Developing Information Security Strategy: Conducting workshops and interviews

Introduction

This is Part 3 of our series on developing an information security (InfoSec) strategy. Throughout this series, we will be outlining how to use a design thinking process to help you create systems with which you can confidently secure your organization’s information. If you’re wondering, why you should consider having an InfoSec strategy, we recommend reading Part 1 of this series.

Figure 01: The six phases of the design thinking process for developing InfoSec strategy


In our previous article, we outlined one of the first stages: gathering information about your stakeholders’ daily operations and their corresponding requirements for an InfoSec strategy that will meet their needs. We suggested that you conduct a workshop with all the relevant stakeholders and then guide them through a Customer Profile Canvas exercise. We also defined the role of the workshop facilitator.

Following this workshop, the next step is to interview stakeholders individually or in small groups. In this article we’ll continue discussing the workshop stage and also introduce you to the next step: interviews.

The workshop: Setting expectations

During the canvas workshop stage, take some time to inform the participants that they can expect to be interviewed in the near future. You can use this venue to begin discussing the purpose of the interview sessions: to gain further insight into stakeholder InfoSec requirements. 

It is not common practice to conduct such workshops and interviews to collect requirements. In most organizations, InfoSec strategies are developed in silos and imposed on the business. Even if the responsible IT/security project team does collaborate with non-IT stakeholders, it may already have preconceived ideas and a specific end goal in mind, making it less open to genuinely considering outside input.

Again, the purpose of the workshops and interviews is to further define what your InfoSec strategy needs to include to adequately serve all of your organization’s stakeholders. What follows is a suggested order of actions to follow to coordinate a productive workshop.

First, explain to all the participants why your organization will be developing an InfoSec strategy and what the project entails. Keep your presentation simple: it should be easy for non-IT stakeholders to understand what the project is and why it matters. Highlight the benefits the organization would gain and emphasize the commitment you have already received from your directors. Depending on the stakeholders’ past experiences, you could encounter either pushback or cooperation. Make sure not to take their comments personally; instead, ask them the ‘5 Whys’ questions to understand the rationale behind their comments.

Next, call up a volunteer (ideally one you have briefed ahead of time) for a mock interview. During the interview, you’ll ask the volunteer a number of questions and record their answers on sticky notes, which you’ll then paste onto the canvas sheet. Using sticky notes lets you easily discard and replace statements as you learn more about your volunteer’s jobs, pains and gains. Conducting this mock interview will help all the involved stakeholders prepare appropriately for their own interviews.

In your workshop (and your future interviews), steer the conversation towards the activities that are directly impacted by security controls. By employing trigger questions, you can cue your interviewee to think within the context of your question and to provide responses relevant to their job areas. Some example trigger questions are:

  • How is information shared internally and externally? 

  • What access provisions are in place?

  • Are there periodic reviews of access to the systems used by the business (non-IT staff)?

  • What are the different classifications you have for your information?

  • What activities do you engage in that rely on email, especially ones related to sending or receiving money or sensitive information?

  • Are any non-office locations being used to conduct business (coffee shops, etc…)?

  • What is the impact when a software application hosted by the organization is inaccessible?

  • What external applications are you using to conduct business?

After the workshop, you will have your very first completed customer profile. If you find the answers aren’t particularly helpful or relevant, you may need to fine-tune your trigger questions before the interview sessions begin.

Conducting the interview

Once you have facilitated the design thinking workshop with your organization’s stakeholders, it is time to conduct small group interviews for each of your organization’s departments. Throughout the interview, encourage collaborative answers: when you ask a trigger question, your stakeholders can discuss it among themselves, clarify it with you and then provide a response.

The customer jobs you collect in a session could be something like this:

  • Access the ERP using credentials (username, password) that are different from those used to log in to the laptop

  • Compress the file with a password and then attach it to an email to an external recipient, to ensure that the file does not fall into the wrong hands

  • Accept proposals from vendors on USB drives

  • Store raw financial data on the department file share system

Ensure each job that is recorded clearly outlines the activity and how it is done. The “how it is done” will help you identify the security requirements around the activities performed by the department users.

The pain areas you collect could be similar to this:

  • It’s hard to remember multiple complex passwords that change every 30 days across different applications

  • No control over information once the client decrypts the file

  • Lack of visibility into sensitive information outside the department

  • At least 2 legitimate emails have been flagged as spam

Being specific when describing a pain area is also very important. Provide a metric such as “30 days” or “2 valid emails” when articulating the pain area.

Likewise, the gain areas you collect could be similar to this:

  • We are able to spot unsolicited emails

  • Lists of who has access to the applications used by our department are sent to us every six months

  • Awareness is provided to the new joiners as part of the induction process

  • Yearly mandatory educational videos on cybersecurity

All of the above information will be extremely valuable to the team responsible for developing the InfoSec strategy and implementing the security controls. Some of it will influence the strategy itself and some will influence the selection of security controls.

For example, let’s say you analyze the following pain areas:

(i) remembering complex passwords that change every 30 days, and

(ii) a typical user needing more than one credential to log in to the relevant information systems.

You can conclude from these that it would be a good idea to streamline employee identities by implementing a single sign-on system. At the end of the interviews, you should have one customer profile per department, similar to the hypothetical profile we developed in the previous article.

Figure 02: You should have one profile per department after the interview sessions.


Post-interview analysis

Look through all the customer profile canvas sheets. If you discover similar jobs, pains or gains across many profiles, prioritize them. Go back to the stakeholders for clarification if necessary.

Once you complete the analysis, summarize the baseline expectations (such as a single username and password for login) and the unique expectations from your stakeholders. Beyond spotting any anomalies in the data collection, there is no need to deep dive into the interviews and come up with recommendations at this point. Once you reach the end of the IDENTIFY phase, you will return to these profiles to analyze them further, in correlation with the other information you have collected.

Conclusion

In this article, we continued discussing the workshop stage and outlined how to conduct interviews. We also discussed the importance of the trigger questions and gave you some sample outcomes for the customer jobs, pains and gains. In the next article, we will conclude the Identify phase by discussing the other aspects that are important to move to the next phase.
