Building the Information Assurance Program

In 1948 in his book “The Seven Story Mountain”, Thomas Merton wrote “Success – the logic of worldly success rests on a fallacy:  the strange error that our perfection depends on the thought and opinions and applause of other men.”

Within the Information Security profession we must agree with Thomas Merton that the early definition of success is not one that fits our world.  Not many of us in the profession receive the applause of other men or women during the course of our duties.  Think about it for a moment, if you write a “Tough” Policy that forces people to do something that they are resistant to do then do you really think that the applause is going to start rolling in?  The opinions will so at least we’d be half way to the fallacy of “worldly success”.

Yet, as Information Security Professionals, we know that having Policies based on International Standards, best practices, etc. combined with a mechanism to enforce compliance with those policies is a critical component to having a successful program.

So, if we buy into the belief that success isn’t about counting on the applause of your community members than what does success look like for an Information Security department, or an information security professional?  The definition of success can be different for each Information Security department based on their self identified mission and vision.  One Information Security department I worked with decided to follow a modified version of Roger Allen’s formula for success, as explained in his book “Winnie the Pooh on Success,” in which Winnie and the gang discuss the formula for being successful.  The Key Success factors in Allen’s book are:

  • Select your Information Security Vision
  • Use your Information Security Vision to set your Team Goals
  • Create an Information Security plan
  • Consider resources
  • Enhance Skills and Abilities as necessary – I have found SANs training good for this
  • Spend Time Wisely
  • Start! Get Organized and Go

While it is challenging to meet your Information Security success criteria I encourage you to continue to move forward in the belief that small systemic improvements over a long period of time will ultimately lead to both yours and your team’s success.

Said another way – focus on getting your wins where and when you can with the understanding that each win will move you closer to your goals and the fullfillment of your vision.  Do not worry or overly fret about the things you can cannot accomplish, focus your time and energy on those items that you can accomplish.

© Kevin L. McLaughlin, probably cited re-use is acceptable

About mclaukl

Professional Certifications - Certified CISO, CISM, CISSP, PMP, ITIL Master Certified, GIAC Security Leadership Certificate (GSLC), CRISC. Kevin also holds Certificates in the Advanced Principles of Information Security and in Advanced Information Security Research Methods from Jones International University. Kevin L. McLaughlin began his career as a Special Agent for the Department of Army. He was responsible for investigating Felony crimes around the globe. He has had many careers over the years, including being a Police Officer in Kissimmee Florida, an Investigator for Mastercard/Visa, a Middle School teacher, a Director at Kennedy Space Center (where he worked with Fred Hayes, James Lovell, Armstrong, Sheppard, etc.), the President of his own company, an IT Manager and Senior Information Security manager with the Procter & Gamble (P&G) company (fortune 35), a CISO at the University of Cincinnati and a Senior Information System Security Manager for the Whirlpool Corporation (fortune 125). Kevin has also been an adjunct since 1992. While at P&G Kevin created one of P&G’s augmentation outsourcing teams in India. Kevin designed and implemented this India team and it won a global Gold Service award from Atos-Origin and has acted as a model for countless corporate relationships since. Over the years Kevin has: created an Information Security program conducted Information Security Strategic planning designed Information Security solutions, investigated over 700 Cyber cases and operated a Global Security Operations Center. • Education - MS in Computer Science Education, BS in Management of Information Systems * PhD in Cyber Security, University of Fairfax
This entry was posted in Uncategorized and tagged , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s