Saturday, December 7, 2019

The Engagement Problem of Cyber Security Ownership


This post is part 2. Part 1 is “The Conceptual Problem of Cyber Security Ownership.”


So, you decided to distribute ownership of securing business processes outside of the cyber security team, within the standards set by the security team. You have a conceptual model. Now we need to examine the mechanics of implementing that model.




Communication isn’t enough to transfer ownership to business process owners. If communication alone were sufficient, almost every cyber security team would have distributed ownership of cyber security by now.


Communication implies one-way directives.


Proclamations are easy to ignore.



You need engagement. Engagement is deeper than simple communication and requires building a two-way relationship and ongoing negotiation with frequent contact, interactive expectation setting, and discussions with a business process owner – help desk, cloud platform team, desktop engineering, HR, accounting, contracting, whatever team owns a key process that you want to secure.


The goal of engagement isn’t to proclaim, harass, or berate. This isn’t the time for that and I’m not sure that there ever is. Remember that we are building a relationship that leads to both ownership and security being driven into the organizational DNA. 


You’ll initially want to understand the process owner team’s priorities and work plan (with or without security included). If security needs to be built into new work, discuss the security requirements around the new work, ensure that they are aware of them, work to understand any obstacles blocking incorporation of those standards, and negotiate for removal of those obstacles.


Since the cyber security team will be the eyes and the process owners will be the hands, an outcome of engagement will be not only a backlog and work plan for review at each engagement meeting but also identification of any governance gaps, a definition of success, the mechanics of ongoing measurement, and agreement on those measures.


Once you have this done for new work, do the same with securing legacy work or existing processes.


Ownership of cyber security by business process owners won’t happen overnight. That said, engagement allows your team to map measurable progress and milestones as part of that transition. They can be mapped individually and scored broadly across the organization. Engagement as a security process enables the cyber program to scale as execution becomes more decentralized. 


These are all outcomes that your executive team will understand and should support.


Go forth and do great things.


Like what you've read enough to follow me on Twitter? @Opinionatedsec1.

