Secure Digital Solutions, LLC
13 May 2017

Hiring a Security Rockstar

May 13th, 2017

Secure Digital Solutions CISO, Ed Snodgrass, recently had the privilege of writing for Forbes Technology Council. The title of the piece is “Looking To Sign A Security Rock Star? Money Isn’t Everything.” A summary of the article is given here, with the full article located on Forbes.

What follows is a high-level summary of the original article posted on Forbes.com on May 3rd, 2017:

There’s a cybersecurity talent war going on. Skilled resources are in high demand, and the competition for them is fierce. Big companies pay big money to attract and retain talent, potentially leaving small to mid-size organizations in a tough spot to compete on those grounds alone. In summary:

Give them a path forward: You brought them in for what you need today. Work with them to build a plan for what you’ll need tomorrow. Discuss career aspirations, help them build an individual roadmap based on goals and milestones, and support it. Your people will know they have a challenging and rewarding future ahead. It’s mutually beneficial.

Share the company’s mission and strategy: Knowing how security and their specific role supports the company’s overall mission provides context and creates ownership in the organization’s success. The role they’re currently in may not be glamorous, but it’s critical and they know that.

Support continuing education and networking: Give them time to get that new security certification. The knowledge they’re gaining will make them smarter, and your company will be better off for it. Security conferences are important, too. Security pros need to stay up to date with the latest threats and the latest countermeasures showcased at these events. Yes, they go to network, too, but that’s not necessarily a terrible thing. After all, if they’re happy working for your company and others see that, perhaps a respected and talented colleague will want to be happy working for your company as well.

Respect and acknowledge their expertise: Security professionals are paranoid — and that’s a good thing. When they come in with a discovery or a suggestion (read: “We absolutely have to do this”), make sure you listen. Discuss it. Weigh pros and cons, and ultimately, if your decision isn’t the course of action recommended, they’ll know why. They’ll know their counsel was valid and they’ll respect it.

Be real: Engaging in candid discussions about professional development is critical. The pros will take your constructive feedback as a personal challenge to better themselves rather than petty criticism — but only if you’re open to their constructive feedback as well. At the end of the day, they know you call the plays and they respect that.

Recognize their achievements: Security can be a thankless job because “no news is good news.” Much of the demanding work it takes to protect a company goes on behind the scenes and in windowless rooms. Appreciate what they do, and they’ll appreciate it, too.

If they want to leave, help them leave: That doesn’t mean push them out the door; it means set them up for success in their next role. Know what their new opportunity is offering them and why. Talk about the things they’ve learned and their professional growth as a member of your organization and thank them for being a part of the team. Despite the substantial number of security practitioners out there, it’s a small community. With so many open positions available, security pros can pick and choose where they go, and security culture is just as important as compensation. Build a great culture, and you’ll be amazed by the results.

11 Apr 2017

Quest for Excellence in Cybersecurity Management

April 10th, 2017
Adam Stone, Principal, Secure Digital Solutions

Baldrige’s recently published framework raises the bar for information security leaders by tying cybersecurity program management to performance excellence.

The Baldrige Performance Excellence Program, the venerable organization behind the national award for Performance Excellence® and quality for U.S. firms, released the final version of the Baldrige Cybersecurity Excellence Builder v1.0 (BCEB) self-assessment tool following their annual summit last week in Baltimore. Initiated in response to Executive Order 13636, the BCEB blends two NIST products (the Cybersecurity Framework and the Baldrige Excellence Framework) into a single assessment methodology. The goal of the BCEB is to help security leaders assess the effectiveness of their approach to cybersecurity, as determined by the unique needs, goals, and capabilities of their firm. Organized by seven categories (leadership, strategy, customers, measurement, operations, customers, and results), the BCEB uses process maturity as the key metric for communicating the strengths and weaknesses of an organization’s cybersecurity program.

Process Maturity: The New Standard for Cybersecurity Performance Excellence

The maturity-focused cybersecurity management approach is a paradigm shift that threatens the deeply entrenched risk- and compliance-focused assessments familiar to most in the industry. We have observed disagreement among security professionals about what the word maturity actually represents. Some use the word to describe the effectiveness of security controls, while others use maturity to understand their firms’ ability to minimize cyber risk. Authoritative bodies, such as the Federal Financial Institutions Examination Council (FFIEC), appear to be adding to the confusion by blending the notion of process maturity with risk preparedness in the Cybersecurity Assessment Tool. In the end, however, the FFIEC approach, along with similar assessment tools, still focuses on more traditional controls-based risk management instead of performance excellence and quality.

What is often missed in traditional risk and compliance assessments is a clear understanding of the value that cybersecurity provides to the business. When security leaders communicate in the language of compliance or risk (two inherently negative topics), they miss the opportunity to demonstrate to executives the ways in which mature cybersecurity processes can help enable business growth and sustainability. An emphasis on business enablement – expressed as a function of performance excellence and quality – is what sets the BCEB apart from the traditional cybersecurity assessment tools.

Cybersecurity risk traditionalists will be pleased to know that we do not suggest that process maturity metrics replace established risk formulations. Quite the opposite! We need to understand risk in order to set clear goals and effectively respond to the ever-changing threat landscape for our firms. When communicating the value of cybersecurity to executives, however, security leaders will likely find that the BCEB tool kit provides a better picture of the organization’s capacity to identify opportunities and leverage the benefits of effective cybersecurity management.

For Secure Digital Solutions (SDS), the emergence of the Baldrige Cybersecurity Excellence Builder validates the power of the cybersecurity assessment methodology embedded in our TrustMAPP® platform. Both the BCEB and TrustMAPP use process maturity to express the degree to which an organization achieves consistent quality and performance excellence. With clear alignment to the firm’s mission, values and objectives, TrustMAPP helps security leaders bridge the gap between security operations (risk focused) and process maturity (business focused).

To learn more about how cloud-based TrustMAPP® can help you maximize the benefits of the Baldrige Cybersecurity Excellence Builder, ask for your free trial today.

TrustMAPP® is a registered trademark of Secure Digital Solutions, LLC. All rights reserved.

BALDRIGE EXCELLENCE FRAMEWORK™ is a trademark, and BALDRIGE PERFORMANCE EXCELLENCE PROGRAM and Design®, MALCOLM BALDRIGE NATIONAL QUALITY AWARD®, and PERFORMANCE EXCELLENCE® are federally registered trademarks, of the U.S. Department of Commerce, National Institute of Standards and Technology.