I2 Security Professionals Workshop - May, 2004

Partnering for Success in the Security Discussion at Northeastern: Gaining Traction through Influence

Glenn C. Hill, CISSP, Manager of IT Security, Northeastern University

Copyright Glenn C. Hill, 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Imperatives around Information Security

Customer, community, institutional and regulatory expectations exist.

Security does not come naturally to everyone.

Not everyone understands the relevance of security to their work.

Educators often have other things to think about.

Yet…

Security is a shared responsibility.

Security risks are man-made problems that require human and technical forces to address.

Single-sided efforts are often less successful and more costly over the long run.

Challenges…

Create mutual understanding: “Security is more a journey than a destination.”

Create shared value in the security proposition.

Identify reasonable “waypoints” on the security journey.

Identify and overcome natural resistance.

Underwrite successful outcomes through cooperation.

Techniques to gain traction…

Identify essential/optimum partnerships and stakeholders (the right people).

Codify business problems (relevant risk and consequence list).

Diagnose the environments.

Anticipate resistance, but avoid SFP.

Expect the academic argument.

Illustrate relevance and benefits of security opportunities.

Techniques to gain traction…

Create safe and respectful discussion environments.

Exchange trading currencies.

Build trust.

Identify incremental opportunities and clear paths to change.


Trading Currencies….

Gaining influence through exchange

Trading Currencies

Inspiration

Task

Position

Relationship

Personal

Adapted from Allan Cohen & David Bradford: “Influence without Authority”

Inspirational Currencies

Vision - Involvement in a task of larger significance.

Excellence - Chance to do important things well.

Moral/ethical correctness - Doing what is “right” by a higher standard.

Task-related Currencies

New resources - $, budget increases, people, space.

Challenge - Doing tasks that increase skills.

Assistance - Getting help.

Task support - Backing or assistance with implementation.

Rapid response.

Information - Access to knowledge.

Position-related Currencies

Recognition - Acknowledgement.

Visibility to higher-ups.

Reputation - Seen as competent/committed.

Importance - Sense of belonging.

Contacts - Opportunity to link with others.

Relationship Currencies

Acceptance/inclusion - Closeness.

Understanding - Having concerns listened to.

Personal support - Personal/emotional backing.

Personal Currencies

Gratitude - Appreciation/expression of indebtedness.

Ownership/involvement - Ownership/influence over important tasks.

Self-concept - Affirmation of own values/identity.

Comfort - Avoidance of “hassles”.

Handling your trading currencies…

Your optimum/necessary partners are the targets of influence.

To gain influence, one must have and spend valued trading currencies.

The Key Relationships: Where to spend your trading currencies

Administrative

Faculty

Business-Centered

Student-Centered

External

Spending on Administrative Relationships

CIO

Office of University Counsel

Internal Audit

Human Resources

External Affairs/University Relations

Public Safety

Student Affairs

Office of the President

Spending on Faculty Relationships

Provost

Faculty leadership

Individual faculty with specific interests

Spending on Business-Centered Relationships

Office of the Registrar

Student Customer Service Center

Enrollment Services

CFO/Controller

Risk Management function

Division of Research

Residential Life

“ResNet”

Spending on Student-centered Relationships

Students (1:1)

Student representation (RSA)

Student media leadership

Student advisory groups

Spending on External Relationships

Peers in higher ed

Peers in other businesses

Local media (**)

- Observe policy on speaking with media.

- Carefully identify opportunities to get involved.

- Create positive impression.

- Get on the “experts” lists.

Lessons Learned

Security is a shared imperative with shared responsibility.

Security is not universally understood.

Risk must be relevant and illustrated.

Resistance is natural.

To gain traction, you must overcome resistance.

Diagnose the others’ world.

Know trading currencies.

Calculate your exchanges.

Lessons Learned

Know when to give binary vs. analog answers.

Encourage evolution…not revolution.

Not everyone is “wired” for these discussions. Choose optimum partners.

Technical, influential and diplomatic skills are not always found together.

- Seek participants with these skills.

- Where they don’t exist, grow them.

Be willing to accept small victories.

Take-away concept… Influence is key. Gain it by…

Identifying optimum partnerships.

Developing and spending trading currencies.

Illustrating an exciting and mutually beneficial vision of the post-change environment.