Creating a Results Oriented Culture
Jack D. Nichelson
Director of Infrastructure & Security
Chart Industries
April 26, 2017
@Jack0Lope Jack@Nichelson.net
ACKNOWLEDGEMENTS
 Steve Holt, CIO - Chart Industries
 Craig Shular, CEO - GrafTech
 David Hilmer, VP & CIO - Graftech
 Erick Asmussen, VP & CFO - Graftech
 John Kocsis, Dir. IS Ops - Swagelok
 Jason Middaugh, Dir. Infrastructure - Cliffs
 Chris Clymer, Dir. Info Sec - MRK
 Matt Neely, Threat Manager - Progressive
 Bob Kemp, CISO - TA
 Chris Prewitt, VP Advisory Services - TrustedSec
 Ed Pollock, CISO - STERIS
“When the student is ready the master will appear”
JACK NICHELSON
• Director of Infrastructure & Security for Chart Industries.
• Executive MBA from Baldwin-Wallace University
• Recognized as one of the “People Who Made a Difference in Security” by the SANS Institute and received the CSO50 award for connecting security initiatives to business value.
• Adviser for Baldwin Wallace’s state-winning Collegiate Cyber Defense Competition (CCDC) team.
I defend my company's competitive advantage
by helping solve business problems through
technology to work faster and safer.
“Solving Problems, is my Passion”
GUT CHECK – TAKE OWNERSHIP
If I just had a better team, I would do better. "Wrong"
If I am a better leader, my team will be better. That is what I had to learn as a
leader and step up to make happen.
• Be Proactive – Focus on what you can influence
• Begin with the end in mind – Define practical outcomes
• Create a Problem Statement – A goal without a plan is just a wish
• Put first things first – Plan weekly, act daily
• Chart Performance & Adjust – Shine a light on the problem
“There are no bad teams, only bad leaders.” - Jocko Willink
GOOD ADVICE
The most important person for you to manage effectively is yourself. To grow
personally and professionally you need to know yourself before you can help
others.
“Think about how you can simplify security –
make it easy – and focus on the basics.” - Dave Kennedy
Recommendations:
 Take a step back and read “REWORK”
 Remove complexity – Start small
 Start at the epicenter, on what won’t change
 Focus on fewer problems that provide bigger returns
 Build an audience
 Keep score & publish it (Good or Bad)
KNOW YOUR STAKEHOLDERS
To make stuff that matters, you have to know what matters, so work on
solving the right problems.
Effective managers take the time to identify stakeholders and know their pain points.
 Security is about a lot more than just you
 You are taking actions to protect assets in the
stewardship of others
 You are making choices which will impact the ways
those around you conduct their business
“No one cares what you know until you show them
how much you care”
CUSTOMER SERVICE
We often focus on the problem and forget about the customer. They will
forget the problem you solved before they forget how you made them feel.
“The day people stop bringing you their problems is the day you have
stopped leading them” - Colin Powell
 Security is a support role…your job is to help others
safely do the things that make your organization
productive
 You cannot do this job without help
 Your employees are not subjects for you to dictate
rules to…they are your customers
 If you treat them well, they will be your “army of human
sensors”, bringing you all kinds of useful intel, and
helping to enforce policies you've developed to protect
them
JUST SAY MAYBE
Effective leadership requires collaboration and empathy for the other person.
It’s OK to be uncomfortable with the results
 Security has often been the Department of “No”
 Taking a hard stance as a “cyber policeman” can
seem to work…until you become perceived as an
obstacle
 If you are an obstacle, process will begin to be routed
around you
BE PROACTIVE
Change starts from within, so you have to make the decision to focus
on the things you can influence rather than reacting to the things
outside of your control.
Manage Yourself:
• Where and how are you spending your time & energy throughout the day?
• Make a list of the things that concern you and the things you can influence.
Ask yourself these 3 questions every day:
 Did I do my best to spend my time on things I can influence?
 Did I do my best to set and communicate clear goals?
 Did I do my best to make progress toward goal achievement?
“The 1st metric you need to track is yourself”
CONCERN VS. INFLUENCE
Hackers, Organized Crime, State Sponsored
Security Risks
Higher Difficulty (~10% of incidents)
• Advanced Persistent Threat
• Zero Day Attacks
• The Insider Threat
• BYOD
• Mobile Malware
• The “Cloud”
Lower Difficulty (~90% of incidents)
• Missing Patches
• Lost & Stolen Devices
• Local Admin Rights
• Phishing
• Poor Passwords
• Malware
Verizon's 2013 Data Breach Investigations Report (DBIR)
BEGIN WITH THE END IN MIND
If your ladder is not leaning against the right wall, every step you take gets
you to the wrong place faster.
“Try Not to Become a Success. Rather Become a Person of Value.”
First, do you know what “good” looks like?
• Break down the area you have influence over into functional parts that you and the stockholders can score and rank.
• Now that you have an agreed-upon heatmap of your current state, set short-term and long-term goals.
PROBLEM STATEMENT
The Problem Statement significantly clarifies the current situation by
specifically identifying the problem and its severity, likelihood, and impact. It
also serves as a great communication tool, helping to get buy-in and support
from others.
“A problem well stated is a problem half-solved.” — Charles Kettering
Build & Execute plans to drive for results & share
successes
 Invest more time in project planning and due diligence; time spent
defining the problem is NEVER time wasted.
 Write a Project Charter, clearly state the scope, objectives,
participants, and success measurements.
 Create a Work Breakdown Structure to graphically represent the
project scope, broken down in successive chunks with defined
deliverables.
PUT FIRST THINGS FIRST
Focus on the important, not just the urgent. The urgent are not that important,
and the important are never urgent.
“Effectiveness requires the integrity to act on your priorities”
Tips for taking back control of your time:
• Stop saying Yes when you want to say No.
• Schedule your own time with purpose & defend it!
• Don’t be afraid to close your email and turn off your phone
CHART PERFORMANCE & ADJUST
Gemba (現場) is a Japanese term referring to the place where value is created.
The idea of Gemba is that the problems are visible, and the best improvement
ideas will come from going to the Gemba.
“Good security is not something you have, it’s something you do” - Wendy Nather
SUMMARY – TAKE OWNERSHIP
If I just had a better team, I would do better. "Wrong"
If I am a better leader, my team will be better. That is what I had to learn as a
leader and step up to make happen.
• Be Proactive – Focus on what you can influence
• Begin with the end in mind – Define practical outcomes
• Create a Problem Statement – A goal without a plan is just a wish
• Put first things first – Plan weekly, act daily
• Chart Performance & Adjust – Shine a light on the problem
“There are no bad teams, only bad leaders.” - Jocko Willink
BOOK REFERENCES
Work Smarter and More Easily by “Sharpening Your Axe”
• The Five Dysfunctions of a Team – Patrick Lencioni
• Leading Change – John Kotter
• The 7 Habits of Highly Effective People – Dr. Covey
• The One Minute Manager – Ken Blanchard
• Extreme Ownership – Jocko Willink
• The Phoenix Project – Gene Kim
• What Got You Here Won’t Get You There – Goldsmith
• Leaders Eat Last – Simon Sinek
• The Ideal Team Player – Patrick Lencioni
• Death by Meeting – Patrick Lencioni
THANK YOU
Jack D. Nichelson
Director of Infrastructure & Security
Chart Industries
April 26, 2017
@Jack0Lope Jack@Nichelson.net
NETWORK
@Jack0Lope Jack@Nichelson.net
 No time like the present to put your soft skills to work
 Say hi to your neighbor…how can you help each other?
APPENDIX
VISUALIZATION: MULTI-LAYERED DEFENSE
HOW TO BUILD A SQDC BOARD
• Key Performance Indicators – Good data can tell a story
• Predictive Analysis – Your board should help prevent future issues
• Keep the data fresh and useful: address items as quickly as possible using LEAN tools and, once addressed, remove them from the board.
GEMBA BOARD: SECURITY
Security – The current security posture at a glance
“We measure things that matter”
Example Metrics:
• # of systems not monitored & tracked in inventory by Location or LoB
• # of Top Vulnerabilities by Location or LoB
• # of Legacy Systems by Location or LoB
• # of Users with Local Admin & Accounts with Domain Admin
• # of Total Security Incidents by Location or LoB
• # of Past Due Security Awareness Trainings by Location or LoB
GEMBA BOARD: QUALITY
Quality – Results for SLA goals of events & requests
Example Metrics:
• # of Servers & Workstations missing OS & App patches (30 day SLA)
• # of Infection/Re-Image tickets (3 day SLA)
• # of Security Event tickets (5 day SLA)
• # of Security Request tickets (15 day SLA)
• Cause Mapping Analysis to find root cause of problems
GEMBA BOARD: DELIVERY
Delivery – Active Projects & Audits at a glance
Example Metrics:
 Active Projects Status
 Active Audit Status
 Remediation Progress by Location or LoB
 On-Site Awareness Training by Location
GEMBA BOARD: COST
Cost – P&L at a glance
Example Metrics:
• Operating budget spending plan (OPEX & CAPEX)
• ROIC Qualitative Rating of Perceived Value
• Support Agreement Costs & Renewal dates
• Consultant Support Agreement Costs & Renewal dates
• Running total of cost savings
GEMBA BOARD: PEOPLE
People – Skills matrix at a glance
Example Metrics:
 Skills Matrix of everyone in Security
 Training and development plans
 On-Call & Vacation Schedules
 Awards
VISUALIZATION TECHNIQUES: THE HEATMAP
Impact
Low: No threat to core business functions.
Medium: Threat to core business functions, but the impact has not occurred yet, e.g. the ERP system is down but orders have not yet been missed.
High: Immediate impact to core business functions, e.g. products cannot be shipped, or core IP is lost.
Likelihood
Low: Happens once every 10 years, or less
Medium: Happens once every 1 to 10 years
High: Happens once or more a year
• Develop “Likelihood” to fit your org
• Develop “Impact” to fit your org
• Score potential risks “high”, “medium”, or “low” for each
• Map results to the heatmap
VISUALIZATION TECHNIQUES: RISK REGISTER
VISUALIZATION TECHNIQUES: THE SCORECARD
• Captures day-to-day operations in security
• One-page roll-up that can be presented to the CIO or used internally
• The “Operations” section captures work being done: creating firewall rules, patching systems, conducting awareness events
• The “Risk” section captures visibility into risk at the organization: number of scans, open vulnerabilities
• To the far right is the legend explaining the thresholds for each item
More Related Content

What's hot

Lec 19
Lec 19Lec 19
Final cycles overview jan 2019 with toolkit
Final cycles overview jan 2019 with toolkitFinal cycles overview jan 2019 with toolkit
Final cycles overview jan 2019 with toolkit
Bryan Cassady
 
The Cycles Toolkit
The Cycles ToolkitThe Cycles Toolkit
The Cycles Toolkit
Bryan Cassady
 
Metrics 3.0 andy cleff mha 2017
Metrics 3.0 andy cleff mha 2017Metrics 3.0 andy cleff mha 2017
Metrics 3.0 andy cleff mha 2017
AgileDenver
 
Problem solving and decision making copy
Problem solving and decision making   copyProblem solving and decision making   copy
Problem solving and decision making copy
Thiagarajan Sivasankaran
 
Bright Spots for Growth
Bright Spots for GrowthBright Spots for Growth
Bright Spots for Growth
Bryan Cassady
 
Smartcon 2015 – Automated Decisions in the Supply Chain
Smartcon 2015 – Automated Decisions in the Supply ChainSmartcon 2015 – Automated Decisions in the Supply Chain
Smartcon 2015 – Automated Decisions in the Supply ChainLars Trieloff
 
Cycles: The simplest, proven way to build your business
Cycles: The simplest, proven way to build your businessCycles: The simplest, proven way to build your business
Cycles: The simplest, proven way to build your business
Bryan Cassady
 
Communication hack fest-2018-final
Communication hack fest-2018-finalCommunication hack fest-2018-final
Communication hack fest-2018-final
Haydn Johnson
 
5 Cycles Remote Innovation - Systems
5 Cycles Remote Innovation -  Systems5 Cycles Remote Innovation -  Systems
5 Cycles Remote Innovation - Systems
Bryan Cassady
 
Visual project planning-en
Visual project planning-enVisual project planning-en
Visual project planning-en
SanjeevKumar683794
 
2 Cycles Remote Innovation - Alignment
2  Cycles Remote Innovation -  Alignment2  Cycles Remote Innovation -  Alignment
2 Cycles Remote Innovation - Alignment
Bryan Cassady
 
Thinking strategically
Thinking strategicallyThinking strategically
Thinking strategically
Kira Greer
 
The Fallacy Of Efficiency
The Fallacy Of EfficiencyThe Fallacy Of Efficiency
The Fallacy Of EfficiencyDan North
 
3 beliefs you need to let go to start you agile journey – Agile EE 2017
3 beliefs you need to let go to start you agile journey – Agile EE 20173 beliefs you need to let go to start you agile journey – Agile EE 2017
3 beliefs you need to let go to start you agile journey – Agile EE 2017
Antti Kirjavainen
 
On Letting go and building your business
On Letting go and building your businessOn Letting go and building your business
On Letting go and building your businessSideband Networks Inc.
 
Automated decision making with predictive applications – Big Data Brussels
Automated decision making with predictive applications – Big Data BrusselsAutomated decision making with predictive applications – Big Data Brussels
Automated decision making with predictive applications – Big Data Brussels
Lars Trieloff
 
Collaboration deep dive Agile India 2020
Collaboration deep dive Agile India 2020Collaboration deep dive Agile India 2020
Collaboration deep dive Agile India 2020
Craig Brown
 
Deep work
Deep workDeep work
Deep work
Multiverseom
 
Building a Strategic Business Case for your Product
Building a Strategic Business Case for your ProductBuilding a Strategic Business Case for your Product
Building a Strategic Business Case for your Product
Joe Raynus
 

What's hot (20)

Lec 19
Lec 19Lec 19
Lec 19
 
Final cycles overview jan 2019 with toolkit
Final cycles overview jan 2019 with toolkitFinal cycles overview jan 2019 with toolkit
Final cycles overview jan 2019 with toolkit
 
The Cycles Toolkit
The Cycles ToolkitThe Cycles Toolkit
The Cycles Toolkit
 
Metrics 3.0 andy cleff mha 2017
Metrics 3.0 andy cleff mha 2017Metrics 3.0 andy cleff mha 2017
Metrics 3.0 andy cleff mha 2017
 
Problem solving and decision making copy
Problem solving and decision making   copyProblem solving and decision making   copy
Problem solving and decision making copy
 
Bright Spots for Growth
Bright Spots for GrowthBright Spots for Growth
Bright Spots for Growth
 
Smartcon 2015 – Automated Decisions in the Supply Chain
Smartcon 2015 – Automated Decisions in the Supply ChainSmartcon 2015 – Automated Decisions in the Supply Chain
Smartcon 2015 – Automated Decisions in the Supply Chain
 
Cycles: The simplest, proven way to build your business
Cycles: The simplest, proven way to build your businessCycles: The simplest, proven way to build your business
Cycles: The simplest, proven way to build your business
 
Communication hack fest-2018-final
Communication hack fest-2018-finalCommunication hack fest-2018-final
Communication hack fest-2018-final
 
5 Cycles Remote Innovation - Systems
5 Cycles Remote Innovation -  Systems5 Cycles Remote Innovation -  Systems
5 Cycles Remote Innovation - Systems
 
Visual project planning-en
Visual project planning-enVisual project planning-en
Visual project planning-en
 
2 Cycles Remote Innovation - Alignment
2  Cycles Remote Innovation -  Alignment2  Cycles Remote Innovation -  Alignment
2 Cycles Remote Innovation - Alignment
 
Thinking strategically
Thinking strategicallyThinking strategically
Thinking strategically
 
The Fallacy Of Efficiency
The Fallacy Of EfficiencyThe Fallacy Of Efficiency
The Fallacy Of Efficiency
 
3 beliefs you need to let go to start you agile journey – Agile EE 2017
3 beliefs you need to let go to start you agile journey – Agile EE 20173 beliefs you need to let go to start you agile journey – Agile EE 2017
3 beliefs you need to let go to start you agile journey – Agile EE 2017
 
On Letting go and building your business
On Letting go and building your businessOn Letting go and building your business
On Letting go and building your business
 
Automated decision making with predictive applications – Big Data Brussels
Automated decision making with predictive applications – Big Data BrusselsAutomated decision making with predictive applications – Big Data Brussels
Automated decision making with predictive applications – Big Data Brussels
 
Collaboration deep dive Agile India 2020
Collaboration deep dive Agile India 2020Collaboration deep dive Agile India 2020
Collaboration deep dive Agile India 2020
 
Deep work
Deep workDeep work
Deep work
 
Building a Strategic Business Case for your Product
Building a Strategic Business Case for your ProductBuilding a Strategic Business Case for your Product
Building a Strategic Business Case for your Product
 

Similar to Creating a Results Oriented Culture

Empowering Outcome-Driven Teams by Ibotta PM
Empowering Outcome-Driven Teams by Ibotta PMEmpowering Outcome-Driven Teams by Ibotta PM
Empowering Outcome-Driven Teams by Ibotta PM
Product School
 
Information Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your VulnerabilitiesInformation Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your Vulnerabilities
Jack Nichelson
 
Ensuring Project Success Through Automated Risk Management
Ensuring Project Success Through Automated Risk ManagementEnsuring Project Success Through Automated Risk Management
Ensuring Project Success Through Automated Risk Management
Mitchell College
 
What is an IANS CISO Workshop? Factor 1
What is an IANS CISO Workshop? Factor 1What is an IANS CISO Workshop? Factor 1
What is an IANS CISO Workshop? Factor 1
IANS
 
What is an IANS CISO Workshop? Factor 6
What is an IANS CISO Workshop? Factor 6What is an IANS CISO Workshop? Factor 6
What is an IANS CISO Workshop? Factor 6
IANS
 
Jack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security MetricsJack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security Metrics
centralohioissa
 
Information Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsInformation Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security Metrics
Jack Nichelson
 
Project Rescue Operations
Project Rescue OperationsProject Rescue Operations
Project Rescue Operations
bdonaldson
 
Lean thinking and the agile culture
Lean thinking and the agile cultureLean thinking and the agile culture
Lean thinking and the agile culture
Alejandro Claro Mosqueda
 
Andy van der Gugten, Agile Tauranga 2018 Presentation
Andy van der Gugten, Agile Tauranga 2018 PresentationAndy van der Gugten, Agile Tauranga 2018 Presentation
Andy van der Gugten, Agile Tauranga 2018 Presentation
Software Education (SoftEd)
 
10 Questions Every Company Should Be Asking Itself About its Business Resilience
10 Questions Every Company Should Be Asking Itself About its Business Resilience10 Questions Every Company Should Be Asking Itself About its Business Resilience
10 Questions Every Company Should Be Asking Itself About its Business Resilience
Michael Bowers
 
What is an IANS CISO Workshop? Factor 2
What is an IANS CISO Workshop? Factor 2What is an IANS CISO Workshop? Factor 2
What is an IANS CISO Workshop? Factor 2
IANS
 
10 Critical Habits of Effective Security Managers
10 Critical Habits of Effective Security Managers10 Critical Habits of Effective Security Managers
10 Critical Habits of Effective Security Managers
Jack Nichelson
 
Reframing Leadership Brochure 2016
Reframing Leadership Brochure 2016Reframing Leadership Brochure 2016
Reframing Leadership Brochure 2016Philip Pryor
 
Improving Performance in Operations
Improving Performance in OperationsImproving Performance in Operations
Improving Performance in Operations
GovLoop
 
Chapter07_The+Power+Of+People_Final.pdf
Chapter07_The+Power+Of+People_Final.pdfChapter07_The+Power+Of+People_Final.pdf
Chapter07_The+Power+Of+People_Final.pdf
IrfanAkbarKazi
 
Fundamentals of Agile
Fundamentals of AgileFundamentals of Agile
Fundamentals of Agilesparkagility
 
Mckinsey 7s
Mckinsey 7sMckinsey 7s
Mckinsey 7s
Rohit Upadhyay
 
[Agile Portugal 2014] - Agile Decision Support System for Upper Management - ...
[Agile Portugal 2014] - Agile Decision Support System for Upper Management - ...[Agile Portugal 2014] - Agile Decision Support System for Upper Management - ...
[Agile Portugal 2014] - Agile Decision Support System for Upper Management - ...
Pedro Henriques
 

Similar to Creating a Results Oriented Culture (20)

Empowering Outcome-Driven Teams by Ibotta PM
Empowering Outcome-Driven Teams by Ibotta PMEmpowering Outcome-Driven Teams by Ibotta PM
Empowering Outcome-Driven Teams by Ibotta PM
 
Information Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your VulnerabilitiesInformation Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your Vulnerabilities
 
Ensuring Project Success Through Automated Risk Management
Ensuring Project Success Through Automated Risk ManagementEnsuring Project Success Through Automated Risk Management
Ensuring Project Success Through Automated Risk Management
 
What is an IANS CISO Workshop? Factor 1
What is an IANS CISO Workshop? Factor 1What is an IANS CISO Workshop? Factor 1
What is an IANS CISO Workshop? Factor 1
 
What is an IANS CISO Workshop? Factor 6
What is an IANS CISO Workshop? Factor 6What is an IANS CISO Workshop? Factor 6
What is an IANS CISO Workshop? Factor 6
 
Jack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security MetricsJack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security Metrics
 
Information Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsInformation Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security Metrics
 
Project Rescue Operations
Project Rescue OperationsProject Rescue Operations
Project Rescue Operations
 
Lean thinking and the agile culture
Lean thinking and the agile cultureLean thinking and the agile culture
Lean thinking and the agile culture
 
Andy van der Gugten, Agile Tauranga 2018 Presentation
Andy van der Gugten, Agile Tauranga 2018 PresentationAndy van der Gugten, Agile Tauranga 2018 Presentation
Andy van der Gugten, Agile Tauranga 2018 Presentation
 
10 Questions Every Company Should Be Asking Itself About its Business Resilience
10 Questions Every Company Should Be Asking Itself About its Business Resilience10 Questions Every Company Should Be Asking Itself About its Business Resilience
10 Questions Every Company Should Be Asking Itself About its Business Resilience
 
What is an IANS CISO Workshop? Factor 2
What is an IANS CISO Workshop? Factor 2What is an IANS CISO Workshop? Factor 2
What is an IANS CISO Workshop? Factor 2
 
10 Critical Habits of Effective Security Managers
10 Critical Habits of Effective Security Managers10 Critical Habits of Effective Security Managers
10 Critical Habits of Effective Security Managers
 
Reframing Leadership Brochure 2016
Reframing Leadership Brochure 2016Reframing Leadership Brochure 2016
Reframing Leadership Brochure 2016
 
Improving Performance in Operations
Improving Performance in OperationsImproving Performance in Operations
Improving Performance in Operations
 
Chapter07_The+Power+Of+People_Final.pdf
Chapter07_The+Power+Of+People_Final.pdfChapter07_The+Power+Of+People_Final.pdf
Chapter07_The+Power+Of+People_Final.pdf
 
Fundamentals of Agile
Fundamentals of AgileFundamentals of Agile
Fundamentals of Agile
 
591lecturenotes
591lecturenotes591lecturenotes
591lecturenotes
 
Mckinsey 7s
Mckinsey 7sMckinsey 7s
Mckinsey 7s
 
[Agile Portugal 2014] - Agile Decision Support System for Upper Management - ...
[Agile Portugal 2014] - Agile Decision Support System for Upper Management - ...[Agile Portugal 2014] - Agile Decision Support System for Upper Management - ...
[Agile Portugal 2014] - Agile Decision Support System for Upper Management - ...
 

Recently uploaded

在线办理(UVic毕业证书)维多利亚大学毕业证录取通知书一模一样
在线办理(UVic毕业证书)维多利亚大学毕业证录取通知书一模一样在线办理(UVic毕业证书)维多利亚大学毕业证录取通知书一模一样
在线办理(UVic毕业证书)维多利亚大学毕业证录取通知书一模一样
tdt5v4b
 
原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样
原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样
原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样
tdt5v4b
 
在线办理(Murdoch毕业证书)莫道克大学毕业证电子版成绩单一模一样
在线办理(Murdoch毕业证书)莫道克大学毕业证电子版成绩单一模一样在线办理(Murdoch毕业证书)莫道克大学毕业证电子版成绩单一模一样
在线办理(Murdoch毕业证书)莫道克大学毕业证电子版成绩单一模一样
tdt5v4b
 
Senior Project and Engineering Leader Jim Smith.pdf
Senior Project and Engineering Leader Jim Smith.pdfSenior Project and Engineering Leader Jim Smith.pdf
Senior Project and Engineering Leader Jim Smith.pdf
Jim Smith
 
Training- integrated management system (iso)
Training- integrated management system (iso)Training- integrated management system (iso)
Training- integrated management system (iso)
akaash13
 
Protected Workmen required today for growth
Protected Workmen required today for growthProtected Workmen required today for growth
Protected Workmen required today for growth
rivaraj2711
 
TCS AI for Business Study – Key Findings
TCS AI for Business Study – Key FindingsTCS AI for Business Study – Key Findings
TCS AI for Business Study – Key Findings
Tata Consultancy Services
 
W.H.Bender Quote 66 - ServPoints Sequence of Service™ should be Identified fo...
W.H.Bender Quote 66 - ServPoints Sequence of Service™ should be Identified fo...W.H.Bender Quote 66 - ServPoints Sequence of Service™ should be Identified fo...
W.H.Bender Quote 66 - ServPoints Sequence of Service™ should be Identified fo...
William (Bill) H. Bender, FCSI
 
Case Analysis - The Sky is the Limit | Principles of Management
Case Analysis - The Sky is the Limit | Principles of ManagementCase Analysis - The Sky is the Limit | Principles of Management
Case Analysis - The Sky is the Limit | Principles of Management
A. F. M. Rubayat-Ul Jannat
 
原版制作(CDU毕业证书)查尔斯达尔文大学毕业证PDF成绩单一模一样
原版制作(CDU毕业证书)查尔斯达尔文大学毕业证PDF成绩单一模一样原版制作(CDU毕业证书)查尔斯达尔文大学毕业证PDF成绩单一模一样
原版制作(CDU毕业证书)查尔斯达尔文大学毕业证PDF成绩单一模一样
tdt5v4b
 
一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证
一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证
一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证
gcljeuzdu
 
W.H.Bender Quote 65 - The Team Member and Guest Experience
W.H.Bender Quote 65 - The Team Member and Guest ExperienceW.H.Bender Quote 65 - The Team Member and Guest Experience
W.H.Bender Quote 65 - The Team Member and Guest Experience
William (Bill) H. Bender, FCSI
 
Leadership Ethics and Change, Purpose to Impact Plan
Leadership Ethics and Change, Purpose to Impact PlanLeadership Ethics and Change, Purpose to Impact Plan
Leadership Ethics and Change, Purpose to Impact Plan
Muhammad Adil Jamil
 
SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....
SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....
SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....
juniourjohnstone
 
Founder-Game Director Workshop (Session 1)
Founder-Game Director  Workshop (Session 1)Founder-Game Director  Workshop (Session 1)
Founder-Game Director Workshop (Session 1)
Amir H. Fassihi
 
CV Ensio Suopanki1.pdf ENGLISH Russian Finnish German
CV Ensio Suopanki1.pdf ENGLISH Russian Finnish GermanCV Ensio Suopanki1.pdf ENGLISH Russian Finnish German
CV Ensio Suopanki1.pdf ENGLISH Russian Finnish German
EUS+ Management & Consulting Excellence
 

Recently uploaded (16)

在线办理(UVic毕业证书)维多利亚大学毕业证录取通知书一模一样
在线办理(UVic毕业证书)维多利亚大学毕业证录取通知书一模一样在线办理(UVic毕业证书)维多利亚大学毕业证录取通知书一模一样
在线办理(UVic毕业证书)维多利亚大学毕业证录取通知书一模一样
 
原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样
原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样
原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样
 
在线办理(Murdoch毕业证书)莫道克大学毕业证电子版成绩单一模一样
在线办理(Murdoch毕业证书)莫道克大学毕业证电子版成绩单一模一样在线办理(Murdoch毕业证书)莫道克大学毕业证电子版成绩单一模一样
在线办理(Murdoch毕业证书)莫道克大学毕业证电子版成绩单一模一样
 
Senior Project and Engineering Leader Jim Smith.pdf
Senior Project and Engineering Leader Jim Smith.pdfSenior Project and Engineering Leader Jim Smith.pdf
Senior Project and Engineering Leader Jim Smith.pdf
 
Training- integrated management system (iso)
Training- integrated management system (iso)Training- integrated management system (iso)
Training- integrated management system (iso)
 
Protected Workmen required today for growth
Protected Workmen required today for growthProtected Workmen required today for growth
Protected Workmen required today for growth
 
TCS AI for Business Study – Key Findings
TCS AI for Business Study – Key FindingsTCS AI for Business Study – Key Findings
TCS AI for Business Study – Key Findings
 
W.H.Bender Quote 66 - ServPoints Sequence of Service™ should be Identified fo...
W.H.Bender Quote 66 - ServPoints Sequence of Service™ should be Identified fo...W.H.Bender Quote 66 - ServPoints Sequence of Service™ should be Identified fo...
W.H.Bender Quote 66 - ServPoints Sequence of Service™ should be Identified fo...
 
Case Analysis - The Sky is the Limit | Principles of Management
Case Analysis - The Sky is the Limit | Principles of ManagementCase Analysis - The Sky is the Limit | Principles of Management
Case Analysis - The Sky is the Limit | Principles of Management
 
原版制作(CDU毕业证书)查尔斯达尔文大学毕业证PDF成绩单一模一样
原版制作(CDU毕业证书)查尔斯达尔文大学毕业证PDF成绩单一模一样原版制作(CDU毕业证书)查尔斯达尔文大学毕业证PDF成绩单一模一样
原版制作(CDU毕业证书)查尔斯达尔文大学毕业证PDF成绩单一模一样
 
一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证
一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证
一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证
 
W.H.Bender Quote 65 - The Team Member and Guest Experience
W.H.Bender Quote 65 - The Team Member and Guest ExperienceW.H.Bender Quote 65 - The Team Member and Guest Experience
W.H.Bender Quote 65 - The Team Member and Guest Experience
 
Leadership Ethics and Change, Purpose to Impact Plan
Leadership Ethics and Change, Purpose to Impact PlanLeadership Ethics and Change, Purpose to Impact Plan
Leadership Ethics and Change, Purpose to Impact Plan
 
SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....
SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....
SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....
 
Founder-Game Director Workshop (Session 1)
Founder-Game Director  Workshop (Session 1)Founder-Game Director  Workshop (Session 1)
Founder-Game Director Workshop (Session 1)
 
CV Ensio Suopanki1.pdf ENGLISH Russian Finnish German
CV Ensio Suopanki1.pdf ENGLISH Russian Finnish GermanCV Ensio Suopanki1.pdf ENGLISH Russian Finnish German
CV Ensio Suopanki1.pdf ENGLISH Russian Finnish German
 

Creating a Results Oriented Culture

  • 1. Creating a Results Oriented Culture Jack D. Nichelson Director of Infrastructure & Security Chart Industries April 26, 2017 @Jack0LopeJack@Nichelson.net
  • 2. ACKNOWLEDGEMENTS  Steve Holt, CIO - Chart Industries  Craig Shular, CEO - GrafTech  David Hilmer, VP & CIO - Graftech  Erick Asmussen, VP & CFO - Graftech  John Kocsis, Dir. IS Ops - Swagelok  Jason Middaugh, Dir. Infrastructure - Cliffs  Chris Clymer, Dir. Info Sec - MRK  Matt Neely, Threat Manager - Progressive  Bob Kemp, CISO - TA  Chris Prewitt, VP Advisory Services - TrustedSec  Ed Pollock, CISO - STERIS “When the student is ready the master will appear”
  • 3. JACK NICHELSON  Director of Infrastructure & Security for Chart Industries.  Executive MBA from Baldwin-Wallace University  Recognized as one of the “People Who Made a Difference in Security” by the SANS Institute and received the CSO50 award for connecting security initiatives to business value.  Adviser for Baldwin Wallace’s state-winning Collegiate Cyber Defense Competition (CCDC) team. I defend my company's competitive advantage by helping solve business problems through technology to work faster and safer. “Solving Problems is my Passion”
  • 4. GUT CHECK – TAKE OWNERSHIP If I just had a better team, I would do better. "Wrong" If I am a better leader, my team will be better. That is what I had to learn as a leader and step up to make happen.  Be Proactive – Focus on what you can influence  Begin with the end in mind – Define practical outcomes  Create a Problem Statement – A goal without a plan is just a wish  Put first thing first – Plan weekly, act daily  Chart Performance & Adjust – Shine a light on the problem “There are no bad teams, only bad leaders.” - Jocko Willink
  • 5. GOOD ADVICE The most important person for you to manage effectively is yourself. To grow personally and professionally you need to know yourself before you can help others. “Think about how you can simplify security – make it easy – and focus on the basics.” - Dave Kennedy Recommendations:  Take a step back and read “REWORK”  Remove complexity – Start small  Start at the epicenter, on what won’t change  Focus on fewer problems that provide bigger returns  Build an audience  Keep score & publish it (Good or Bad)
  • 6. KNOW YOUR STAKEHOLDERS To make stuff that matters, you have to know what matters so work on solving the right problems. Effective managers take the time to identify stakeholders and know their pain points.  Security is about a lot more than just you  You are taking actions to protect assets in the stewardship of others  You are making choices which will impact the ways those around you conduct their business “No one cares what you know until you show them how much you care”
  • 7. CUSTOMER SERVICE We often focus on the problem and forget about the customer. They will forget the problem you solved before they forget how you made them feel. “The day people stop bringing you their problems is the day you have stopped leading them” - Colin Powell  Security is a support role…your job is to help others safely do the things that make your organization productive  You cannot do this job without help  Your employees are not subjects for you to dictate rules to…they are your customers  If you treat them well, they will be your “army of human sensors”, bringing you all kinds of useful intel, and helping to enforce policies you've developed to protect them
  • 8. JUST SAY MAYBE Effective leadership requires collaboration and empathy for the other person. It’s OK to be uncomfortable with the results  Security has often been the Department of “No”  Taking a hard stance as a “cyber policeman” can seem to work…until you become perceived as an obstacle  If you are an obstacle, process will begin to be routed around you
  • 9. BE PROACTIVE Change starts from within, so you have to make the decision to focus on the things you can influence rather than reacting to the things outside of your control. Manage Yourself:  Where and how are you spending your time & energy throughout the day?  Make a list of the things that concern you and things you can Influence. Ask yourself these 3 questions every day:  Did I do my best to spend my time on things I can influence?  Did I do my best to set and communicate clear goals?  Did I do my best to make progress toward goal achievement? “The 1st metric you need to track is yourself”
  • 10. CONCERN VS. INFLUENCE Hackers, Organized Crime, State Sponsored. Security Risks: Higher Difficulty (~10% of incidents): Advanced Persistent Threat, Zero Day Attacks, The Insider Threat, BYOD, Mobile Malware, The “Cloud”. Lower Difficulty (~90% of incidents): Missing Patches, Lost & Stolen Devices, Local Admin Rights, Phishing, Poor Passwords, Malware. Source: Verizon's 2013 Data Breach Investigations Report (DBIR)
  • 11. BEGIN WITH THE END IN MIND If your ladder is not leaning against the right wall, every step you take gets you to the wrong place faster. “Try Not to Become a Success. Rather Become a Person of Value.” First, do you know what “good” looks like?  Break down the area you have influence over into functional parts that you and the stockholders can score and rank.  Now that you have an agreed upon heatmap of your current state, set short term and long term goals.
  • 12. PROBLEM STATEMENT The Problem Statement significantly clarifies the current situation by specifically identifying the problem and its severity, likelihood, and impact. It also serves as a great communication tool, helping to get buy-in and support from others. “A problem well stated is a problem half-solved.” — Charles Kettering Build & Execute plans to drive for results & share successes  Invest more time in project planning and due diligence; time spent defining the problem is NEVER time wasted.  Write a Project Charter, clearly state the scope, objectives, participants, and success measurements.  Create a Work Breakdown Structure to graphically represent the project scope, broken down in successive chunks with defined deliverables.
  • 13. PUT FIRST THINGS FIRST Focus on the important, not just the urgent. The urgent are not that important, and the important are never urgent. “Effectiveness requires the integrity to act on your priorities” Tips for taking back control of your time:  Stop saying Yes when you want to say No.  Schedule your own time with purpose & defend it!  Don’t be afraid to close your email and turn off your phone
  • 14. CHART PERFORMANCE & ADJUST Gemba (現場) is a Japanese term referring to the place where value is created. The idea of Gemba is that the problems are visible, and the best improvement ideas will come from going to the Gemba. “Good security is not something you have, it’s something you do” - Wendy Nather
  • 15. SUMMARY – TAKE OWNERSHIP If I just had a better team, I would do better. "Wrong" If I am a better leader, my team will be better. That is what I had to learn as a leader and step up to make happen.  Be Proactive – Focus on what you can influence  Begin with the end in mind – Define practical outcomes  Create a Problem Statement – A goal without a plan is just a wish  Put first thing first – Plan weekly, act daily  Chart Performance & Adjust – Shine a light on the problem “There are no bad teams, only bad leaders.” - Jocko Willink
  • 16. BOOK REFERENCES Work Smarter and More Easily by “Sharpening Your Axe”  The Five Dysfunctions of a Team – Patrick Lencioni  Leading Change – John Kotter  The 7 Habits of Highly Effective People – Dr. Covey  The 1 Minute Manager – Ken Blanchard  Extreme Ownership – Jocko Willink  The Phoenix Project – Gene Kim  What got you Here won’t get you There – Goldsmith  Leaders Eat Last – Simon Sinek  The Ideal Team Player – Patrick Lencioni  Death by Meeting – Patrick Lencioni
  • 17. THANK YOU Jack D. Nichelson Director of Infrastructure & Security Chart Industries April 26, 2017 @Jack0Lope Jack@Nichelson.net
  • 18. NETWORK @Jack0Lope Jack@Nichelson.net  No time like the present to put your soft skills to work  Say hi to your neighbor…how can you help each other?
  • 22. HOW TO BUILD A SQDC BOARD  Key Performance Indicators – Good data can tell a story  Predictive Analysis – Your board should help prevent future issues  Keep the data fresh and useful, address items as quickly as possible using LEAN tools, and once addressed remove them from the board.
  • 23. GEMBA BOARD: SECURITY “We measure things that matter” Example Metrics:  # of systems not monitored & tracked in inventory by Location or LoB  # Top Vulnerabilities by Location or LoB  # of Legacy Systems by Location or LoB  # of Users with Local Admin & Accounts with Domain Admin  # of Total Security Incidents by Location or LoB  # of Past Due Security Awareness Training by Location or LoB Security - The current security posture at a glance
  • 24. GEMBA BOARD: QUALITY Example Metrics:  # of Servers & Workstations missing OS & App patches (30 day SLA)  # of infections/Re-Image tickets (3 day SLA)  # of Security Event tickets (5 day SLA)  # of Security Request tickets (15 day SLA)  Cause Mapping Analysis to find root cause of problems Quality – Results for SLA goals of events & requests
  • 25. GEMBA BOARD: DELIVERY Delivery – Active Projects & Audits at a glance Example Metrics:  Active Projects Status  Active Audit Status  Remediation Progress by Location or LoB  On-Site Awareness Training by Location
  • 26. GEMBA BOARD: COST Cost – P&L at a glance Example Metrics:  Operating budget spending plan (OPEX & CAPEX)  ROIC Qualitative Rating of Perceived Value  Support Agreement Costs & Renewal dates  Consultant Support Agreement Costs & Renewal dates  Running total of cost savings
  • 27. GEMBA BOARD: PEOPLE People – Skills matrix at a glance Example Metrics:  Skills Matrix of everyone in Security  Training and development plans  On-Call & Vacation Schedules  Awards
  • 28. VISUALIZATION TECHNIQUES: THE HEATMAP
    Impact:
      Low – No threat to core business function impact
      Medium – Threat to core business function impact, but has not occurred yet. i.e. ERP system is down but have not yet missed orders
      High – Immediate impact to core business functions. i.e. products cannot be shipped, or core IP is lost.
    Likelihood:
      Low – Happens once every 10 years, or less
      Medium – Happens once every 1 to 10 years
      High – Happens once or more a year
    • Develop “Likelihood” to fit your org
    • Develop “Impact” to fit your org
    • Score potential risks “high”, “medium”, or “low” for each
    • Map results to the heatmap
  • 31. VISUALIZATION TECHNIQUES: THE SCORECARD  Captures day-to-day operations in security  One-page roll-up that can be presented to CIO, or used internally  “Operations” section captures work being done: creating firewall rules, patching systems, conducting awareness events  The “Risk” section captures visibility into risk at the organization. Number of scans, open vulnerabilities  To the far right is the legend explaining the thresholds for each item
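
The heatmap procedure on slide 28 (score each risk for likelihood and impact, then map it to the grid), as an added example that is not part of the original deck. The function names, the two yes/no impact questions and the sample risk register are assumptions made for illustration; the Low/Medium/High thresholds are the ones the slide states.

```python
from collections import defaultdict

LEVELS = ("Low", "Medium", "High")

def likelihood(years_between_events: float) -> str:
    """Slide 28 scale: High = once or more a year, Medium = once every
    1 to 10 years, Low = once every 10 years or less."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    if years_between_events <= 1:
        return "High"
    if years_between_events < 10:
        return "Medium"
    return "Low"

def impact(threatens_core: bool, already_disrupting: bool) -> str:
    """Slide 28 scale: High = immediate impact on a core business function,
    Medium = core function threatened but no loss yet, Low = no threat."""
    if not threatens_core:
        return "Low"
    return "High" if already_disrupting else "Medium"

def build_heatmap(risks):
    """Return {(impact, likelihood): [risk names]} for every scored risk."""
    grid = defaultdict(list)
    for name, years, core, disrupting in risks:
        grid[(impact(core, disrupting), likelihood(years))].append(name)
    return dict(grid)

def render(grid) -> str:
    """Text heatmap: impact on rows (High at top), likelihood on columns."""
    lines = ["Impact \\ Likelihood | " + " | ".join(LEVELS)]
    for imp in reversed(LEVELS):
        cells = [", ".join(grid.get((imp, lik), [])) or "-" for lik in LEVELS]
        lines.append(f"{imp:<19} | " + " | ".join(cells))
    return "\n".join(lines)

# Constructed sample register (not from the deck): (risk, years between
# events, threatens a core business function?, already disrupting it?)
SAMPLE_RISKS = [
    ("Phishing", 0.1, True, False),
    ("Missing patches", 0.5, True, False),
    ("Lost laptop", 1, False, False),
    ("ERP down, no missed orders", 3, True, False),
    ("Core IP lost", 25, True, True),
]

if __name__ == "__main__":
    print(render(build_heatmap(SAMPLE_RISKS)))
```

Replace the two scoring functions with definitions agreed with your stakeholders; the grid and rendering stay the same.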

Editor's Notes

  1. A problem well stated is a problem half-solved. —Charles Kettering
  17. A good goal should scare you a little, and excite you a lot.