It has been said “When it comes to achieving excellence, figuring out what needs to be done isn’t nearly as difficult as continuing to do what needs to be done over the long term.” A recent internal project illustrated this adage all too well.
As we continually seek to improve the excellence of our professional services delivery, a friend suggested we review "Six Disciplines for Excellence" (a system intended to ensure that an organization diligently executes on a well-formed strategy). In reviewing the methodology and considering its potential role in our services delivery function, it occurred to me that it is also highly applicable to managing an Information Security Management System (ISMS).
The system has six disciplines that are applied in a linear, continual cycle:
- Decide What’s Important – Understand what your long term vision is and what your short term priorities are
- Set Goals That Lead – Identify the initiatives and projects necessary to achieve your priorities and vision
- Align Systems – Ensure the processes, policies, technologies, metrics, and people are aligned with your priorities and vision
- Work the Plan – Execute on your priorities and vision
- Innovate Purposefully – Learn and grow during the process
- Step back – Based on internal changes, external changes, and lessons learned, revisit your performance. Then start over…
In thinking about how well we performed in each of these areas, I graded us as follows:
- Decide What’s Important – B+ (We have a bunch of smart people who understand what we do; if we didn’t get myopic on occasion this would be an A)
- Set Goals That Lead – B (We usually identify the required initiatives, but sometimes don’t flesh them out enough to ensure they will be realized)
- Align Systems – D (This requires time, and we are usually busy enough that it often takes a back seat)
- Work the Plan – C (We have a bunch of people who work hard; unfortunately we sometimes need to “work around” misaligned processes, technologies, etc.)
- Innovate Purposefully – B (Smart people innovate; unfortunately the lack of alignment means we’re innovating fixes to symptoms instead of addressing the underlying problems)
- Step back – A (Last year we implemented a program to “close the loop” on our service delivery process to make sure feedback is captured and flaws are identified)
Interestingly, I believe these grades closely match those we see during information security assessments. Most entities would get very good grades for Steps 1, 2, and 6 (strategy), largely because they usually have smart people. They would get good grades for Steps 4 and 5 (execution) because they usually have people who work hard and will find a way to get the job done despite obstacles.
The breakdown we most typically see is in Step 3: bridging the gap between strategy and execution, and making sure that the critical processes, technologies, and personnel are in place to realize the strategy.
Hopefully our efforts to address our “excellence donut” (the hole in the middle of our systematic approach) will yield insights that we can share with our clients…
About the Author:
John W. Verry, CISA/27001 Lead Auditor/CCSE/CRISC - "Security Sherpa" - Information Security Auditor