Why plan Return on Investment (ROI) before completing design and deployment?
Why do SecuriThink strategies aim from the outset for level 3 or 4 of the 5 Levels of Results? Wouldn’t it be easier and faster to complete level 1 (Design) and 2 (Implement) before tackling level 3 and above? Our experience shows focusing on Level 3+ results from the outset yields a much more powerful outcome while also making the project easier and less risky.
Focus on the customer
Most projects justify funding and engage executive sponsors by offering value and something they care about. Our experience says improving data governance or compliance, protecting privacy or proprietary assets or avoiding inadvertent disclosure (all level 3 results) are valued much more than deploying software or implementing infrastructure (level 2 results).
Reap what you sow
When you plant a seed of wheat, you don’t harvest tomatoes. Projects focused on level 2 results will deliver level 2 results. Projects justified on level 3+ that deliver level 2 will not hear a customer say “You did what you said you would do and I’m pleased with the result.”
A heavy roof needs a reinforced frame
To those who say, “but we have to start at the beginning”, we counter: If a home builder has a customer who wants a slate or tile roof but may not have the full budget up front, it would be a disservice to propose a house with a regular frame and imply the heavier roof can be installed later. A typical frame won’t support the weight; the customer will never be able to get to her stated goal without major rework, even tear down and rebuild.
There is another way. The proposal could be to build a house with a reinforced frame which can initially have a shingle roof that is easily upgraded to heavier material in a later phase. Similarly, a SecuriThink strategy that aims for level 3, 4 or 5 results stays focused on the ultimate goal even as it starts at the beginning.
A more holistic strategy takes a very different approach to level 1 design and level 2 deployment. It pays more attention to fully engaging stakeholders from the outset and keeping them engaged appropriately throughout. It has a more robust plan for the executive sponsorship coalition and for employee engagement. With a stronger base of support, not only is there greater technical and operational readiness for the bigger picture, this approach also builds more momentum, even eagerness, among the business stakeholders to get the full benefit.
Eyes on the prize
The second strategy above keeps the “eyes on the prize”. Combined with early wins described below, this approach is more likely to carry a project through intermediate budgetary or resource challenges. Keeping executive sponsors focused on Level 3+ goals keeps them engaged with the project so when their input is needed for good design decisions (level 1) or effective deployment (level 2) the business leaders are continuously reminded about how these requests connect with and lead to what they care about (level 3).
Meaningful early wins
An effective strategy for a level 3, 4, or 5 goal can be designed to include early wins that are meaningful to executive sponsors. Project leaders who aim to deliver level 2 results before addressing level 3 may think this is a path to early wins but they risk losing the attention of their executive sponsors along the way. Carefully crafting “crawl, walk, run” phases can more effectively satisfy stakeholders and build momentum.
One size does not fit all. To have the right impact, the plan must be tailored to integrate with the business so it gets results the audience really cares about. This requires a balance of business savvy with technology and project management expertise. For one situation it might be getting a group of 100 people who work with regulators fully deployed with a complete top-to-bottom proof-of-concept. In another case it might mean deploying a protection only for email or only for MS Office files. Meaningful early wins fuel buy-in and enthusiasm while realistically managing risks. In addition to helping minimize organizational noise and pushback, early meaningful wins pave the way for a more rapid rollout.
Rarely a second chance to make a first impression
Aiming a project at level 3+ business results keeps your executive sponsors engaged from the start to the finish. They can be your ambassadors as long as the project provides something relevant to communicate to their departments. When this is done well, the project starts picking up momentum from the outset and never slows down.
Conversely, if a project focuses on software or infrastructure (level 2) before addressing level 3+, it’s taking additional risks. This approach loses the key advantage the project has to attract attention and resources. Business leaders won’t talk about technology as a goal unto itself, so until level 3 topics come onto the table, the initiative is relegated to the back burner with the other low-visibility projects labeled “IT”. Executive sponsors won’t want to meet as often and won’t pay attention to talking points about level 1 or 2 unless they tie to something they care about (level 3+). By the time the project has completed levels 1 and 2 and would like to add the compelling business results of level 3, the entire effort may have been dismissed as “lightweight”, that is, as having no influence among the executive sponsors. The project will have missed the boat; it won’t get the attention it needs to impact process, mindset or any behavior not directly enforced by the technology. At best, only a fraction of the potential ROI is ever realized; at worst the technology might be uninstalled or disabled by users if it is seen as more of an obstacle than a business enabler.
Begin with the end in mind
Making software and infrastructure deployment a significant goal lowers the bar, which seems like it should make things easier. Since it also reduces the short-term and long-term benefits while adding risk, it’s a false economy. Our experience has been that pragmatic right-sizing employs tactics such as those described here to build strategies that “begin with the end in mind” and deliver results that satisfy the customer.