Working for and with many CISOs, I've had the benefit of learning many approaches to managing teams and programs. In 2009 I started to formalize the most effective practices. A question I continue to struggle with is: why doesn't everyone manage their program proactively? The reasons vary and most are legitimate, e.g. culture, resources, expertise. At the end of the day, all these practices are discretionary. Companies can operate for years without investing in program management. As someone who's worked too many hours with too few resources, I definitely empathize. My commitment is to reduce the time and effort to improve by sharing how I and others manage programs, so the return is obvious to CISOs, executives, and staff.
Over the years, the number of management practices has remained at seven: Security Strategy, Balanced Scorecard, Security Risk Prioritization, Service Catalog, Role Definitions, Resource Allocation, and finally, Operational Scorecard.
I'll spread the details across 7 posts, sprinkled in with other newsworthy items. I'm excited to share how I've used them and seen them used in my travels. I'll also share which can benefit by evolving into software for efficiency and consistency. I'll also emphasize that the standardization and usability that software offers aren't the key success factors - you are. There's lots to write on this topic and here's a preview: the faster we standardize security management deliverables and processes, the faster you can spend more time on your unique technical and political realities.
My guess is that almost every CISO and experienced consultant has templates and versions of these tools lying around in Excel and PowerPoint. I hope we all continue to share and improve.
Links to the other Magnificent 7 posts.
Magnificent 7 - 1/7 Security Strategy
Magnificent 7 - 2/7 Balanced Scorecard
Magnificent 7 - 3/7 Risk and Investment Prioritization
Magnificent 7 - 4/7 Security Service Catalog
Magnificent 7 - 5/7 Know Your Role (RACI)
Magnificent 7 - 6/7 Capacity Management
Magnificent 7 - 7/7 Metrics and Scorecards