03.19.07 Strategy Before Tactics
By Dan Morrill
If you have no defined strategy, then whatever tactics you employ probably won't meet your goals.
How many of us in the information security business have bought a product, tool, policy or process from a company because we needed to meet a legal requirement, had a passing interest in a neat new toy, or got a recommendation from a group or consultant, without really visualizing how it will fit into our strategic and tactical goals for the company?
Evaluating technology can be fun, but when looking at a business reason for doing a thing, ask how it fits into the strategic vision of the company, and then what tactical exercises will be required to make it part of the day-to-day processes in the company.
If you purchase an IDS, what business problem are you trying to solve? Normally the answer (regardless of HIDS or NIDS) is to track, trace, and in some cases eliminate both external and insider threats to company assets and data. This strategy works for anti-virus, spy sweepers, and other systems that use rule sets or anomaly detection to discover someone doing something bad.
If you purchase a security enterprise management system, what business problem are you trying to solve? The answer could be "I have 4 different types of systems, VPN, firewalls/routers, HIDS, and event logs, all of which create data that is stored at 4 different points on the network. I need a system that will collate and report on all of these data points, and allow the organization to do its work more effectively than it is currently doing."
These are good strategies: I am buying a technology to solve a problem, or several problems. These are strategies that can end in an ROI. For example, before AV and anti-spyware, the security department and help desk spent X hours a week fixing issues; since AV and anti-spyware, they spend Y hours a week fixing issues. That decrease in man-hours should equate to an amount greater than what was spent on the technology, depending on the amortization of the technology costs.
Tactically, though, what do you have to do with AV to make it work day to day?
The help desk has policies and procedures on what they need to do. These are the day-to-day tactical tasks required to keep the system up and running.
The security department has policies and procedures on what they need to do, like containment, follow-up, generation of policies, and upkeep of policies and procedures as AV interfaces change.
This same line of thinking can be used on just about any project that any department wants to buy, even when the regulatory environment dictates a series of steps or technology types that should be used. If you need to do SOX compliance, part of the strategy steps would include the requirement for SOX compliance. For tactical compliance there would be:
• The right technology for the company at the right price
• How does it fit into the infrastructure of our company?
• How will it be maintained and used?
• What policies and procedures are required for the new technology?
• What defines actionable data, and who gets it?
Getting the right strategic framework around what you want to solve, and then developing a suitable tactical solution to the strategic goals, will help make the project more successful. Rather than accumulating many systems in a company that do the same or similar things, go back and evaluate any technology you are considering against the technology you already have, against the strategic goals for the company, and then against how it will be implemented at a tactical level.
About the Author: Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.