In touch with your inner consultant

While helping folks build fun, cool processes like assessing risks with fancy web apps, a nagging trend emerged. Security pros are often overwhelmed with random requests to provide advice or approve designs in support of internal projects. Some of these requests come early and support official projects, e.g. "we need your help designing the next ERP implementation." Most, however, are ad hoc, unpredictable, and disrupt an already over-crowded work week. Worse yet, the security team sometimes isn't engaged until the day before go-live! How can under-resourced security pros get in front of all this?

Simple. No free lunch.

Internal consulting, project support, business enablement, whatever you want to call it, is a service. This service should be recognized, advertised, resourced, and measured. At one point in my history, we put engagements into time buckets, e.g. < 4 hours, < 1 week, 1-3 weeks. Each security pro then had a certain percentage of their time assigned to internal consulting. When they became overwhelmed, it was their job to escalate to me. We had a published process to assign, gauge, and prioritize the work effort. During a time of layoffs and cost cutting, we actually justified and earned another FTE because we could show the demand and the value. I said we either start saying "we'll have to get to you in xx days" or we need more quality folks. Magic.

Lots of anecdotes to share, but I'll spare you. I will leave you with some of the tools we used to formalize the process. Mind you, not everyone on the team supported this formality. Some folks liked being the Go-To-Guy. They didn't appreciate having to say, "I'd love to help you directly, but we have a standard way to serve you. Please visit <portal url> and enter your request. We'll get back to you within 1 day." The magic happened when the go-to folks were totally swamped: they got to remain focused, and the business was still served.

In a bit of self-promotion, we recently added a template in Risk Communicator to support general consulting requests. This template is a bit different because it contains a set of questions to identify risks, similar to control-based templates like PCI. The goal is to provide a consistent set of questions enabling assessors to quickly understand the solution and its key control requirements. Once you define a well-formed risk statement (impact and likelihood evidence), you have the option of completing the workflow to help the business make better decisions about where to spend.

This approach isn't a substitute for a comprehensive assessment; it's a quick hit and can (and should) be customized. Here are the base questions in the Risk Communicator template (apologies, but I can't convince WordPress to render the table in HTML, so here's the PDF):

basic_questions

Of course, having a slick risk assessment application pales in comparison to a well-defined process. Here are a few generic deliverables to get you started:

Project Support Overview Slide

Project Support Workflow

Simple RACI for Project Support roles

Some of these may be too basic, or too complex, for your group. Recall that one person may play multiple roles.

A few more notes:

  • A great way to get started is to simply formalize how the security team is engaged. An internal portal is best, e.g. a custom SharePoint site, but a shared mailbox will do at the start.
  • Be sure to enforce the process. Bypassing the engagement point defeats the purpose.
  • Get exec support and market your service. The engagement point, the process, and the key SMEs should be advertised like rock stars.
  • Project support should be recognized in the list of services your team provides, whether or not you have a fancy service catalog.
  • Metrics: how about
      • % of requests served within SLA
      • # of requests vs. the number predicted per quarter, e.g. we anticipated 30 but received 60!
  • Get credit. Internal consulting should be included in your performance goals and review. Cha-ching.

The ultimate goal is to serve the organization while enjoying your job.

I hope you find these useful. Please contact me or leave a comment with feedback or questions.
