This chapter describes the process that can be used each year to determine the successes and failures of the cyber security program and organization and a methodology that can be used to correct the failures and to plan for the upcoming years.
Introduction
The information environment of the corporation is very dynamic and must be so for the corporation to successfully compete in the fast-paced widget business in the global marketplace. Consequently, the world of the cyber security officer must also be very dynamic. The cyber security officer must constantly be looking at where the corporate business is going and modify the cyber security program and its organization accordingly. The cyber security officer cannot sit back and think that the cyber security program is in place, its organization is established, and everything is running smoothly—even when you think it is.
As the corporation’s cyber security officer you must be working every day to provide effective and efficient service and support to the corporation, now and in the future. You must project ahead, look at potential new threats to the corporation’s information and systems, and begin now to mitigate them; at the time of writing, cellular phones with built-in digital cameras were one such emerging threat. The cyber security officer must establish proactive processes, because today’s corporations depend too heavily on information and information systems to have those systems fail because the cyber security officer did not see the threat coming. Today’s cyber security officers must be proactive and not constantly reactive. Proactive processes put mitigations in place before a threat materializes, and that is cheaper than reacting after the fact.
The cyber security officer must also reevaluate the cyber security program and have processes in place to constantly update it. In addition, all cyber security program functions must be reevaluated and updated as the need arises, but at least annually. The cyber security officer should lead an annual year-end review and analysis of the cyber security program and cyber security program functions. This is done so that the cyber security officers can have some assurance that they are operating in the most effective and efficient way possible and needed changes are in place.
One-Year Review
The corporation’s fiscal year and calendar year both end on December 31. The cyber security officer decides that the beginning of the fourth quarter (October) is a good time to start planning for the coming year and begin evaluating the current year.
To plan for the coming year, the cyber security officer must first determine how successful the cyber security program and the cyber security program staff have been for the past year. Of interest would be:
• What was accomplished?
• What was planned but never completed, and why?
• What was planned but never started, and why?
• What was successful, and why?
• What wasn’t successful, and why?
• What processes are current?
• What processes require updating?
• If a process was outdated, why was it not updated as needed?
• Is the cyber security program organization operating within budget?
• If not, why not?
• What budget is required for the coming year, as well as two or three years from now?
• If more budget is required, why?
• If more budget is needed, are there other measures that can be taken to minimize the need for a larger budget? (Remember that as a cyber security officer, you get paid for results and not the size of your cyber security program staff or the size of your budget.)
Level-of-Effort Activities
The cyber security officer tasked each cyber security program functional lead to form a project team with selected members of the cyber security program functional staff and evaluate the processes used for completing their assigned level-of-effort (LOE) function. Of course, if the cyber security program function was a one-person job, that person would conduct the review by him- or herself and ask for input as needed from other staff members and the cyber security officer. Remember that the LOE activities are those activities or functions that are the day-to-day cyber security program tasks performed by the cyber security program staff. These activities were those identified as the cyber security officer responsibilities previously discussed and included:
• Access control,
• Awareness program,
• Noncompliance inquiries, and
• Security tests and evaluations program, etc.
This is to be accomplished by each functional team sitting down together to determine:
• What worked?
• What didn’t work?
• Why did it work? (The process may be useful for other functions.)
• Why didn’t it work?
• How much time, on average, was spent doing each task or subtask?
• How might the job be done better?
• How might the processes be changed, why, and what are the potential savings?
• Which forms, if any, should be modified or eliminated? and
• Other considerations.
The cyber security officer directed that any recommended changes be quantified in time and/or cost savings, as applicable. If the changes could not be quantified, the staff members would have a difficult time changing the process. The cyber security officer reasoned that, with few exceptions, process changes that did not save time or money were probably not worth making, as nonquantified changes cost money with usually no return value.
The cyber security officer directed that all members of each function support their functional lead in this endeavor and provide a briefing to be held the first week in November as part of the cyber security officer’s expanded staff meeting, which all cyber security program staff attended. During that briefing, the functional processes would be discussed and modifications approved where necessary. If the modifications could not be accomplished within 30 days, a formal project plan would have to be developed and briefed at that November meeting.
Projects
During the first week of October, the cyber security officer will also begin the evaluation of the cyber security program for the past year. The cyber security officer, in concert with the cyber security program staff, will review the projects that were begun this year, as well as those projects that were begun last year and completed this year.
The cyber security officer will determine the following:
• Did each project accomplish its objective?
• Was the project completed in accordance with the project plan?
• For those projects not completed on time, what was the cause of not meeting the completion date?
• For those projects completed ahead of schedule, why were they completed ahead of schedule? (The cyber security officer wants this information because it may be due to poor project planning, which must be corrected, or it may be due to a unique approach that could be used on other projects.)
• What was the cost of each project?
• Were the projected benefits of the projects realized, and if not, why not?
The cyber security officer will, in concert with the cyber security program staff, analyze all the projects and, based on that evaluation, modify the process used for initiating, determining costs, determining resource allocations, and determining schedules for all new projects.
Also of importance is feedback from corporate employees: their evaluation of service and support provided to them by the cyber security officer and cyber security program staff. The employees’ opinions as to what improvements can be made in the cyber security program to minimize costs and provide the necessary level of information environment protection are also important. The cyber security officer and staff will develop a survey to be sent out to all departments. The feedback received will also be incorporated into the year-end evaluation–analysis. Some cyber security officers may not want to take this survey approach, because they may be reluctant to receive criticism and complaints from non-cyber security program professionals about how the cyber security officer and cyber security program staff can better do their jobs. However, such feedback is important and should be welcomed and considered at all times.
Once the analysis is complete, the cyber security officer and staff members will determine what new projects will be required for the following year. Those projects, once identified, will be assigned to the applicable members of the staff, that is, to the project leads. The staff members will then be given 30 days to complete a draft project plan. That plan will identify the specific objective to be accomplished, all tasks, milestones, resources required, etc.
During the staff meeting held during the first week of November, all the project leads will present their project plans to the cyber security officer and the staff. The project plans will be evaluated and discussed by the cyber security officer and the staff. Any recommended changes to the project plans will be cause for actions to be taken to change the plans as appropriate. In addition, the overall project plan process will be discussed and modified as needed.
It is the responsibility of the cyber security officer to ensure that adequate resources are allocated for the completion of the projects as planned. Where several members of the cyber security program staff are assigned to lead or support multiple projects, the cyber security officer will prioritize the projects and then allow the project lead and project support staff to work out the details. Where conflicts in work arise, the matter will be discussed with the cyber security officer, who will make the final decision based on the input of all those concerned and the proper allocation of resources.
This approach follows the management philosophy of having decisions made at the lowest possible level where the required information on which to base a decision is known. It also meets the cyber security officer’s philosophy of trusting your professional cyber security program staff and treating them as part of the professional cyber security program team.
Cyber Security Program Strategic, Tactical, and Annual Plans
Once the cyber security officer has been briefed on the above LOE and projects, the results will be mapped against the cyber security program strategic, tactical, and annual plans. The LOE and project results could be identified as some of the specific building blocks of each of the plans.
The cyber security program annual plan’s goals should have been accomplished. If so, the cyber security officer then identifies the links between the successful accomplishment of those goals and the corporation’s annual business plan, and, as appropriate, the cyber security program strategic and tactical plans.
If a direct link between the accomplishments of the cyber security program staff and the goals of the plan cannot be shown, the cyber security officer must question why the specific projects or LOE identified were ever done in the first place. There may be a very valid reason; however, this should always be questioned, as any resource allocations that cannot be directly linked back to the accomplishment of stated goals are probably misallocations. They are an added cost burden on the cyber security program budget as well as an additional overhead cost to the corporation.
Linking Cyber Security Program Accomplishments to Corporate Goals
The cyber security officer believes that the initial reasons for the corporation’s cyber security program and the corporation’s reasons for establishing the cyber security officer position have not changed, but a reverification and validation would probably be a good idea. To be sure that the cyber security program and the cyber security officer’s accomplishments are meeting their stated purpose, the cyber security officer decides on the following course of action:
• Using a link-analysis methodology, the cyber security officer maps all the LOE and project results to all applicable cyber security program and corporate plans and
• The cyber security officer develops a formal presentation to be given to the corporate executive management in which the cyber security program status is briefed (assuming that the cyber security officer’s boss agrees).
If the cyber security officer does a link analysis, it may disclose that overall cyber security program goals, LOE, projects, and objectives were, with some minor setbacks and exceptions over the year, meeting the needs of the corporation.
Let’s look at a possible scenario: The cyber security officer discussed the matter with the chief information officer (CIO). The CIO agreed that a briefing would be a good idea, especially since this was the end of the first year of the formal cyber security program under the cyber security officer. The executive management would want to know:
• What was accomplished,
• The cost of the cyber security program,
• The status of the overall protection of the corporation’s information environment, and
• What else was needed to ensure a secure information environment.
The CIO provided several recommendations:
• The briefing should take no longer than 15 minutes and allow 15 minutes for questions;
• The cyber security officer should not use any technical jargon but speak in business terms of costs, benefits, and competitive advantage and give the management some sense of assurance that the information and systems are being protected as needed;
• The briefing charts should be clear, concise, and more of a graphical presentation than text—another reason for “management by metrics”;
• The briefing should be given professionally and objectively; it should not be used as a soapbox for requesting additional resources or to show what a great job the cyber security officer is doing;
• All briefing charts should be provided in a package for each member of the audience with supporting detailed charts; and
• At least 5 of the 15 minutes should be used to brief on next year’s projects and goals, their costs, and how they would benefit the corporation.
The cyber security officer had not been prepared to present the new year’s plans and projects as part of the briefing. However, it appeared that the necessary information would be available based on the previous briefings and discussions with the cyber security program staff.
The cyber security officer suggested a briefing to be held the first week of December. The CIO agreed to set it up. The cyber security officer’s rationale for a meeting in December was that the cyber security program staff’s LOE and project input would be available on or about the first week of November, and that would provide sufficient time to develop the briefing.
The cyber security officer wanted to ensure that the briefing accomplished its goals, and that could be jeopardized, not by the material, but by the manner and format used. The cyber security officer had heard of several briefers having their messages ignored because the format, fonts, colors, or whatever was used to present the facts was not liked by one or more of the executive management.
The cyber security officer knew that such trivia should not be a prime concern of executive management, but the cyber security officer also knew that such things did occur. To ensure that the cyber security program briefing was successful, the proper format would be the first item of business.
The cyber security officer stopped by the desks of several of the key executive managers’ secretaries, who provided insight as to the correct format, font size, and color of slides to use. At the same time, the cyber security officer was given some valuable tips from several of the secretaries as to how to present the material in a manner that the executives preferred. (Note: Although throughout this book the cyber security officer actions are discussed, some may be delegated by the cyber security officer, such as this task to the cyber security officer secretary or administrative assistant.)
The cyber security officer long ago learned that the secretaries of the executive managers had great insight into what worked with their bosses and what didn’t. The cyber security officer’s respect for them and informal assistance to them over the year had made them close allies. Now, that friendship would be able to help ensure a successful briefing format.
As part of this briefing, the cyber security officer developed an annual report for each corporate department vice president based on the metrics charts used throughout most of the year. That annual report contained some narrative and analyses supported by metrics charts showing the status of each department’s compliance with the cyber security program and the security of their information environment. It included an executive summary in the front of the report and recommendations for improvements that could be made in the future, as well as the benefits of the recommended improvement versus the potential costs and cost savings.
Metrics Analysis
As part of the year-end review, the cyber security officer did a complete analysis of the metrics charts that had been developed and used throughout the first year of the cyber security program.
The cyber security officer noted that the charts had grown to more than 47 separate metrics charts. The cyber security officer was concerned that some of the charts had outlived their usefulness, while others continued to be of value, and possibly some new charts were needed.
The analysis of the metrics charts indicated that several of the charts had been necessary to track particular problem areas. However, some of the problems appeared to have been resolved, and the metrics charts for the previous 4 months had supported that view.
Some metrics charts were developed and briefed periodically to management because some managers were interested in periodically knowing the amount of LOE being used to support some specific tasks. The cyber security officer decided to identify those charts to the managers who were interested in the information and gain their approval to eliminate those charts, as it appeared the information provided had met their needs. If not, it might be possible to provide that information to management on an annual or semiannual basis instead of in the current monthly or quarterly report. The final decision should be made by the cyber security officer’s customer.
The cyber security officer took all the metrics charts and identified them by their objectives—in other words, their purpose for being developed and used. Those would also be linked to specific areas that support the corporate cyber security program and cyber security program organizational plans. The cyber security officer wanted to be sure that the metrics used to help manage the cyber security program and its organization met the needs of the cyber security program, of management, and of the cyber security program organization.
The cyber security officer knew that metrics charts tend to increase and seem to sometimes take on a life of their own. The cyber security officer was concerned that the time it took to track specific LOEs and projects using metrics was sometimes not cost-effective. By identifying the charts against their purpose in a matrix, the cyber security officer found that it was easy to analyze the metrics charts and their purpose.
Planning for Next Year
The cyber security officer had received the input from the cyber security program staff at the November meetings. Based on that input, the cyber security officer was prepared to write next year’s cyber security program annual plan and update the cyber security program strategic and tactical plans. However, to accomplish those tasks, the corporate plans must be received. After all, the cyber security program plans had to support the corporate plans.
The cyber security officer knew that the draft of the corporate plans would not be available until January. Therefore, the cyber security officer drafted the cyber security program annual plan and updated the cyber security program strategic and tactical plans based on information gathered through discussions with various levels of management involved in developing the corporate annual plan and updating the tactical and strategic plans.
The cyber security officer implemented the cyber security program plans on January 1, without waiting for the draft corporate plans. The cyber security officer did so to begin the much-needed LOE modifications and projects that were time-dependent. If they were not started right after the first of the year, their schedules might have to be slipped. The cyber security officer could not afford to do that and took the risk that the information gathered to date was accurate and that any changes at the corporate level would cause only minor adjustments to the cyber security program schedules—if any.
As part of the cyber security officer and cyber security program staff year-end analyses, a flowchart was developed, which would be used for briefings and also would let cyber security program staff see how their jobs supported the corporation.
The cyber security officer and staff also took all their risk management reports for the year and evaluated what was accomplished to correct cyber security program deficiencies and determine what needed to be done in the coming year to correct other deficiencies. These then were linked through a vulnerabilities–projects flowchart to identify “Strategic Direction: Cyber Security Program Projects to Address Vulnerabilities.”
After completion of all the executive management briefing charts, and one week prior to briefing executive management, the cyber security officer gave the briefing, with additional analysis of the cyber security program and cyber security program functional accomplishments, to the cyber security program staff. The one-week interval was to ensure that the briefing was accurate and that the charts said what needed to be said. The cyber security program staff could evaluate the briefing and provide an avenue for constructive criticism. After all, the cyber security officer wanted, as a side issue, to show executive management the outstanding job done by the cyber security program staff during the past year, without saying so. In other words, let the briefing speak for that.
The CIO was invited to attend the cyber security officer’s “expanded staff meeting” so that the CIO would not have any surprises at the executive management briefing. In addition, the cyber security officer wanted the CIO to attend to say a few words after the briefing, thanking the cyber security program staff for their fine work over the past year. The cyber security officer believed that such visibility of cyber security program staff to executive management would also boost morale, as they would see that their hard work was appreciated.
Upon the completion of the successful briefing, the cyber security officer scheduled another expanded staff meeting to be held on a Friday before the holidays and scheduled to last all day. At that expanded staff meeting, the cyber security officer had a catered lunch brought in as a special measure of thanks to the cyber security program staff. After all, if the cyber security program staff was not successful, the cyber security officer could not be successful.
Questions to Consider
Based on what you have read, consider the following questions and, as a cyber security officer, how you would reply to them:
• Do you have a process in place to conduct a formal year-end analysis of your cyber security program and cyber security program functions?
• If not, why not?
• If so, does it include cost–benefit analyses?
• Do you provide a “state-of-the-cyber security program” report of the corporate information environment at year’s end?
• If so, is it briefed to executive management?
• Are “subreports” provided to each department head addressing specifically the status of the protection of their information environment?
• Do you involve your cyber security program staff in the year-end reviews, analyses, and planning?
• Do you reward your cyber security program staff for a job well done at year’s end—by more than words?
• How would you go about conducting and improving on the process described in this chapter?
Summary
Evaluations and analyses of the entire cyber security program and cyber security program organization help maintain a proactive and current protected information environment. The cyber security officer should remember the following points:
• It is a good idea to evaluate the entire cyber security program and cyber security program functions on an annual basis.
• The evaluation should include all projects and LOEs.
• Changes should be made by which value is added in terms of cost decreases, productivity gains, or time savings.
• Executive management should receive a clear, concise, business-oriented briefing on the state of the cyber security program and the corporation’s current protected information environment at least on an annual basis.
• Metrics charts should be evaluated at least annually and then eliminated or modified as necessary.
• Link-analysis methodologies are useful in determining the success of a cyber security program.