Tre Smith - From Decision to Implementation: Who's on First?
From Decision to Implementation…who’s on first?
Agenda
• The Challenge
• Governance Structures (NIST)
• Obstacles
• Know Your Audience
• Desired Outcomes
3
What to do with unmanaged risk?
Physical
Technology
Administrative
Controls?
4
Governance Structure
A common flow of information and decisions at the following levels within an organization:
• Executive
• Business/Process
• Implementation/Operations
5
Risk Management to Implementation
6
Negative Influences
• Unrealistic Expectations
• Decentralized IT
• Resource Availability
• Architecture Limitations
• Priorities
7
Priorities - typical
Executive
Business/Process
Implementations/Operations
8
Priorities cont…
Transform: Acquisitions, New Service Lines, Research and Development
Grow: Do more with less, more revenue, Staff Development
Run: Deploy new systems, upgrade applications, fix desktops, timesheets and status reports
9
What can you do?
Know your audience:
• Executive
• Business
• Operations
What’s your desired outcome at each level?
Use words they understand…
10
Is it really top down?
Decisions
Controls
Each process is more linear with various stops and starts…
Who’s on first?
11
…You have to decide:
• Who do you need to talk to?
• What do you want to happen?
• How do you need to say it?
Decisions
Controls
12
Translation May WILL Be Required…
We need Advanced Malware Protection and Next Generation Firewalls!!!
Your Boss Said…Deploy a Sandbox Tool!!!
The Board Said…Stop the Bad Guys!!!
13
Try a different approach…
…You have to decide:
• Who do you need to talk to?
• What do you want to happen?
• How do you need to say it?
REMEMBER: They all have different priorities!!!
14
Buy in…From Executive Level to Transform
Who do you need to talk to? Executive Level
What do you want to happen? Documented support to invest in Next Generation Tools to combat current threats
How do you need to say it? The bad guys are using more sophisticated attacks, I need IT Leaders to allocate resources to identify tools that will reduce our threat surface!!!
15
Resources…From the Business Level (Growth?)
Who do you need to talk to? Business Level
What do you want to happen? Staff assigned to identify tools that will reduce our threat surface
How do you need to say it? The Board expects IT Resources will be assigned to investigate tools that address the latest types of malicious attacks. I need to report back next month!!! Who can I work with?
16
Results…Operations…this is the NEW RUN!!!
Who do you need to talk to? Operations Level
What do you want to happen? A tool is identified that will integrate well in our environment and address current threats.
How do you need to say it? Your boss said get a list of tools that can be used to prevent/detect ransomware…I need the list in 2 weeks…
17
Governance Structure – New Outlook
18
Recap
1) Take the Time to Know your audience
2) Define your desired outcome before starting the conversation
3) Ask for what you want in terms that they understand
4) ACTIVATE YOUR SUPER POWER!!!
19
QUESTIONS?