources, I had one primary goal as a manager — my direct reports would have healthy lives with a 9–5 job. Except in emergencies or during security incidents, I did not want any overtime in my department. Regular overtime decreases efficiency and creates burnout, which causes employee turnover. My reports were valuable company resources and personal friends, so I did everything I could to make sure they enjoyed working for our department.
I had to ensure that there were enough employees so they could complete the work without heroic efforts. My employees’ long-term health and work-life balance are an essential part of the “Execution” element of the model.
Skimping on Training is the Worst Way to Save Money
Another critical part of my team’s effectiveness was training. We did not have a culture of training and employee development at my company before I became a security executive. Management didn’t see the benefit of spending money on it, and the senior engineers had the attitude that classroom training was only for people who were too dumb to “Read The Fine Manual.”
I made training a priority in my department. If someone had responsibility for a product, I expected them to attend an in-depth, multi-day training session on the product, and the department would pay to fly them out and put them up at a hotel if necessary. I believed that saving on employee skill development is the worst way for a business to save money.
I wanted regular training and skill improvement to be a central part of my department’s culture, so I deliberately added it to my objectives via the Execution element of the model. I defined metrics and asked to be held accountable for achieving them.
From Effectiveness to Execution
After identifying these critical factors for organizational effectiveness, I needed to highlight them to senior management, both to communicate their importance and to allow me to request and manage a budget for them. To accomplish this, I incorporated them into my model and developed corresponding metrics and a roadmap.
I collected the new factors under the heading of “Execution.” The Execution element of the model is designed to measure all of the things that make a security department more effective in doing everything else that is required:
- Creating and maintaining a security vision, roadmap, and execution plan.
- Providing a positive work environment for the security team members by ensuring that they were adequately trained and were not overloaded.
These are maintenance activities that don’t directly contribute to Information Security, but they are critical to the long-term health of the InfoSec program.
As you evolve from a senior engineer to a senior manager, your thinking must change as well. In addition to supporting the core responsibilities of your program, you must think about structuring your department and the work of the team for optimal delivery. The ability to engage in higher-level thinking is the mark of someone who has taken the next step in career maturity.