I recently finished the book “Traction” by Gino Wickman. Next to Scaling-Up by Verne Harnish, I think it is one of the most actionable business books I’ve ever read. Our team has informally adopted both books as part of the risk3sixty canon. While the book is largely about building a well-run business, I think many of the same lessons apply to building a well-oiled information security program.
If your security organization hasn’t formally adopted these action items – then you will probably get a lot of value out of reading “Traction”.
Does Your CISO Do This?
1 | Have you clearly defined roles and responsibilities within the security organization?
2 | Does each role owner have a specific set of objectives to accomplish this week, this quarter, this year?
3 | Do you have regular meetings to measure results and track progress against mission objectives?
4 | Have you established measurable KPIs (a scorecard) with defined owners within the security organization?
5 | Have you defined the security organization’s mission, core values, and vision?
6 | Does all of this align with the business’s objectives?
Battle Rhythm – Something You Can Start Today
If you haven’t done so already, working through the list above (in order) is worth the time and effort. For an average-sized security team it might take 6 – 12 months to work out the kinks, but it will change the way your security team operates for the better. One thing you can do today, though, is establish an effective set of standing meetings to “operationalize” your security team.
Here is your new meeting cadence:
THE WEEKLY TACTICAL MEETING
Meeting purpose: Review KPIs, align on the mission for the week, discuss any immediate barriers
Who should attend: The whole team (if more than 10 people, split into smaller team meetings)
Duration: 60 – 90 minutes (ours is 60 minutes)
THE QUARTERLY STRATEGY ALIGNMENT MEETING
Meeting purpose: Review scorecard trends, assess progress toward the mission, discuss any major changes
Who should attend: The management team
Duration: 2 – 8 hours (ours is 2 hours)
THE ANNUAL OFF-SITE MEETING
Meeting purpose: Set the mission and vision for the year, define goals, clarify roles, adjust KPIs, and confirm how all of this fits with the business’s objectives
Who should attend: The management team
Duration: Ours is usually 2.5 days of work plus a half day of fun
Where: Off-site, if possible
Let’s Get Started
If you or your team need help taking your security program to the next level, please contact us.