1 / 28

Information Assurance Services

velvet
Télécharger la présentation

Information Assurance Services

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Seccuris is Canada’s premier Information Assurance integrator. We enable organizations to achieve business goals through effective management of information risk.We are agile, innovative, flexible, and responsive. We assist your organization in managing all aspects of information risk. We specialize in end-to-end services, comprehensive solutions, and tailored programs.

  2. Information Assurance Services • Information Security Consulting, Security Architecture, PCI, Vulnerability Assessment, Penetration Testing, Information Security Audit… • Managed Security Services • Managed Threat Monitoring Services, Managed Vulnerability Assessment… • Training and Education • SABSA Certification, TOGAF, Information Security Core Fundamentals… • Research and Development

  3. Selling Security Presented by Leo Thrush

  4. Agenda Introduction What is the problem? Find the decision maker So many personality types Problem solving Being the expert However, this is a discussion… Please ask questions as they come to mind.

  5. Introduction Leo Thrush PhD Candidate, MBA, Masters in Strategic Resourcing, CISSP, PMP, ISSEP, ISSMP, CBCP, SCF, GCSC, CISM, CAP, NSA-AO • Managing Security Consultant, Seccuris • Professor, University of Fairfax • Previous roles: • Chief Instructor, (ISC)2 • White House IT Security Advisor • Senior IT Security Advisor, Pentagon • NSA/CIA Senior Security Architect • Focus on management consulting, enterprise architecture, IT strategy, IT service management, and teaching • Relevant Certifications: • SABSA Security Architect • Information System Security Engineer

  6. The Problem How do I sell securityto the boss? …and get them to support and fund it?

  7. Start with Applied Psychology c. 590 BC Ezekiel's four living creatures:lion (bold), ox (sturdy), man (humane), eagle (far-seeing) c. 340 BC Plato's four characters:artistic (iconic), sensible (pistic), intuitive (noetic), reasoning (dianoetic) c. 325 BC Aristotle's four sources of happiness: sensual (hedone), material (propraietari), ethical (ethikos), logical (dialogike) c. 1958 Myers‘ Jungian types:SP (sensing perceiving), SJ (sensing judging), NF (intuitive feeling),NT (intuitive thinking)

  8. Myers-Briggs Type Indicator • Favorite world: Do you prefer to focus on the outer world or on your own inner world? This is called Extraversion (E) or Introversion (I). • Information: Do you prefer to focus on the basic information you take in or do you prefer to interpret and add meaning? This is called Sensing (S) or Intuition (N). • Decisions: When making decisions, do you prefer to first look at logic and consistency or first look at the people and special circumstances? This is called Thinking (T) or Feeling (F). • Structure: In dealing with the outside world, do you prefer to get things decided or do you prefer to stay open to new information and options? This is called Judging (J) or Perceiving (P).

  9. Dichotomies

  10. The Decision Maker • Who is the decision maker? • Your boss? • Your boss’s boss? • Someone else? • Brief your way to the right person—no shortcuts • Staff work is critical

  11. The Decision Maker’s Personality Type • ISTJ: Serious and quiet, interested in security and peaceful living • ESTJ: Quiet and reserved, interested in how and why things work • ISFJ: Usually put the needs of others above their own needs • ESTP:Doers who are focused on immediate results

  12. The Decision Maker’s Personality Type • Risk takers: Early adopters, easy to motivate once convinced • Risk adverse: Doing this brings risk, not doing it brings risk… Is the difference worth the resources? • Many ways to categorize, and none are perfect; everyone is an individual. However…

  13. The Decision Maker’s Personality Type • Temperament gives insight to their decision-making: • NT and SJ individuals tend to be more linear and serial, more structured, more rational and analytical, and more goal-oriented in their approach to problem solving • NF and SP individuals demonstrate a preference for an approach that is more holistic and parallel, more emotional and intuitive, more creative, more visual, and more tactual/kinesthetic

  14. Temperament Based Techniques • NT and SJ • Analysis • Backwards planning • Categorizing/classifying • Challenging assumptions • Evaluating/judging • NF and SP • Brainstorming • Imaging/visualization • Incubation • Outcome psychodrama • Outrageous provocation • Synthesizing

  15. The Problem Solving Process • The Input Phase: Gain a clearer understanding of the problem or situation • The Processing Phase: Develop, evaluate, and select alternatives and solutions that can solve the problem • The Output Phase: Develop plan and implement solution • The Review Phase: Evaluate implementation of the solution; this should be an ongoing process

  16. Case Study • The Input Phase: Security of Wireless Devices • NT and SJ: • Analysis: How many? • Backwards planning: If we want to implement this solution in January, when must I make the decision? • Categorizing: Big risk not a big risk • Challenging assumptions: How do we know it is a problem?

  17. Case Study • The Input Phase: Security of Wireless Devices • NT and SJ: • Brainstorming: What do each of you think is the cause? • Imaging/visualization: Show me how this happens • Incubation: Let me think about this • Outrageous provocation: Only stupid people lose devices

  18. What is the Motivation? • Achievement of goals • Promotion (power, money, title, parking…) • Personal Recognition • Company/Team/Department Recognition • Avoidance of pain

  19. Experience in IT/IT Security • Been there, done that or new to field • Leader or manager • Techie or … • Position in organization • Authority and budget

  20. Maturity (not Age) • Closely linked to previous considerations • Confidence in personal decision making • Experience • Frequency • Level of difficulty and responsibility of previous decisions • Confidence in recommendation and who is making it

  21. You are the Expert • What is of the very most importance to the business? • Short-term versus long-term • If you were the boss, what would you do? • If you had one dollar, what would you do with it? • Facts versus assumptions—how do you know?

  22. Solve the Boss’s Problems • IF the boss does what you want, then what are the issues for the boss? • Money • Politics • Timing • Personalities • Program management • Legal

  23. Solve the Boss’s Problems • Speak my language • Know my problems • Provide solutions to MY problems

  24. The Boss Cares… • If the boss didn’t care, you would be working somewhere else • You would not have the boss’s time • It’s not personal • Don’t become emotional • “Don’t become so attached to your position that if it falters your ego goes with it” • General Colin Powell, U.S. Army

  25. Summary: The Answer to the Question • Work your way to the correct decision maker • Learn as much as you can about them, and use that to select the best strategies and tactics • Be the expert and be ready to prove it • Know the alternatives and why they are not better than your recommendation • Work the roadblocks before the briefing • Don’t let the decision maker say “No” • Use formal change management strategy and tactics

  26. References • Adickes, E. (1907). Character und weltanschauung. Tubingen. • Huitt, W. (1992). Problem solving and decision making: Consideration of individual differences using the Myers-Briggs Type Indicator. Journal of Psychological Type, 24, 33-44. • Lawrence, G. (1984). A synthesis of learning style research involving the MBTI. Journal of Psychological Type, 8, 2-15. • Whimbey, A., & Lochhead, J. (1982). Problem solving and comprehension (3rd ed.). Philadelphia: Franklin Institute Press. • Wonder, J., & Donovan, P. (1984). Whole-brain thinking: Working from both sides of the brain to achieve peak job performance. New York: Ballantine Books. • Woods, D. (1987). How might I teach problem solving. In J. Stice (Ed.), Developing critical thinking and problem-solving abilities (pp. 55-72). San Francisco: Jossey-Bass.

  27. Thank You. Leo Thrush lthrush@seccuris.com Seccuris Inc. 704-10 Kingsbridge Garden Circle Mississauga, ON L5R 3K6 (905) 361-3273

More Related