To better understand how we as security professionals can hone our messaging across the organization and up the corporate food chain to elicit the responses we are seeking, we recently spoke at length with Michael Santarcangelo (@catalyst) of Security Catalyst, widely recognized in the security field as an effective communicator and catalyst for change and improvement.
Santarcangelo draws on nearly two decades of translating the complexity of security into transformative experiences. With a background that blends security with the science of human ecology, Santarcangelo developed, applies, and teaches a system designed for individuals and organizations to effectively communicate value.
In the first part of our discussion, Santarcangelo discussed the fundamentals of communication, how to define a common vernacular, and the art of translating technical knowledge into functional outcomes that resonate with the business.
To accomplish this translation effectively, security professionals need to understand what it is that is most important to the organization, and then be able to prioritize actions based on risk factors and potential impact to the business.
Santarcangelo said this can be accomplished by adopting the Value Imperative Mindset, a strategy made up of five factors that work together to build business value and to assess projects and programs objectively, determining how each contributes to that value.
“It’s a move away from counting hours, tasks, and deliverables and towards always building business value. For most people, this is a radical but liberating shift in the way we approach our work,” Santarcangelo said.
The Value Imperative Mindset is currently a work in progress, and Santarcangelo expects that materials will be released in late August or early September of this year and will be available free of charge.
Ahead of the strategy’s release, Santarcangelo offers advice on how we as infosec professionals can keep security efforts aligned with the organization’s objectives, which he says is no simple task.
Again he emphasizes that the first step is to really understand your organization’s primary business objectives.
“Not just the words, but the meaning… the intention,” Santarcangelo said. “A lot of executives say nice things, powerful things even, and it is the security team — especially the leadership — that has to filter it down to truly gain clarity on the business’s purpose.”
Documenting the expected outcomes is a necessary first step, and it takes a certain knack to get this right, Santarcangelo says.
“Then you are in a position to review these outcomes in light of the business by considering the aspects of the process, the steps needed to succeed, and the teams and technologies involved.”
Understanding the impact of security efforts on the business means learning to measure what really matters by focusing on measuring outcomes.
“Not the small things. Measure the big things. While complex and advanced models are great, start small. Keep it basic. Look for evidence that the program is working,” Santarcangelo said.
“Effective measurement is a blend of qualitative and quantitative efforts, and the key to the story is having a clear view of what the baseline situation looked like and how the situation changed as a result of your actions. How do we know what changed? And even more to the point, how do we know this change was a good thing?” he asked.
This raises the question of how we can be confident that we are measuring the right things in our evaluations. Santarcangelo says we need to answer three critical questions:
- Does the measurement provide the insight necessary to adjust the program?
- Does the measurement make sense to others, and represent success?
- Does the measurement demonstrate increased business value?
The key is to measure meaningful outcomes, and this means resisting the urge to simply count things. Santarcangelo uses the example of a team he had worked with that was excited to have created a dashboard reporting over 1400 vulnerabilities against five key servers.
“When we probed the value, the cost, the time to repair issues, the priority for remediation, etc., all we got were blank stares, shoulder shrugs, and an admission that we really don’t know all that because we were just counting vulnerabilities, not really measuring impact,” Santarcangelo said.
“Really measuring the right things would allow for incremental improvements, new insights into what else you need to adjust, and that will provide a demonstration of an actual increase in the business value of the security efforts.”
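To make the difference between counting and measuring concrete, here is an added example (not from the interview, Security Catalyst, or the team Santarcangelo describes) that evaluates a set of vulnerability findings two ways: the raw open count the dashboard showed, and outcome measures such as time to repair, remediation within a target, and findings already past their target. It also compares a baseline day with a later review day, which is the "what changed, and was it good?" question from the interview. The findings, the hosts, and the per-severity target days are all constructed for illustration.

```python
"""Counting vulnerabilities versus measuring remediation outcomes (added example)."""
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str                    # "critical", "high", "medium" or "low"
    found_day: int                   # day the finding was first reported
    fixed_day: Optional[int] = None  # None while the finding is still open


# Assumed remediation targets in days per severity (illustrative, not a standard).
TARGET_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed sample findings; days are counted from the start of the program.
FINDINGS = [
    Finding("db01", "critical", 0, 5),
    Finding("db01", "critical", 1, 20),
    Finding("db01", "high", 0, 15),
    Finding("web01", "high", 2, 40),
    Finding("web01", "medium", 2, None),
    Finding("web02", "low", 5, None),
    Finding("app01", "medium", 3, 12),
    Finding("app01", "high", 30, 36),
]


def is_open(f: Finding, as_of: int) -> bool:
    """A finding is open on a day if it was reported by then and not yet fixed."""
    return f.found_day <= as_of and (f.fixed_day is None or f.fixed_day > as_of)


def is_fixed(f: Finding, as_of: int) -> bool:
    return f.fixed_day is not None and f.fixed_day <= as_of


def open_count(findings, as_of: int) -> int:
    """The dashboard number: how many findings are open on the given day."""
    return sum(1 for f in findings if is_open(f, as_of))


def overdue_open(findings, as_of: int) -> int:
    """Open findings whose age already exceeds the target for their severity."""
    return sum(
        1 for f in findings
        if is_open(f, as_of) and as_of - f.found_day > TARGET_DAYS[f.severity]
    )


def median_days_to_fix(findings, as_of: int):
    """Median days from report to fix, over findings fixed by the given day."""
    days = [f.fixed_day - f.found_day for f in findings if is_fixed(f, as_of)]
    return median(days) if days else None


def within_target_rate(findings, as_of: int):
    """Share of fixed findings that were fixed within their severity's target."""
    fixed = [f for f in findings if is_fixed(f, as_of)]
    if not fixed:
        return None
    met = sum(1 for f in fixed if f.fixed_day - f.found_day <= TARGET_DAYS[f.severity])
    return met / len(fixed)


def snapshot(findings, as_of: int) -> dict:
    """The count beside the outcome measures, for one day."""
    return {
        "open": open_count(findings, as_of),
        "overdue_open": overdue_open(findings, as_of),
        "median_days_to_fix": median_days_to_fix(findings, as_of),
        "within_target_rate": within_target_rate(findings, as_of),
    }


def compare(findings, baseline_day: int, review_day: int) -> dict:
    """Baseline versus review: each metric as a (before, after) pair."""
    before, after = snapshot(findings, baseline_day), snapshot(findings, review_day)
    return {name: (before[name], after[name]) for name in before}


if __name__ == "__main__":
    for name, (before, after) in compare(FINDINGS, 10, 45).items():
        print(f"{name:>20}: {before} -> {after}")
```

Run on the sample, the open count drops from 6 to 2 between day 10 and day 45, which looks like unambiguous progress. The outcome measures tell a fuller story: no open finding is past its target any more, but the share of fixes landing within target fell from 100% to about 67%, and the median time to fix rose from 5 to 12 days because the later closures included a critical and a high that ran well past their targets. That is the kind of insight the count alone cannot give, and it points at what to adjust next (prioritization of criticals) rather than just reporting a smaller number.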
We asked Santarcangelo whether, once this level of metrics analysis has been achieved, it is time to begin making security efforts more visible to the rest of the organization. He countered that making security more visible is not really the point, and that the key may be to make it less visible while inspiring individual responsibility.
“My focus is on transforming security programs to center on the mindful actions of people. The more security is visible, the less people feel the need to take responsibility,” Santarcangelo noted.
“The key is to connect people to the impacts of individual actions and decisions, and while the industry tends to focus on the negative, in my practice we actually seek to amplify the good™.”
This is essentially because no one likes to be told of, or reminded of, their mistakes, Santarcangelo says, and influencing behaviors through appropriate modeling and positive reinforcement requires a change in the way we think, communicate, and act as a whole.
“There is no trick, it’s a process,” Santarcangelo said. “Shift the mindset, change the actions, get better results.”