Low-Effort Yet High Return
Originally published on LinkedIn Pulse as “One Pizza-Based Security Improvement”
As has long been said, the elements of a security program fall into three categories: people, process and technology. Pizza-based improvements, of course, apply to the people category. It doesn’t have to be pizza. It can be sandwiches, which can be an advantage if you are dealing with papers, tablets or keyboards (fewer napkins are needed).
The reason I’m bringing up pizza and so on is that the “people part” of security programs is often underutilized. I’m not saying that people are not being tasked well or that they don’t work hard enough; many are over-tasked. That is another reason why it can be of real benefit to turn a casual working lunch or pizza break into something that helps improve the security picture.
There is untapped potential in the knowledge and experience of the security staff, whether they are contract security personnel or in-house personnel, supervisors or managers. How do I know that such potential is not always tapped? I know because when I perform security assessments, it is rare not to get valuable feedback and suggestions for security improvements, which could have been put to good use much earlier. However, that kind of feedback had not been expected or requested, and so the ideas lay dormant. Discoverable, but dormant.
Here is one way to tap that knowledge and experience that can end up making a worthwhile difference.
General Improvement Brainstorming
General improvement brainstorming is a valid way to obtain helpful information and get suggestions for security improvements. However, simply ordering pizza and asking for improvements is not likely to be as productive as taking the structured approach described below.
- PREPARATION: Order the pizza! Then create a chart on paper, in a word processor or in a spreadsheet (or download one here) for capturing the recommendations developed. Give it nine columns, whose names and purposes are listed below (names are in bold):
  - Improvement: Describe the suggested improvement.
  - Rationale: Explain why the improvement is needed or how it will improve things.
  - Current State: Explain how things are now, to provide context for the improvement.
  - Future State: Describe how things will be after the improvement is made.
  - Success Criteria: Describe how to tell if the improvement is successful. “It will be considered successful if . . .”
  - Resources Required: This can be money or personnel, but should also include training or any other actions needed to put the improvement in place, including a brief description of the project required if the improvement effort is significant enough.
  - Implementation Time-frame: Recommend the time that should be allowed for implementing the improvement.
  - Review Time-frame: Recommend how long it will be before the results are visible or can be reviewed.
  - Priority: Provide either a numerical ranking or simply High, Medium and Low as a means of relative prioritization of the various improvement recommendations.
- START: Display or provide a chart or list of the security program elements.
- ACTION: Take each security program element in turn and use the following list to prompt ideas:
  - Does our implementation fully achieve the scope and purpose of the program element?
  - Are any actions or procedures broken? Do any require a workaround?
  - Is any part of it too time-consuming?
  - Is any part of it too difficult to execute properly?
  - Is it difficult to manage or oversee?
  - Could it benefit from a checklist or other documentation or tool?
  - Is it lacking in accountability?
  - Are any parts of it no longer needed?
  - Are enough personnel trained on it?
  - Are there any complaints about it?
  - Do we measure or track it appropriately?
Optional guidance is to fill out the chart in two passes:
- Pass one: for each improvement, fill in the first three columns (Improvement, Rationale, Current State).
- Pass two: for each improvement, fill in the remaining columns.
Extra Benefits
There are extra benefits to performing this exercise. The participants are exposed to ways of thinking about the security program that their day-to-day work does not typically call for. Most security personnel are focused on planning and execution relating to responsibilities, duties and tasks. They don’t get a chance to consider the whys and the wherefores, and they have little experience in putting these kinds of thoughts and ideas into words. The exercise gives them that practice, which makes them better able to represent security to the various stakeholders as such opportunities arise.
—Ray Bernard