Thursday, October 30, 2008

Security through walking around

Perhaps you have already used this term or have at least heard others refer to it on occasion. I have read several articles on the subject and am, quite frankly, a fan of the idea. For those new to the term, it means turning off the computer and showing your smiling face. If you spend your day processing information at your computer, you don’t get the full security picture. If you only get out to play “gotcha” or to conduct preliminary inquiries into violations, then those you serve get only a partial picture of you.
Security through walking around requires a plan. Without one you are just milling about, engaging in conversation and, basically, wasting everyone’s time. A plan keeps you focused and removes the temptation to drift into conversations and activities that can cost you credibility. It doesn’t have to be complicated or lengthy; it simply directs your purpose and attention and answers questions about your security program’s health.
The plan should create opportunities to reinforce your message and to learn the names and characteristics of employees, team members and executives. It also gets your face out there, making you more accessible to the very people you depend on to support the security program.
Have a prioritized list of milestones that help you measure your effectiveness. This list could reveal how well you are doing in matters of personnel, physical, IT, privacy, proprietary and, if applicable, classified information security. As a word of caution, research and know your topics before you go. Understand the policies in effect and how well they are working. Know the regulations and requirements your company complies with and how they affect the company’s business and team members. If you answer a question with a “best guess” or rattle off a party line, you can lose credibility and cause others to doubt your abilities.
While preparing for your walk, anticipate good and bad feedback. Some will praise your efforts, and there will definitely be those who criticize or question your motives. Some objections may result from a security measure you personally implemented, such as limiting access. These objections are perfect opportunities to explain how magnetic door locks keep out unwanted and unauthorized visitors and how they reduce energy spending by $12,000 annually. Others may be upset at having to comply with federal regulations. This is a great time NOT to quote regulations, but to demonstrate how they affect the company and the benefits of compliance. If a question arises that you can’t answer, be candid. “I don’t know, but I’ll get back to you,” is a perfect response. Be sure to follow through and get back to the person. Likewise, if anyone requests an action you can complete, do so in a timely manner.
Be sure to offer praise and kudos to those who deserve it. Do so publicly and immediately. Avoid criticism or wry comments directed toward or about an employee who is critical, has committed violations, or just doesn’t understand security. Definitely stay away from personal conversations, self-incriminating admissions, and anything that would itself be a privacy or HIPAA (Health Insurance Portability and Accountability Act) violation. These are better left for private, official occasions.
Security through walking around is an excellent tool for measuring the success of your security program. Asking open-ended questions and developing rapport with company team members will help a security manager gain ground in selling the security program and meeting company needs. However, each session should be well planned to prevent wasting valuable time and losing credibility. After the event, write up findings, recommendations and kudos. You represent your corporation and management. Keep conversations professional and avoid the temptation to drift into personal conversations that violate company policy, privacy, or HIPAA compliance.
For more security education and articles, visit Jeff’s website: www.ispcert.com

2 comments:

David Scott said...

In the realm of risk, unmanaged possibilities become probabilities: These data breaches and thefts are due to a lagging business culture. As CIO, I'm always looking for ways to help my team, business teams, and ad hoc measures of various vendors, contractors and internal team members. A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium."
We keep a few copies kicking around - it would be a bit much to expect outside agencies to purchase it on our say-so. But, particularly when entertaining bids for projects and in the face of challenging change, we ask potential solutions partners to review relevant parts of the book, and it ensures that these agencies understand our values and practices.
The author, David Scott, has an interview here that is a great exposure: http://businessforum.com/DScott_02.html
The book came to us as a tip from one of our interns who attended a course at University of Wisconsin, where the book is in use. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. The real crux of the matter is education and training to the organization as a whole – and a recurring schedule of training – in building a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
I like to pass along things that work, in the hope that good ideas continue to make their way to me.

jeff said...

Well said, David. I appreciate the comment and best of success with your book. It looks like it is selling well on Amazon.