Here’s a Story
Over several months I worked with a senior IT manager to sort out how best to manage cyber security. The manager’s CEO and COO were very clear that his job was to deliver security that kept both their customers and the cyber-insurers happy, without impacting sales or productivity.
As it turned out, he was constantly between a ‘rock and a hard place’.
As we got started, here is what we heard:
- The company’s customers and insurers required the company to demonstrate strong security and indicated there would be serious consequences for failures.
- The IT manager had previously hired an expert security group to design, build, and implement a security system.
- The security group reported that based on their assessment, the company was in serious trouble and needed to implement over 300 tasks to make the company secure!
- The company hired the security group for over $100,000 a year.
- As the new security systems were rolled out they ran into fierce resistance from staff. Operations led a charge to stop using the new security because it was slowing them down.
- Staff went into full revolt and began using their own personal devices and storage systems (Dropbox, etc.) to bypass company security.
- Neither the customers nor the cyber-insurers were happy.
Where Do We Go From Here?
- Build Trust – My recommendation was to go back to the beginning and build trust with the operational teams. This was largely a ‘human factors’ problem. We needed to first get consensus on just how they would all agree to work together.
- Simplify, simplify, simplify – I took the 300+ recommendations, along with 40+ new policies, and boiled them down to match the management team’s priorities and what was feasible in time and money. We started out with fewer than 10 projects, and 20 policies written in plain language.
- Use Current Project Management Processes – Using Agile project methodology, the project was managed in smaller increments and focused on getting compliance in small steps.