Developing Information Security Strategy: Conducting workshops and interviews
Introduction
This is Part 3 of our series on developing an information security (InfoSec) strategy. Throughout this series, we will be outlining how to use a design thinking process to help you create systems with which you can confidently secure your organization’s information. If you’re wondering why you should consider having an InfoSec strategy, we recommend reading Part 1 of this series.
In our previous article, we outlined one of the first stages: gathering information about your stakeholders’ daily operations and their corresponding requirements for an InfoSec strategy that will meet their needs. We suggested that you should conduct a workshop with all the relevant stakeholders and then guide them through a Customer Profile Canvas exercise. We also defined the role of the workshop facilitator.
Following this workshop, the next step you should take is to interview stakeholders on an individual or small group basis. In the following article we’ll continue discussing the workshop stage and also introduce you to the next step: interviews.
The workshop: Setting expectations
During the canvas workshop stage, take some time to inform the participants that they can expect to be interviewed in the near future. You can use this venue to begin discussing the purpose of the interview sessions: to gain further insight into stakeholder InfoSec requirements.
It is not common to conduct such workshops and interviews to collect requirements. In most organizations, InfoSec strategies are developed in silos and forced onto the business. Even if the responsible IT/security project team does collaborate with non-IT stakeholders, it may already have preconceived ideas and a specific end goal in mind, making it less open to actually considering outside input.
Again, the purpose of the workshops and interviews is to further define what your InfoSec strategy needs to include to adequately serve all of your organization’s stakeholders. What follows is a suggested order of actions to follow to coordinate a productive workshop.
First, you’ll want to explain to all the participants why your organization will be developing an InfoSec strategy and what the project entails. Your presentation should be simple (that is, it should be easy for non-IT stakeholders to understand what the project is and why it matters). Highlight the benefits that the organization would gain and emphasize the commitment that you have already received from your directors. Depending on the stakeholders’ past experiences, you could experience either pushback or cooperation. Make sure not to take their comments personally, but rather ask them the ‘5 Whys’ questions to understand the rationale behind their comments.
Next, call up a volunteer (one that you’ve hopefully already briefed ahead of time) for a mock interview. During the interview, you’ll ask the volunteer a number of questions and record their answers on sticky notes, which you’ll then paste onto the canvas sheet. Using sticky notes lets you easily eliminate and replace statements as you learn more about your volunteer’s jobs, pains and gains. Conducting this mock interview will help all the involved stakeholders appropriately prepare for their interviews.
In your workshop (and your future interviews), drive the conversation towards the activities that are directly impacted by security controls. By employing trigger questions, you can cue your interviewee to think within the context of your question and to provide responses relevant to their job areas. Some examples of trigger questions are:
How is information shared internally and externally?
What access provisions are in place?
Are there periodic reviews of access to the systems used by the business (non-IT staff)?
What are the different classifications you have for your information?
What activities do you engage in that rely on email? Especially ones that are related to sending or receiving money or sensitive information?
Are any non-office locations being used to conduct business (coffee shops, etc.)?
What is the impact when a software application hosted by the organization is inaccessible?
What external applications are you using to conduct business?
After the workshop, you will have your very first completed customer profile. If you find the answers aren’t particularly helpful or relevant, you may need to fine tune your trigger questions before the interview sessions begin.
Conducting the interview
Once you have facilitated the design thinking workshop with your organization’s stakeholders, it is time to conduct small group interviews for each of your organization’s departments. Throughout the interview, be sure to encourage collaborative answers. When you ask a trigger question, your stakeholders can discuss, clarify with you and then provide a response.
The customer jobs you collect in a session could be something like this:
Access the ERP using credentials (username, password) that are different from the ones used to log in to the laptop
Compress the file with a password and then attach it to an email to an external recipient, to ensure that the file does not fall into the wrong hands
Accept proposals from the vendors on USB drive
Store raw financial data on the department file share system
Ensure each job that is recorded clearly outlines the activity and how it is done. The “how it is done” will help you identify the security requirements around the activities performed by the department users.
The pain areas you collect could be similar to this:
It’s hard to remember multiple complex passwords that change every 30 days across different applications
No control over information once the client decrypts the file
Lack of visibility into sensitive information outside the department
At least 2 legitimate emails have been flagged as spam
Being specific when describing the pain area is also very important. Provide a metric such as “30 days” or “2 valid emails” when articulating the pain area.
Likewise, the gain areas you collect could be similar to this:
We are able to spot unsolicited emails
A list of who has access to the applications used by our department is sent to us every six months
Awareness is provided to the new joiners as part of the induction process
Yearly mandatory educational videos on Cybersecurity
All of the above information will be extremely valuable to the team responsible for developing the InfoSec strategy and implementing the security controls. Some of it will influence the strategy and some will influence the selection of security controls.
For example, let’s say you analyze the following pain areas:
(i) remembering complex passwords every 30 days
(ii) a typical user uses more than one credential to log in to the relevant information systems
You can conclude from these that it would be a good idea to streamline employee identities by implementing a single sign-on system. At the end of the interviews, you should have one customer profile per department, similar to the hypothetical profile we developed in the previous article.
Post-interview analysis
Look through all the customer profile canvas sheets. If you discover similar jobs, pains or gains across many profiles, prioritize them. Go back to the stakeholder for clarifications, if necessary.
Once you complete the analysis, summarize the baseline expectations (such as a single username and password for login) and the unique expectations from your stakeholders. Beyond spotting any anomalies in the data collection, there is no need to dive deeply into the interviews and come up with recommendations at this point. Eventually, once you reach the end of the IDENTIFY phase, you will return to these profiles to further analyze them, in correlation with other information you have collected.
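As an added example (not part of the original article), the post-interview analysis above can be made repeatable with a short Python script: it clusters similarly worded jobs, pains and gains across department canvases and separates baseline expectations (raised by most departments) from unique ones. The department names and canvas entries are constructed for illustration, and the word-overlap threshold is an assumption you would tune to your own notes.

```python
import re
PROFILES = {  # constructed sample canvases, not data from the article
    "Finance": {"jobs": ["Access the ERP using credentials different from the laptop login",
                         "Store raw financial data on the department file share"],
                "pains": ["Hard to remember multiple complex passwords every 30 days",
                          "At least 2 legitimate emails flagged as spam"],
                "gains": ["We are able to spot unsolicited emails"]},
    "HR": {"jobs": ["Access the HR system using credentials different from the laptop login"],
           "pains": ["Remembering complex passwords every 30 days across applications",
                     "No control over information once the candidate decrypts the file"],
           "gains": ["Awareness is provided to new joiners during induction"]},
    "Sales": {"jobs": ["Accept proposals from vendors on USB drive"],
              "pains": ["Multiple complex passwords to remember every 30 days",
                        "Lack of visibility into sensitive information outside the department"],
              "gains": ["Yearly mandatory educational videos on cybersecurity"]},
}
STOPWORDS = {"the", "a", "an", "to", "of", "on", "is", "are", "with", "from",
             "and", "into", "every", "across", "we"}

def tokens(text):
    """Lower-case content words of a sticky-note statement."""
    return {w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOPWORDS}

def similar(a, b, threshold=0.4):
    """Jaccard word overlap, so differently worded notes count as the same point."""
    ta, tb = tokens(a), tokens(b)
    return bool(ta | tb) and len(ta & tb) / len(ta | tb) >= threshold

def cluster(kind, threshold=0.4):
    """Group near-duplicate jobs/pains/gains across departments."""
    clusters = []  # list of (representative statement, set of departments)
    for dept, canvas in PROFILES.items():
        for statement in canvas[kind]:
            for rep, depts in clusters:
                if similar(rep, statement, threshold):
                    depts.add(dept)
                    break
            else:  # no existing cluster matched: start a new one
                clusters.append((statement, {dept}))
    return clusters

def baseline_and_unique(kind, min_share=0.5):
    """Baseline = raised by at least min_share of departments; the rest are unique."""
    baseline, unique = [], []
    for rep, depts in cluster(kind):
        target = baseline if len(depts) / len(PROFILES) >= min_share else unique
        target.append((rep, sorted(depts)))
    baseline.sort(key=lambda c: -len(c[1]))  # most widely shared first
    return baseline, unique
```

With these sample canvases, the password pain is the only baseline pain (all three departments raised it) and the separate-credentials job is the only baseline job, which is exactly the pattern that points towards single sign-on.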
Conclusion
In this article, we continued discussing the workshop stage and outlined how to conduct interviews. We also discussed the importance of the trigger questions and gave you some sample outcomes for the customer jobs, pains and gains. In the next article, we will conclude the Identify phase by discussing the other aspects that are important to move to the next phase.