Archive for February, 2009

Someone just called my attention to a blog post over on CTOvision.com.  The post was a reprint of an Op-Ed written by Melissa Hathaway, Cyber Coordination Executive for the Office of the Director of National Intelligence.  It is a great post as it draws eerie parallels between information security in the government and information security in the private sector.  She does a great job in highlighting the crossover and why we need to be aware of who our partners and vendors are also connected to. 

I urge you to go over and read it:  Melissa Hathaway Op-Ed on Cyber Security

P.S.  According to recent reports, Hathaway is very likely to be President Obama’s pick to become his cybersecurity chief. 


Mike Smith over on the Guerilla CISO blog has just posted a presentation entitled The Accreditation Decision and the Authorizing Official.  This is an update of a slide deck that Mike, Joe Faraone, and I have been using in our Potomac Forum C&A seminars for a few years.  Feedback from the government sector has been pretty good.  If you are in the position of accepting risk for a government system, then you might find it interesting as well.

You can find it at: http://www.guerilla-ciso.com/archives/699


“It is a myth that people resist change. People resist what other people make them do, not what they themselves choose to do. . . .  That’s why companies that innovate successfully year after year seek their people’s ideas, let them initiate new projects and encourage more experiments.”

~Rosabeth Moss Kanter, in The Vineyard Gazette, 1997

Introduction

Every organization must contend with politics and political maneuvering.  Individuals and groups vie for the ability to influence the distribution of resources in their own favor.  This fact of life has ingrained itself into our collective corporate cultures and must be negotiated with skill in order to achieve a stated goal.  This post begins a multi-part series on the topic.

This is an important point for Information Security (Infosec) Professionals to understand.  We are called upon to stand between Information Technology (IT) and the business in order to properly protect information, the very lifeblood of the organizations we serve.

The Infosec Professional is in a different world from everyone else. We are technologists who are not really technologists; we are business men and women who are not really business men and women. We live in the netherworld in between both camps, despised by both, clinging to our own for validation.

Herein lies the opportunity to do what no technologist and no businessman can do:  unite the two factions for the greater good of both. In order to accomplish this goal it becomes necessary to understand how a social dynamic forms and how it can be leveraged to achieve the ultimate goal of Infosec: the cost-effective protection of the critical information supporting business. 

This document explores politics and corporate culture within organizations and provides some lessons learned from organizational behavior and social psychology to affect change.  It is intended as a primer for the Infosec Professional. 

Power

Power consists in one’s capacity to link his will with the purpose of others, to lead by reason and a gift of cooperation.

~Woodrow Wilson (1856 – 1924)

When people get together, power will be exerted.  People want to carve out a niche from which to exert influence, earn rewards, and advance their careers.  When employees in organizations convert their power into action, they are engaged in politics.

Power refers to a capacity to influence others; it is also a form of constraint on human action, but one which makes action possible.  Power has its source in two general groupings: formal and personal.  Formal power is derived from an individual’s or group’s position within an organization.  Personal power is derived from an individual’s unique attributes, such as the expertise he or she possesses or his or her personality and interpersonal style.  The exercise of power is the essence of politics within an organization.  This exercise is dictated, for the most part, by each organization’s unique corporate culture.

Corporate Culture

Each organization has a unique persona.  Corporate Culture is a system of shared meaning held by the individuals who make up the corporation.  This system can be described along the following dimensions:

  • Innovation and Risk Taking – the degree to which employees are encouraged to be innovative and to take risks
  • Attention to Detail – the degree to which employees are expected to exhibit precision, analysis, and attention to detail
  • Outcome Orientation – the degree to which management focuses on results or outcomes rather than the techniques or processes used to achieve those outcomes
  • People Orientation – the degree to which management decisions take into consideration the effects of outcomes on people within the organization
  • Team Orientation – the degree to which work activities are organized around teams rather than individuals
  • Aggressiveness – the degree to which people are aggressive and competitive rather than easygoing
  • Stability – the degree to which organizational activities emphasize maintaining the status quo in contrast to growth

Corporate culture is concerned with how the individuals within the organization perceive the company in terms of these characteristics.  Much like product branding, it conveys a sense of identity for its employees and facilitates a commitment to an overall goal or objective rather than to individual goals and objectives.  It is important to fully understand this aspect of an organization, because the exercise of power by any group or individual is likely to be heavily influenced by this culture.

In Part Two of this series we’ll look at influencing Power and Culture by diving into some psychology and social science.  Part Three will wrap everything up by addressing the practical application of these concepts.


I’d like to ask you to please consider me for nomination in the inaugural Social Security Awards!  The awards will be awarded at the Security Bloggers Meet-up at RSA this year.  The categories are:

  • Best Security Podcast;
  • Best Technical Security Blog;
  • Best Corporate Security Blog;
  • Best Non-Technical Security Blog; and
  • Most Entertaining Security Blog.

Even if you don’t feel that Ascension Blog qualifies as one of the best (Non-Technical Security Blog), please still vote for who you feel is the best.  It isn’t always easy coming up with blog entries, and I can tell you that it certainly doesn’t pay anything, but it is rewarding in its own way – especially when you know that someone out there appreciates your work.

You can find out more by clicking below or by going to www.socialsecurityawards.com.  Please take the time to vote for your favorite blogs (and I sincerely hope that I number among them.)

The 2009 Social Security Awards

Thank You.
