Questions from a decade ago . . .
Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .
So this article starts in my bedroom, cleaning out my closet. I finally decide that yes, I will never grow back into the size of these suits. I’ve lost a few pounds, and for way too long I worried that the day after I relinquish my suits, I will abandon all my new good habits and grow right back into the larger size again.
It’s happened before.
So I’m going through these suits, pulling various things out of their pockets, including that pen I thought a certain person had borrowed from me, or those sunglasses I swore I left on the beach.
Then — holy blazer Batman — I pull out a folded napkin, with a list of questions a Client and I had developed over a lunch. I didn’t recognize her handwriting, but I did recognize the notes. She had left them at the table, and I had intended to return them to her; an intent I never met.
I remember the lunch well. It preceded a user awareness talk to about three hundred people. I was nervous, because I wanted to focus on the upcoming talk, so she took notes. We were trying to work out a list of questions we would pose to management, in the committee meeting scheduled for the following day. Then we could focus on the user awareness talk.
You can see by the picture of this napkin that I folded the napkin. Like normal napkin-note-taking practices, she started taking notes on one side, then had to unfold it to take more notes, upside down to the first set of notes. Then the tenth note was put under the 4th. You can see that, unfolded, she wrote on a nice, large paper napkin. (I take my Clients to nice restaurants!) Very easy to write on.
[Editor’s note: we blurred the picture, to prevent identity from being revealed. While the company she worked for no longer exists, we were not able to reach our Client prior to publishing this blog post.]
I know exactly when this lunch and awareness training occurred, because a certain nephew’s funeral was held on the day after, and since I had agreed to provide training to 300 busy people, I was not going to get out of this particular engagement. I had hoped to run up to that funeral right after the committee meeting. I would miss the funeral, but still be with family afterwards.
So that’s how I know it was the spring of 2013.
How interesting it is now, in 2023, to unfold a napkin full of questions for management, ten years ago. How we were taking notes on napkins, instead of our phones. How she started out phrasing question three one way, then softened it. How the concern was awareness, and how that awareness was contingent on the need to start budgeting information security. Don’t forget, in the spring of 2013, we still hadn’t experienced the “parade of breach news,” as I called the weekly drip-drip of breach news that started with the Target Breach of December 2013. While the first incident of ransomware was in 1989, it sure hadn’t reached the radar of even most information security people. We were still trying to convince non-banks that there was a need for security.
The management team meeting was postponed. I don’t remember why, but postponing meetings to discuss security with management was not out of the ordinary back then. I was able to see my family in our grief, but I never did give that napkin back to her. (I suspect I typed the questions into an email, after returning from the funeral, so that she could pose them to management in the committee meeting that I never did get to attend.)
Here are the questions she wrote, for her management team, in 2013. Anything striking?
- Do you have visibility into how important security is for us?
- How do we ~~think about~~ go about deciding the likelihood that our reputation could be destroyed with just one security incident?
- ~~Do you have~~ How you go about addressing the legal and other requirements to have the ability to detect if an incident occurs?
- How does our team know how to respond if an incident does occur (use if, or should we use when???)
- What are the unique aspects of our business that could be affected by a security incident?
- How do we measure the risk exposure of new information technology actions such as new applications or vendors?
- Is the risk shifting to the endpoints now that we’re starting to access our systems remotely?
- How do we protect ourselves from those threats?
- What are the unique threats, not only from a confidentiality perspective, but also what if our systems went down for a long period of time?
- What are unique ways we can be aware of these threats? How do we know and how do we monitor them?
Some of you might know I have ascribed the term CyberPoet not only to myself, but to other members of the infotex team who I am actively coaching. Go ahead, roll your eyes! Dan’s New Leaf is now weekly, because it’s all in fun!
But you have to admit, the questions on that napkin – from ten years ago – prove that my organic advice – at least about information security strategy – RHYMES!
How poetic is that?!
Oh, by the way. Stacey won’t let me take those suits to Goodwill. Says it’s been too long since I had ’em cleaned.
Original article by Dan Hadaway CRISC CISA CISM. Founder and Managing Partner, infotex.
Dan’s New Leaf is a “fun blog to inspire thought in the area of IT Governance.”