To succeed in information security, you must know yourself and your business.
How many times have you been in a situation where politics or personalities sidelined a decision? Information security policies and procedures are developed with the best of intentions, but often fail because they were created without accounting for the dynamics of the organization for which they were built.
Success (as we've heard others say) has a lot to do with group dynamics, motivation and leadership. Whether they realize it or not, the best infosecurity professionals are situationally aware and attuned to what is happening to them and their environment.
The MIT Sloan School of Management has developed a way to assess situations around you. Called Three Lenses, it encourages managers to look at organizational processes from different perspectives to understand how to excel.
- The strategic lens sees the organization as a machine that's designed to achieve business goals by completing required tasks. This perspective requires you to pay attention to the organization's reporting hierarchy, as well as informal teams and task force groups. What rewards and incentives are used to encourage employees to achieve business goals? Here, organizations flourish through methodical planning.
- The political lens is about power. It sees the organization from a Machiavellian point of view and acknowledges diverse stakeholders who struggle for power and may have conflicting interests. The organization's progress depends on interest groups that compete for resources and attention from top management. To succeed, you need to understand who has the power in the organization and how employees can use that power to achieve their individual goals.
- The cultural lens examines the meaning that employees assign to situations. We all rely on informal routines and traditions to guide decision-making; pay attention to cultural elements such as the rituals and symbols that employees use. For instance, quarterly all-hands-on-deck meetings are important at some businesses; others might encourage after-work socializing. Such norms—or habits—are easy to take for granted, but they strongly affect behavior.
Which of the three lenses is right for your organization? All of them. Unfortunately, as information security professionals, we tend to approach security from a purely technological perspective, without accounting for the "softer" side of organizations. Looking through three lenses into your environment will change that.
Will this approach work? Well, consider a security management program that is not tied to the organization's strategic needs. If treated as a goal in itself, the program will become irrelevant. Similarly, a security architecture that lacks support from influential individuals, regardless of formal titles, will be unlikely to gain widespread adoption. A manager who devises policies that conflict with the organization's culture, perhaps by being too constraining or overly permissive, will get stuck fighting a losing battle.
Try using these three lenses when you approach your next security project. They will help you understand which measures are likely to work, which might fail, and who needs to be involved in the development of the program in your organization. When the security program succeeds, so will you.