InfoSec Governance: What Success Looks Like

Six Outcomes

#6.  Integration.  When all InfoSec processes work as intended from end to end.

#5.  Measuring Performance.  When all InfoSec processes are monitored and measured to make sure they achieve their goals.

#4.  Optimized Resources.  All InfoSec knowledge and infrastructure are being effectively used as designed.

#3.  Delivered Value.  When security investments support business goals.

#2.  Managing Risk.  Consciously deciding to act.

#1.  Strategic Alignment.  When InfoSec and business strategy align, it creates three achievements:

  • The enterprise defines what good strategy looks like.
  • Security matches the company’s DNA, instead of trying to rewrite it.
  • The amount of money spent on InfoSec reflects how important security is to the organization.

\\ JMM

Does Network Cabling Matter ?

Cabling is important. It needs to be good enough. The problem I have with cabling is that people spend way too much time fussing, fretting and fooling themselves that having nice cabling actually has value.

You should be spending time in meetings, writing scripts or buffing up your Excel skills to work out the software subscription licensing costs.

Q. Want your advice on a cabling colour scheme for our new data centre ?
A. I DO NOT CARE. IT JUST HAS TO WORK. NO REALLY. I JUST DON’T CARE

From Blog Ethermind, June 2018

I read Greg Ferro. I have read his blog for many years. I feel his pain and acknowledge it.  And, although this argument is well written, it is worthy of comment for those who choose to think different.

You see, I do fall in the camp that cabling is important. It’s representative of many things that exist in Information Technology that are under the covers.  Cabling determines how serious you are, how disciplined your IT show is, and the attention to detail your team has.  Yes, cabling says all that.  And when you invite me over to see your data center, it’s what I am thinking when you show off your hard work.

“Network cabling usually only represents 10% of the total technology spend.” – Bill Atkins, during his time at Panduit

Yet, we run the production IT show on that cabling.

“Sometimes you have to do IT two or three times to get it right.” – Former CTO (Name Withheld)

Ouch.  Doing the same things two or three times is not cost efficient and is often indicative of culture.  Did we hire the right people and put them in the right seats?  Did we listen to our wiring experts or follow the misguided advice of “this is how we’ve done it for 20 years”?  Two or three times in the wire business is great for the manufacturer and installer, bad for the organization writing the check.

Why Cabling Should Be Important To IT People

I didn’t say critical.  But there should be a standard to hit, as IT craftsmen.  A guide to follow.  Here are the top five things I recommend peers consider when cabling.

#1.  Wiring should be easy to understand.  Color codes and design.  BICSI.  ANSI/TIA/EIA-606-A, Administration Standard for the Telecommunications Infrastructure of Commercial Buildings, and the updated ANSI/TIA/EIA-606-B document these standards.

#2.  Wiring should be easy to troubleshoot.  As-Builts in all data centers and cable plants.  Consistent labeling throughout the facility.  Velcro over zip-ties.  Basket tray versus cable tray.  Combined wire with slack vs. just letting it hang.

#3.  Quality versus Crap.  Mid-grade wire versus minimally compliant.  Wire for the 20 year plan vs. no plan.  1GB is often plenty.  10GB is overkill if your back end can’t support it.  Think hard about plenum vs. non-plenum.

#4.  Manufacturer and installer proud.  When the manufacturer wants to show your work to their prospects, that’s a good sign they’ve done it right.  Choose certified installers.  Ask the question.  Then choose quality products that align with your team’s standards.

#5.  Wire once.  Your ROI is far better achieved when the installer comes out to do the big job versus coming out multiple times over 2-3 years.  Multiple times often equates to two times the labor cost.  You’re not saving money, and the chances of mistakes are actually higher.  Wire once, if at all possible.  And then ask the manufacturer to QA your job during your walk-through.

\\ JMM

Why You Are Being Asked To Be in CAB

Today’s blog is from the mailbag of notables.  The context of this email is when I was “leading by walking around” and overheard a few employees not wanting to go to CAB.  Not wanting is putting it nicely.  CAB is “Change Approval Board”, which is mostly a call to talk about the changes happening to the production environment.

From: Jonathan Merrill
Sent: From My Desk
Subject: Why You Are Being Asked To Be in CAB
Importance: High

Just overheard “Why do I need to be at CAB. I don’t have changes”. Not the first time this has been said. And it’s not unnoticed those team members who don’t show up. Before you say, “busy”, I know everyone is busy. We are all busy. Nevertheless, here is why I encourage you to be at CAB every time:

1. If you do have a change, you need to explain to CAB what the change is, what it will impact, and allow architects and SMEs to chime in. We’ve had one override since we started CAB, which saved us from an embarrassing situation.

2. You listen in on what’s changing in our environment. Operations teams must have the pulse on what’s going on. If you don’t know, how can you react? Putting things together is a skill, just like listening and comprehending. All three should be applied in CAB.

3. Opportunities to sharpen your saw putting in changes. Once we get some consistent muscle memory on non-standard changes, let’s talk about standard changes. Until then, let’s learn from each other and ensure we understand the why about change management. I’ll need your help to train other teams once they get incorporated into our change system.

If you’re working on a critical ticket, production outage in flight, or anything affecting a client’s ability to process, then you’re at least armed with what changed.

If you’re actively engaged in a production issue, clear it with your manager and let him or another team member represent your change in CAB.

Any other reason… eh, no. Knowledge culture, folks. Root word is “Know”. We need you to know. I need you to know. This is the culture we are building. Please participate. Everyone…

\\ JMM

When A Leader Told Me To Stop Reading Books…

“Jonathan, you need to stop reading books.  They are hurting your career.  Read the email I just sent you.” – Name Withheld (Obviously)

I would bet in any career field, you run across people who say things that are incredibly damaging in multiple ways.  It gives pause to consider how toxic or caustic people get into leadership positions.  Nevertheless, the most outrageous comment I’ve ever been told is to stop reading books.

If you know my leadership style, then you know I perpetuate the knowledge culture, which is heavily based on DevOps’ CAMS (Culture, Automation, Measuring, and Sharing).  Working with other teams who don’t embrace that philosophy can and does create friction.  Which is where education is applied.  Culture is critical, we all agree.

So, if you’re wondering what the email said, I’ve kept it in my personal journal.  Here it is in its entirety, with the business bits edited out:

From: Director, Information Technology
Sent: Long Long Time Ago…
To: Jonathan Merrill
Subject: Communication

I wanted to tell you something I learned a long time ago.  What you did yesterday or last week or last year is almost worthless.  I too have won [people] awards.  They mean nothing.  The business world is focused on what have you done for me now.   The growth of teams is far more important than most anything else.

One of the main things that I desire is that I would rather make progress than simply prove that I am right.   As long as the progress is in the best general direction then it will likely make things better.  In time possibly it will convince people (that aren’t under me) that it was a good idea.  Maybe it shows how it wasn’t.  But I don’t try to emulate anyone.

The people you list (Leonici, Maxwell, Wooten) are mostly wrong in any approach they suggest.  Each approach has to be custom tailored for the situation.  I find that most of the books people write all say basically the same thing.  Many of them are worthless and if they are good I take only a few points from each of them that I have found worked.

For example I remember when everyone said emulate Jack Welch and his leadership style.  I started reading about him and it sounded impressive.  Then I started learning that it wasn’t uncommon for the company to lay off people all the time just to improve stock price.  I found that his words lacked practice.  So he said the right things but practiced a form of management that basically resulted in turn over at all levels (forced or not forced).  In time I figured out that in my opinion he was just another useless manager who had some good ideas but his ideas likely only worked one time in one situation and me saying I would use them was highly suspect.

So really I hate to say it (good or bad) but I don’t study anyone.  I keep a list of things I have learned and try to put who taught it to me.  Outside of that I don’t worry about it.  Graduate school taught me that for the most part.  Good management is 50% how you treat people and how they perceive you and 50% of your ability to define what you want.  Combine those and you likely get progress.

Sounds seat of the pants, I know, but it’s how I work.

Let’s dig into a few of these statements, as parts of his email are peppered with logic, and see where it goes off road.

#1.  What you did yesterday or last week or last year is almost worthless

Leaders are always judged positively by their achievements.  Finding the achievement pattern leads to good hires.  Not tracking your achievements nor having a track record of your achievements is a professional miss in self-development.  I argue all IT people, from help desk to VP, should actively track achievements.  Marry them up with your personal and professional goals.  Minimally, present them annually during the evaluation process so the organization understands what you’re about and the value you bring.

#2.  As for selling on approaches or styles I rarely if ever do that.  Nor will I start.

Managing a team on democracy and goals is good, but if the culture isn’t set to create the operating context of expectations, then that team is no different than a mob.  People want great cultures.  People desire to know the boundaries so they can freely do their job.  I would argue effective leaders have a style and actively sell/mentor approaches to their people.  Ineffective leaders do not try.

#3.  The people you list (Leonici, Maxwell, Wooten) are mostly wrong in any approach they suggest.  Each approach has to be custom tailored for the situation.

How can you argue with the results of those leaders who study and embrace good leadership principles versus those that do not?  We take what is learned and apply it to any situation.  Most situations require customization as no one thing fits.  I argue studying principles of success does far better to educate versus only depending on your last leadership experience.

#4.  I remember when everyone said emulate Jack Welch and his leadership style… I found that his words lacked practice.

I too have read Jack Welch and found many things that didn’t align with my leadership philosophy or brand.  I don’t advertise leading this way, but learning how he led isn’t less important.  We should not read any book and apply it to our life prima facie.  Books should educate us, challenge our thinking, and give us opportunity to change us, make us better, or just entertain us.  I argue practicality alone shouldn’t be a reason to not read books about leadership.

#5.  I don’t study anyone.  I keep a list of things I have learned and try to put [into practice] who taught it to me.  Outside of that I don’t worry about it.  Graduate school taught me that for the most part.

I would argue that going to college should just be the beginning of your life long learning journey.  Not the end.

#6.  Good management is 50% how you treat people and how they perceive you and 50% of your ability to define what you want.  Combine those and you likely get progress.

Of everything said here, this statement rings most true.  And worthy of underscoring as working with this leader for over a year, I can say he wasn’t intentionally “toxic”.  He was a grounded guy, with a family, bills, car, and problems just like us all.

However, looking back on what he got accomplished during his time, he achieved very little.  Not many strategic things got done.  He touched no one.  Influenced little.  And was quickly forgotten as he left.  Does anyone enter a leadership gig with the desire to leave no legacy?  I would argue no.

I ran across this comic today and it reminded me of that leader and his email.

Source: Jake Likes Onions

If anyone knows the author of this book, please let me know.

\\ JMM

Who Is To Blame For The Culture of No?

“If there’s a big problem in corporate America, it’s that we say ‘Yes’ too much at times. There’s a whole lot of yes going around. The problem? Only about 1/2 of the “yes” responses are followed up with action that is representative of all of us living up to the commitment we made. That’s why you need to say ‘no’ more.”  – HR Capitalist

You haven’t experienced all the fulfillment of service delivery management until you’re told something that is so foreign, so alien, that your first reaction is bewilderment. With a dash of astonishment. What the heck did this guy just tell me?

What could anyone say that would create such a reaction? Being told that you represent the culture of no.  Traditional help desk, engineering, and information security have thrived in a culture of “no”. To be accused of perpetuating the culture of no.  Seriously?  Let’s break it down…

What is the Culture of No?

“Rather than encountering a world that encourages you to dream big, you may find yourself mired in a ‘culture of no’ — one where fear of failure means that great ideas don’t even get a try” – Wafaa El-Sadr, director of the International Center for AIDS Care and Treatment Program

“We have all met that wall. And when those walls exist, people find ways around them. The workarounds make their lives easier. They implement what they think is best. Their efforts are not intentionally destructive but can lead to unintentional vulnerabilities and, potentially, harm.” – Article from DZone

Let’s unpack the why…

First, acknowledge that no one in management wakes up in the morning and says, “I’m going to tell 10 people no today”. Talk about a crazy goal. No is often considered an emotionally negative word, so delivering it is avoided.  Sometimes, at all costs.

Second, ‘no’ is often grounded in policy and standards. Especially if it’s a politically sensitive subject. In my early career, I’ve been directed, a couple of times, to refresh my memory on a policy as the no was delivered.

Third, leaders are often asked to get creative to say no without saying no. Wordsmithing ‘no’ is a career maker for many leaders, especially in the public relations functions. I’ve been told this falls into the “interpersonal savvy” characteristic, which is a sought-after leadership trait.

So mix all that up in an information security or systems engineering context, and you have an explosive mixture pitting IT against business units and developers alike. It’s not surprising there are movements like DevOps to correct the culture’s behavior.

Again, all that said, the why of the problem is commitment delivery and lack of clarity, so succinctly described by the HR Capitalist’s quote above. It’s far easier to just slide into corporate ambiguity versus a clear response.  Yet clear responses are sometimes not appreciated by certain types of leaders.

So, Who Is To Blame?

Many employees who are described as being a part of the culture of no are often swimming to stay alive in a toxic company culture. DevOps won’t solve that problem, nor will any other service management framework. If CAMS represents DevOps’ core values, start with the first letter: C = Culture.

If your organization is mired in the culture of ‘no’, look hard at your company’s culture and how you are affecting it.  This article isn’t about saying ‘no’.  It’s about having the right culture so ‘no’ is not political, but academic.

\\ JMM

Constraints, Asking for Money, and Kristin Cox…

“Everyone runs to technology for the answer” – Kristin Cox, Executive Director of the Governor’s Office of Management and Budget

I don’t think she meant that in a good way… Maybe if we used our brain versus technology to solve our problems.  Wow!  That’s crazy talk!

Nevertheless, I stumbled across her articles and posts in my LinkedIn feed.  An “Expert at Constraints”, here are the highlights of her video, which I would recommend you go watch:  Kristin Cox’s “How to Ask for Money”.

Four questions:

1. What do you do? What services do I produce?
2. How well do you do that? (Quality – a couple of things: faster, better outcomes, etc.)
3. What is your operating expense? (What does it cost to make it?)
4. What is my ambitious target? (What % quality do I want? Better outcomes?)

Get clear on what we are really focused on.

Government is lucky to have her.

\\ JMM

SOC2 vs. ISO 27001 vs. COBIT

It truly is an interesting time to be in Information Technology. Especially on the information security front. Although hacks and breaches consume the media, audit and controls run the IT hallways. This article contains a random sampling of notes acquired on this topic as leaders unpack what to measure and what not to measure.

“SOC2 audit is required to do business with us.” – Prospective Client

SOC2:  https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/cpas.html

Not all auditors charge the same and, just like everything else, many times you get what you pay for. I’ve found quality and consulting come at a higher price, so selecting the right auditor is a key success point.

Found this article from Linford & Co, LLP, a CPA firm, about SOC2 pricing:

Price estimates differ between firms as each will:

  • Estimate the effort / cost required to do the work
  • Have related overhead expenses allocated to the audit
  • Require a certain level of profit from the engagement

Typically, our SOC 1 audits start at $17,500 and our SOC 2 audits start at $19,500 for small, non-complex organizations. And, since everyone needs one, we include a readiness or gap assessment as part of every first time SOC audit. These are starting points and the price of a specific SOC audit may go up or down as we customize proposals to our clients’ specific needs.

“ISO 27001 certification is required to do business with us.” – Prospective Client

ISO 27001:  https://www.iso.org/isoiec-27001-information-security.html

Any idea how much an ISO 27001 certification costs?  Found this article from Pivot Point Security:

  • Precertification Phase I: $20,000 (e.g., Scope Definition, Risk Assessment, Risk Treatment Plan, Gap Assessment, Phase II Remediation Plan)
  • Precertification Phase II: $18,000 (e.g., Gap closure (collaboratively), registrar selection, ISMS Artifact development, Risk Management Committee, Incident Response, Internal ISMS Audit, On-site Certification Audit Support)
  • Certification Audit: $10,000
  • Total cost for ISO 27001 certificate: $48,000

Once you have your certificate you will require a “surveillance” audit in years 2 and 3 to maintain your certificate. You will also need to conduct an Internal ISMS Audit each year – which the “average” company usually outsources to a third party. So figure your year 2 and year 3 costs are likely to be as follows:

  • Surveillance Audit: $7,500
  • Internal ISMS Audit: $7,000

“COBIT as an emphasis for IT governance, control, and risk management” – Prospective Customer

COBIT:  http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx

\\ JMM

Spinning plates as hard as I can…

Routinely, it’s easy to get into deep water with tickets and projects.  Here is an email exchange between one of my team members, JC Foster, and me.

Jon Foster

Where does this fall on my priority list?

  • Tickets
  • AD Project
  • PBX Project
  • Office 365 Project
  • Visual Studio Project
  • Teams rollout

I am spinning plates as hard as I can here.

Jonathan Merrill

Thank you for asking.  My own list is overwhelming.  The organization is hustling.  Projects are piling up and plates are falling, as only so much can be done to keep those spun.  Let me turn you on to a recent EntreLeadership podcast, #263 – Thriving in the Age of Overload.  Skip to Daniel Tardy’s talk about “The Tyranny of the Urgent”.

Questions Needing Answered When Looking At Your Workload

  1. Does it have to be done?  Can we eliminate it?
  2. If I can’t eliminate it, can I automate it?  ← This is where I feel the most work needs to be done.
  3. If I can’t automate it, can I delegate it?  Let someone else do it.
  4. If I can’t delegate it, is it urgent?  Is it a fire?
  5. If it is urgent, how do we approach, getting the right people in the room?   Most often, someone’s fire is not a fire to the organization.

Our temptation is to treat everything on the list as a fire.  We need to prioritize on impact and urgency, based on the most impact to the most people.

If you’ve listened to the podcast, tasks (or WIP) should be limited to 3.  So, looking at this list, here is my recommendation for where your head should be at:

  1. Tickets – I agree.  Although take care against this taking up 100% of your day.  Handle Critical and Highs only.  Sometimes, that means contacting customers, negotiating and adjusting the criticality.
  2. Visual Studio Project – Most impact.  Most urgent.  Key to our business.
  3. Office 365 Project  – Most impact.  Most urgent.

This is an exercise everyone can do.  And should be aligned to what is on our team Kanban.

\\ JMM

Hiring in Robert Britten…

“A leader is one who knows the way, goes the way, and shows the way.” – John C. Maxwell

It’s not very often you run into exceptional leaders who believe in what you believe, who care at the same level you too care, and execute at the same level and often better than you. I’ve been in this business for a long time and meeting Robert Britten was one of the high points of my career.

He took the reins at Santander Consumer USA from another colleague of mine, Shaun Hendricks. The team he took on was troubled and when he got going, I admit I was skeptical. Robert is unassuming, humble, and eloquent. Something is wrong with this guy… After working with him for a couple of months, boy was I wrong. After six months, I knew I had a partnership that I would come to trust and rely on in both my professional and personal faith life.

Robert is a titan leader and I am proud to announce he has accepted the position of Director, Technical Services at Lanvera. Rob is going to head up an operations team which has responsibilities across multiple disciplines: application support, database support, and production services support. His team is central to service delivery, connecting infrastructure, development, and client services teams.

\\ JMM

Why I Cancelled GoDaddy…

“It’s just not right that so many things don’t work when they should. I don’t think that will change for a long time.” – Steve Wozniak

After a ten-year-plus relationship with GoDaddy, I’ve closed my account. It felt good, as the GoDaddy of today isn’t what GoDaddy was ten years ago.  I argue the service has been getting worse as time has gone on, just like Network Solutions.  These companies might be forgetting what got them there in the first place.  Here are my reasons and my next steps.

Why GoDaddy Worked

  1. Low cost. Very competitive pricing.
  2. Good technical support. I did have a couple of problems and their support was great.  They even restored my DotNetNuke website back to a functional level.  Gave them mad kudos for that.
  3. Great DNS management. I argue the simplest in the business.

Why I Said No to GoDaddy

  1. My hosted WordPress site was painfully slow using the Economy hosting. Every time I published, the website would go offline and time out for 3-5 minutes. Every time. Call up GoDaddy and support would say I am on shared services. If I need more speed, I need to upgrade. The speed issue exacerbated module and version upgrades. The last straw was a failed JetPack upgrade due to timeouts. No more.
  2. GoDaddy’s management site is slow. I’d log into my portal and it clocks transitioning between screens. Constant pop-ups with new products and ads, but getting to the guts has slowed way down from ten years ago. Super annoying to embed in the management interfaces. Not good.
  3. No support for free SSL. I’ve been talking to them about this for a long time. There are many competitive offers out there offering a free SSL cert for a single WordPress site. If you’re a singular blogger or small business, why not a free SSL cert? No support for Let’s Encrypt. In fact, they’ve designed their system to prevent it without hacking their system. Not supporting these technologies may seem like protecting their turf. I argue it’s an example of legacy companies not getting with modern times. Fail.
  4. Never-ending sales phone calls. GoDaddy would call me and try to upsell me on products, many I didn’t need.  When I talked about my slow website and lack of support for Let’s Encrypt, the sales guy started dodging.  I’d hang up and get another call a week later, resuming the upsell. Finally, I had to tell them to stop calling me. Sales pressure tactics when you’re not trying to fix your product or ease my pain means you don’t care about me.  Bottom line.

And I had to call to cancel. Digital transformation apparently not in effect at GoDaddy. I was genuinely worried I would be pressured just like a gym membership. Alas, “Joel” took my call and walked me through. I asked for a refund for my remaining months and got it.  A+ Joel.  I might come back.

Where Did I Go?

I transitioned to Dreamhost. Performance has been far better, although they need to work on their management tools. The user interface needs much work. But it’s very nice to be functional without wait times for the same money.

One More Thing…

Colleagues have pointed me to NameSilo as an inexpensive domain name registrar. I’ve been using them for a few domains and really like their interface and pricing.

\\ JMM