The Art of the CISO: Project planning

I had a professor in college who said: “If you can’t measure it, you can’t manage it.” And our job is to manage the project success of the cyber security department.

Project management isn’t the sexiest part of cyber security; however, it is an incredibly important aspect of the job, and one that can make the difference between success and failure. As a CISO, you should be able to answer some basic questions about the projects the Cyber Security department is working on:

- What is the complete list of projects?
- What are the expected timelines?
- What are the major tasks associated with each project?
- What resources (inside and outside of the department) are needed to be successful?
- Do the projects match up to the mission of the department? Of the organization?
- What is the plan for the next 6 months, 1 year, 2 years, 5 years?

Project management is not necessarily ‘fun’, but a successful CISO, or any C-Level officer, will know and understand all the pieces the department is working on to further the security of the organization.

Privacy and IT Security?

There is much discussion on the relationship between IT Security and Privacy.

I believe they can be, and should be, harmonious in the organization, where Privacy helps determine what information is collected/used and IT Security ensures the confidentiality, integrity and availability of that information.

Remember, our ultimate goal is to protect people. We do that by protecting the information, processes, systems & networks of our organization. We can’t protect if we don’t know what we are protecting!

If you are a CISO, get to know your Privacy Team. If your organization does not have one, talk with your legal team, risk managers, data stewards… Ask questions, offer solutions, be part of the group. At some point you will look around and realize that the group has naturally become the Privacy Team, and the organization has become safer and more secure!

History of GDPR?

I had a GDPR meeting yesterday with a department, and it normally drives people into the various levels of grief very quickly.

However, I have found that if I start the meeting with the history of the GDPR, and I build the context, people work through the levels of grief much, much faster. I spent a lot of time learning the history of data privacy along with the political & decision-making structure of the European Union for my CIPP/E. And I am very glad I did, because 1) it makes a lot more sense, 2) it really drives home the purpose and intent of the privacy laws, 3) history is important, even the parts we don’t want to remember.

So I recommend that if you need to discuss a topic, or train someone, or convince someone of something, it’s critically important that you know the history and how it relates to the business/processes. Not only should you know it, but you should also be able to articulate its importance and engage in conversation about the subject.

Practice your craft… learn, study, and give back!

Lead the way!

A change in leadership is like getting a new job. It’s a new culture, new expectations, and a new office dynamic. You are unsure what to do, how to do it, or how to make a good impression.

We have recently gone through a leadership change, and the biggest change so far is that the boss comes in every day with a smile! 🙂 When they do, everyone else smiles a bit more. The energy of the whole department seems to rise to new levels. It is completely refreshing, almost to the point that I sometimes don’t recognize the place!

We have difficult jobs, with lots of problems… but with the right leadership, the right colleagues, and the right attitude, even the hard stuff can be doable and, dare I say, enjoyable!

Don’t forget the old ways.

I have a section of my yard that is a creek/drainage for the neighbourhood. While it stays wet for most of the year, during July and August it dries out enough to mow/clear/clean up…

There is a section where I can’t use the mower, due to the significant possibility of death on the slope, and it’s too thick to use the trimmer, so I use a scythe.

Growing up in the country, I was exposed to many tools hanging in old barns that my younger self looked at with mild curiosity, and not much else. Why use a scythe when I had a mower? Well, skip ahead 40 years and I realized it is the perfect tool to clear that section of the yard safely. And it’s a great workout!

I regularly have to remind computer people that sometimes the “old ways” work better. They may not be sexy, or impressive, but in the end they get the job done. As technology people we should learn and deploy new stuff… but we should never look on the old stuff as useless tools hanging in the barn.

Many Questions, No Answers!

I am always asked about being a CISO. Some people want to become a CISO, while others wonder why you would ever want to become one!

I enjoy the job, the challenge, and the opportunity to help people…

My hope is to give back to the community by sharing lots of stories, experiences, successes and failures.

This is the new home of my blog; I hope everyone enjoys the content!