Project Study: Secure the Perimeter
Reduce risk & resistance for a complex InfoSec program supporting “Defense In Depth” Strategy
Results
- Low organizational noise throughout a 2-year Information Security (InfoSec) program with 23 workstreams that spanned 5 autonomous business segments, 15 divisions and 12,000 employees
- Program raised the InfoSec maturity 25%
- “I brought Linda in to help us elevate our enterprise information security (InfoSec) maturity by assisting us with our organizational change efforts. As we have progressed up the maturity curve, we realized … we needed to ‘engage the human element’ across the corporation.” CISO
- “Linda is hardwired to sweat during the planning phase so we don’t bleed during the implementation… We couldn’t have accomplished all that we did, in the short timeframe we had, without her.” CISO
- “She was instrumental in the rapid delivery of a plethora of technical security controls, helping us adroitly navigate the shoals of ‘resistance to change’ from the executive suite to the shop floor.” CISO
Situation
- Federal contract requirements had previously driven InfoSec technology deployment in select areas of the company on a very tight timeline that left many disgruntled employees at the end of the project
- Board of Directors (BOD) interest in protecting all assets equally across the enterprise prompted the CEO to fund this $5M program proposed by the Chief Information Security Officer (CISO)
- Fortune 300 automotive manufacturer with $8B in revenue
- 130 locations included Asia Pacific (China, Hong Kong, Singapore), Middle East (Saudi Arabia, UAE), South America (Brazil, Colombia), and Europe (France, Netherlands, Romania and Russia)
- InfoSec Defense In Depth strategy employed many layers of different technologies to provide more dynamic and comprehensive protection
- Technologies that involved front line employees included hard disk encryption, removable media encryption, laptop geolocation, complex passwords for mobile devices, administrative rights removal, comprehensive software patching, and multi-factor authentication (MFA)
Project Right-Sizing
- Designed change strategy aligned with business strategy and other forces impacting the enterprise, while making the issues personal for each employee
- Messages were sometimes very different among businesses. Example: For some business areas, the removable media encryption workstream was a migration, with an unlearn/relearn engagement plan, while for other areas it was a new deployment
- Nature of the change varied, sometimes a lot, by workstream and by business area. Example: Removal of administrative rights was a minor event in many areas but a major transformation for one business unit
- InfoSec policies which had been applied inconsistently in some business groups were brought into alignment, driving additional technology and stakeholder engagement requirements
- Integrated tech support and employee engagement plans division by division
- Addressed the needs of specific audiences (e.g. international travelers or newly hired employees) by leveraging information generated by individual workstreams. Selected and integrated content to create modules that better fit Business As Usual (BAU) moving forward
Project Acceleration
- Each business segment president and his leadership team were involved via face-to-face on-site briefings, including coming attractions every 60-90 days; talking points sent as follow-up were also well-received
- Prepared the mindset of employees from the C-suite to the shop floor by leveraging the phishing simulations and other security awareness efforts to increase understanding of the urgency of the subject, the impact they make personally, and how new habits can benefit them and their families at home
- Integrated messages across workstreams to deepen the big picture for employees. Example: comprehensive software patching communications pointed out that phishing emails sometimes contain attachments disguised as patches so education showed how to tell the bad from the good
- Employed multi-media with a focus on empowering employees. An instructor for new hire training said, “Coming to this site I feel a whole lot better. This is pretty important and there’s all the information I could want.”
- Continuous top down and bottom up engagement and integration strategies included specifics to each workstream, bridged across all workstreams of this project and connected to other major initiatives underway in the enterprise