While watching Alice in Wonderland today with the kids, I was reminded of dealing with Cyber Security in Healthcare Organizations. No, not because I think everyone in IT is mad! Although the cyber scene will make even the most sane person at least a little nutty. A conversation between Alice and the Mad Hatter got me thinking:
Alice: Would you tell me, please, which way I ought to go from here?
The Cheshire Cat: That depends a good deal on where you want to get to.
Alice: I don’t much care where.
The Cheshire Cat: Then it doesn’t much matter which way you go.
Alice: …So long as I get somewhere.
The Cheshire Cat: Oh, you’re sure to do that, if only you walk long enough.
Often in IT, we fix things. We have a million things on our list and so we start working. The cyber risk landscape is ever-changing, and often, as we are working to just get somewhere, we find that we are falling behind the times. In order to change our approach and make sure we are meeting goals and continuing to react to the changing times, we need to make sure our strategy for where we are going is effective.
The easiest way to get nowhere is by all of your staff just getting somewhere independently. Superiors need to make sure goals are set out and the path to get there is shared by the whole team. Creating a linked system that tracks who is doing what and what progress is being made helps with organization and planning. Regular reviews should be in place to give yourself checkpoints. Encourage staff to report with transparency and honesty. Checking your egos at the door will mean data is reported accurately. When risk is not appropriately reported upstream, priorities become distorted, resources aren’t made available and goals get altered. Quickly, you are headed somewhere but not where you need to go.
Simply put, you’re going to end up just going somewhere if you don’t have goals. To achieve goals, we must have both the resources and the plan to use them. To get resources, we have to accurately communicate risk upstream. To accurately communicate risk, we have to perform risk assessments and extract quality data. Discover, Analyze, Treat, Monitor. We all know the steps, but sometimes we get in our own way.
Make sure you take the time to analyze your security status, analyze yourself and how accurately you are reporting, and analyze your team to make sure you are all working on the same plan.
Here’s wishing you a good trip through Wonderland.