If you're anything like me, you're always trying to make your life more interesting, and trying to add that bit of value back into your organization (for purely selfless reasons of course). Here's a conclusion I've come to if you work for anything larger than a few-person company.
Whatever you're doing it ain't worth jack if it's not backed up by a process.
Here in vendor land, I can create the best presentations in the world, but they aren't worth jack if they're not backed up by a process to distribute and socialize them with customers, partners, sales folks or whomever. I can have the best ideas for new initiatives, but they aren't worth jack if there's no process for submitting, prioritizing and getting budget for those ideas (without those processes, the squeaky wheel gets the grease, and that sometimes works in my favor)
Same goes for security - you can never show how good a job you're doing it you haven't got a process that you can track and measure. Whether that process be around identifying threats, dealing with audit findings, dealing with incidents, managing identities and privileges, evaluating new business initiatives, reviewing new applications for security bugs, whatever. "But what about policy?" I hear you ask. Policy becomes that thing that only you refer to, without a process to distribute it and track who's working towards complying with it.
In the absence of a process, you get judged on those events that people hear about - and in security those events seldom work in your favor.
Yeah, yeah, yeah, we've all heard the spiel about people, process and technology, but you seldom get kudos for hiring new people, and you're seldom in a position to eliminate people voluntarily (and which of us really wants to do that anyway?). Implementing technology alone - while interesting - seldom gets us where we want to be (because for technology - more often that not it ain't worth jack without a process to make the product work as it should). Besides, these days budget for technology is hard to come by.
So - process is where the likes of you and me can really make a difference. And what's awesome about processes, is that while everybody loves having a good process in place (don't laugh - if you've ever worked in a medium to large organization, the lack of a process can be the most frustrating thing on earth), few people really step back to look at what processes you can put in place to eliminate your frustrations. Even an attempt at formalizing and tracking the processes you're carrying out on a daily basis will make you look like a rock star.
So love your processes. Embrace them - it's a way to get on.
Whatever you're doing it ain't worth jack if it's not backed up by a process.
Here in vendor land, I can create the best presentations in the world, but they aren't worth jack if they're not backed up by a process to distribute and socialize them with customers, partners, sales folks or whomever. I can have the best ideas for new initiatives, but they aren't worth jack if there's no process for submitting, prioritizing and getting budget for those ideas (without those processes, the squeaky wheel gets the grease, and that sometimes works in my favor)
Same goes for security - you can never show how good a job you're doing it you haven't got a process that you can track and measure. Whether that process be around identifying threats, dealing with audit findings, dealing with incidents, managing identities and privileges, evaluating new business initiatives, reviewing new applications for security bugs, whatever. "But what about policy?" I hear you ask. Policy becomes that thing that only you refer to, without a process to distribute it and track who's working towards complying with it.
In the absence of a process, you get judged on those events that people hear about - and in security those events seldom work in your favor.
Yeah, yeah, yeah, we've all heard the spiel about people, process and technology, but you seldom get kudos for hiring new people, and you're seldom in a position to eliminate people voluntarily (and which of us really wants to do that anyway?). Implementing technology alone - while interesting - seldom gets us where we want to be (because for technology - more often that not it ain't worth jack without a process to make the product work as it should). Besides, these days budget for technology is hard to come by.
So - process is where the likes of you and me can really make a difference. And what's awesome about processes, is that while everybody loves having a good process in place (don't laugh - if you've ever worked in a medium to large organization, the lack of a process can be the most frustrating thing on earth), few people really step back to look at what processes you can put in place to eliminate your frustrations. Even an attempt at formalizing and tracking the processes you're carrying out on a daily basis will make you look like a rock star.
So love your processes. Embrace them - it's a way to get on.
Comments