Changing the Monolith—Part 3: What's your process?

Published 2020-01-30 on the Microsoft Security blog: https://www.microsoft.com/en-us/security/blog/2020/01/30/changing-the-monolith-part-3-whats-your-process/

Digital transformation is a daunting task. In this series, I explore how change is possible when addressing the components of people, process, and technology that make up the organization.

In my 25-year journey, I have led security and privacy programs for corporations and provided professional advisory services for organizations of all types. Often, I encounter teams frantically running around in their own silos, trying to connect the dots and yet unsure if those are the right dots. Connecting the dots becomes exponentially difficult in an environment where everyone is trying to achieve a different goal.

Here are a few tips to create teams unified around a common mission:

1. Define the mission and implement it like any other business plan

First, you must know what you are trying to achieve. Are you protecting trade secrets? Limiting reputation damage? Reducing the chance of unauthorized access to sensitive data? Complying with all local, regional, and national data protection laws? Trying to keep employees safe? Keeping patients, passengers, customers, and business partners safe? Is the answer "All the above"? Define an order of risk magnitude.

Focus on what success looks like, identify quick wins, and get the opinions of executive leadership. What do they view as success? Don't settle for unrealistic answers such as "We want 100 percent security." Explain what is realistic and offer your approach as a business plan.

2. Define success—be able to articulate what it is and how it can be measured

When you start any endeavor, how do you determine when it is finished? While information security has a lifecycle that never ends, certain foundations must be established to foster a culture of security and privacy. Success could look like reducing risk to trade secrets, reducing the impact of third-party risk, or protecting an organization's reputation.

However success is defined for your mission, it needs to be measurable. If you can't summarize success during an elevator pitch, a monthly CEO report, or a board presentation, you haven't defined it appropriately.

3. Leverage a methodology and make it part of the game plan

Think of the methodology as a game plan. There aren't enough people, there isn't enough time, and there is a finite amount of money. Attempting to do everything all at once is a fool's errand. The moment you know what you're trying to achieve, you can create a plan of attack. The plan should follow a proven set of steps that move in the right direction.

A popular methodology right now is the Zero Trust model, which has been waiting in the wings for its big debut for over a decade. Zero Trust has made it to the spotlight largely because the conventional perimeter has been deemed a myth. So, what is your approach to achieving security, compliance, and privacy once you have chosen a methodology?

4. Market the plan

One of the main hurdles I constantly witness is that the larger the organization, the more isolated the business units—especially in IT. In many cases, cybersecurity leadership does not engage in regular communication with the various factions of IT: application development, user support, database teams, infrastructure, and cloud teams, to name a few. And almost always outside their purview reside the HR, Legal, Finance, Procurement, Corporate Communications, and Physical Security departments.

In a previous role, I found success by borrowing employees from some of these other departments, not only to help build political capital for the cybersecurity team, but to land the security awareness message with the populace and connect with the aforementioned units within IT and business leadership. To do the same, start by building a plan and defining your message. Repeat the message often enough that it is recognized and people are energized to help drive the mission forward.

5. Teamwork in the form of governance

Once "inter-IT" and business relationships are established, governance can commence—that ultimately means creating process and policy. Involve as many stakeholders as possible and document everything you can. Make everyone aware of their role in the mission and hold them accountable.

Take, for example, a mobile device policy. Whose input should be solicited? At a minimum, you should involve HR, Legal, Finance, the CIO, and the user community. What do they want and need? When everyone agrees and all requirements are negotiated, it's amazing how quickly a policy is ratified and becomes official.

Cybersecurity, privacy, compliance, and risk management should be managed like any other business, and any business values process. Without process, product doesn't get manufactured or shipped, patients don't heal, and the supply chain grinds to a halt. Without process, there can be no consensus on how to protect the organization.

Stay tuned

Stay tuned for the next installment of my series, Changing the Monolith: People, Process, and Technology. In the meantime, check out the first two posts in the series, on people:

Also, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.