Thursday, October 3, 2019

Governing the Previously Ungoverned

Perhaps it’s your first week of leading a cyber security program that wasn’t effective. Or, maybe, you are getting the resources that you need to begin to govern and secure a part of the company or a discipline within the company that had been a gap. 

One group will certainly be waiting for you, perhaps even at the door to meet you.

The “previously ungoverned.”

The ones who did whatever they wanted to do before. The wild west. Perhaps, no rules. Perhaps, only the rules they wanted.

And, now, you’ll have to figure out how to get them in the fold. Secured. Governed. 

Rather than your standards text, you might want to start with a different lever: empathy.

Before anything else happens, understand what they do, how they do it, and how they are measured. It’s also a good time to listen and understand what their concerns are. “Listen and…”, not just “listen.”

Next, identify the cyber security champion(s) with whom your team should engage. These are the folks who need to understand and be able to explain what governance means to the rest of the team. They should also be the ones that you work to govern first. You’ll need to test and be sure that the things that the team is measured on still work and that the team can still make its goals.

You’ll also work through the details of the broader plan with the champion(s) for rolling out the changes to the rest of the team.

Once the security champion(s) have no issues, begin the rollout to the larger group. If the previously ungoverned population is large for your governance efforts, work with smaller, more manageable groups until all are in the fold. The group size should not exceed your team’s ability to immediately respond to and resolve issues that they may be having. Use the security champion(s) as necessary to calm any fears.

Measure your progress and don’t be shy about publicly praising the impacted team while in transition.

Most importantly, work in good faith. Keep whatever they are measured by at the forefront of your efforts. 

Often, only your empathy is necessary to reduce security friction.

Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on Twitter or LinkedIn and I'll read it.

