I’m happy to be back after digging out from RSA. In lieu of a separate post, I’ll sum up my RSA experience as “more wow, less how.” I must disclose I only made a fraction of the sessions due to networking. Plus I heard from reliable sources that many of the sessions were great. However, I chose poorly, and I promise I’m not bitter because they turned down my session proposal... But really, if you’re going to pack a hundred people in a room, please share how you actually measure security, communicate risk, integrate with the business, run compliance programs, etc. We can read “what” needs to be done almost anywhere. Take a chance and share what you’re actually doing! After 55 minutes of blah, blah, 5 minutes are left for questions. And every time some brave soul would ask, “so how do you actually do…”
Time to walk my talk, so let’s get on with the CISO tools series. Again we start with my friend the Security Service Catalog. The ability to communicate your team’s capacity is another floor built on the great catalog foundation. We used the catalog to define what we do and to organize our roles (RACIs). Now we’ll use it to set expectations about where our teams will focus. I like to call this Capacity Management.
To the position statement: Capacity Management is a tool to set expectations for time allocation. It enables managers to lead proactively by setting direction rather than over-committing. It enables team members to know where to invest their time and to understand what will slip if demand rises in another area. Capacity Management is better than hourly tracking because we’re not prisoners, and it’s better than nothing because it demonstrates leadership and improves morale.
I’m not talking about hourly tracking for project back-billing or accounting. Capacity Management to me is setting expectations, above and below you, about where you’re investing your time. Security leaders may not always recognize it, but security teams have some of the most experienced and diverse skill sets in IT. I like to take advantage of this and simply manage across three buckets of time:
Business as usual (BAU): executing your defined process to make the business a more profitable place.
Project Work: those long-term “assignments” we get in addition to our day job, e.g., building that new DLP service.
Short-term projects or unplanned work: time set aside for reacting to demands outside your planned activities.
Simple percentages in these buckets do wonders:
Set executive expectations: show where your team is focusing its energy.
Set expectations with your team: you shouldn’t be approving tasks, just enabling and measuring efforts based on communicated goals.
Limit yourself: I’m very guilty of trying to fix something while it’s in use. Doubling up work isn’t fair to anyone, so if you want to improve one bucket, another bucket has to give. And no, you can’t go over 100%.
The obvious theme above is opportunity cost, e.g., “Of course we can implement a new centralized identity directory: we just need $3 million for backfill, or we reduce capacity in these buckets.”
Set Them Free
I once managed a team that took the above one step further. They spun up a spreadsheet tracking the number of internal service engagements. When they hit capacity, it was time for me to pick the slip: disappoint customers or delay process improvement work. Of course this was my opportunity to fight for more people… (shout out to you-know-who)
Just as the Service Catalog organizes Capacity Management, this tool sets up SLA negotiations. Operational processes get squeezed the most. Leverage your capacity plan to set expectations about what you’ll need to maintain your SLAs as projects and improvement areas spring up. We all have to react now and then, but it’s a lot easier if you know you won’t be punished for it come review time.
If this all sounds a bit corny to you, run a couple of experiments. See if your team’s morale improves and if you have less stress asking folks to pivot onto something else. Just make sure you respect the percentages. See if you enjoy the feeling of making your boss choose between one bucket or another.
Capacity Management also ties closely into metrics. Our final Magnificent tool covers Operational Scorecards, and I can’t wait to write about it.