In this video, Kip Boyle discusses the other players in a successful information security program. Learn who should be on your team and how they can support a successful program.
- [Instructor] It takes careful thought and disciplined execution to assemble the right people in the correct positions to support your program. Let's go through the process of discovering who you need, what they will do, and where they will work. The first step is to figure out what activities need to be done and how often. Start by considering your program goals, then factor in existing organizational policies and established practices. Next, consider cultural boundaries and risk tolerances.
You may need to interview several people to discover all these things. If you don't already know, find out from your supervisor if you have an annual budget and a specific limit on your payroll or the number of people you can have on staff. Hopefully your supervisor will let your analysis determine those numbers, but this process can work either way. Now, describe the outcomes and activities required to achieve your goals and consider which activities will occur and how often.
For example, will your team create new user accounts on a daily basis? Will you need people who can process network access requests quickly and accurately? How about the cyber security due diligence work for the acquisition of a competitor? Now, sort your activities into those that are core to your program as opposed to those activities that could be done by others, either inside your organization or external to it. A core competency is when you do something better than anyone else.
Apple, for example, is great at designing hardware, but they hire an outside company to manufacture their devices for them. To make the greatest impact for the money spent on your program, you need to put as much of your staff time into what is core and delegate the rest. Let's walk through an example. Suppose your analysis generates a long list of things that need to be done. Four of the items on your list are: conduct risk assessments on large IT projects once every month; detect network intrusions 24/7; review the information security requirements for all customer contracts upon request by your legal team; and perform forensic examinations of workstations involved in cyber security incidents as it comes up.
Thinking about what's core, the size of your budget, the frequency of requests, the skills needed to do the work, and other factors, you might conclude that risk assessments for large IT projects often require a deep understanding of how your company makes money, and that takes a long time for someone to learn. So you conclude it's a core activity and that it'll be done by an employee. Detecting network intrusions 24/7 requires expensive, specialized equipment and a large team of highly trained and experienced operators.
So you conclude this activity should be done either by your IT department or by an outside service provider. Reviewing contracts also requires a deep understanding of how your company makes money and sufficient expertise with contract law. So you conclude it's a core activity and that it'll be done by an employee. In contrast, performing forensics requires specialized equipment and training, but there's no need to understand your business, and from talking with managers from the largest departments, the need is infrequent.
So you conclude this activity should be done by an outside service provider on demand. Now, for the activities that are part of your core competency, create position descriptions and proceed to hire for them in priority order by working with your human resources department. If you inherited a staff of people, you may need to change their duties either a little or a lot. If so, proceed with great care. Be sure to consider what kinds of people would be best suited for the different positions. Look for fit between duties, attitudes, skills, and personalities.
For example, be wary of hiring a person whose energy is drained by being with people, that is, an introvert, into a role that requires a great deal of interaction with people on a typical day. Similarly, be cautious about hiring a person whose energy is drained by being alone, typical for an extrovert, into a role that has minimal interactions with people on a typical day. On the subject of skills and attitudes, some people believe it's a good policy to hire primarily based on their attitudes towards the work and being on a team.
Hire for attitude, train for skill. This is a good approach as long as the person has the aptitude for the job, otherwise the person may not learn enough from the training to be successful on the job and their attitude will eventually sour. Most information security jobs are highly technical. So you may want to administer an aptitude test for a candidate that you plan to bring on and train after hiring. This is especially important if you want to bring a person into your team who's already been working with your organization for a few years in another department.
For the activities that should be delegated outside your team, create statements of work with measurable outcomes and proceed in priority order to find competent vendors by working with your supervisor, peers, and contracts department.