Educause Security Discussion mailing list archives

Re: success stories

From: Doug Markiewicz <dmarkiew+educause () ANDREW CMU EDU>
Date: Thu, 20 Nov 2008 08:58:33 -0500

On the policy front, we've used several methods to achieve support from senior management. When we put a policy in place to
address HIPAA security requirements, we worked up-front with the Office of General Counsel to ensure the policy accurately
reflected regulatory requirements and then it was simply a matter of saying, hey this is required by law. The policy was
accepted by the University without a hitch. It helped that it was our General Counsel that said that to the President's
Council (was approves all policies). We also spent a lot of time building relationships with HR and Student Health since they
were the primary stakeholders.

We're currently having a lot of success with our Information Security Policy proposal. Our technique there has really just been
understanding business requirements, being flexible and selling it in a manner that makes sense for whichever audience we're
presenting to. Letting people talk through their concerns and taking a real interest in addressing those concerns is also very valuable.
We've really had little resistance to this point and we're moving along much faster than I would have originally anticipated. I
guess this fits into relationship building with key players. There are just a lot of key players when dealing with something that impacts
the entire university.

In general, comparisons with peer institutions and industry standards also goes a long way for us in anything we do. Its
pretty much expected that we evaluate what other universities are doing. On occasion, an audit issue or an incident will
also help drive something forward. In my experience though you have to capitalize on those pretty quickly otherwise
priorities will shift and they'll be forgotten about.

Kathy Bergsma wrote:

I'm interested in hearing about your success stories engaging senior
management support for security initiatives.  What methods worked at
your institution?  I've suggested some methods below.  Let me know which
ones have worked for you and identify others ideas not listed.

Fear, uncertainty and doubt
Metaphors and analogies
Comparison with peer institutions
Financial benefits such as ROI (return on investment)
Leverage an incident
Metrics
Working behind the scenes
Ask forgiveness rather than permission
Little by little baby steps
Relationship building with key players?  Who are the key players
Other ideas

Current thread:

success stories Kathy Bergsma (Nov 19)
- <Possible follow-ups>
- Re: success stories Wayne Samardzich (Nov 19)
- Re: success stories Ardoth Hassler (Nov 19)
- Re: success stories Steve Brukbacher (Nov 19)
- Re: success stories Emilio Valente (Nov 19)
- Re: success stories Allison Dolan (Nov 19)
- Re: success stories Brenda B Gombosky (Nov 19)
- Re: success stories Bob Bayn (Nov 19)
- Re: success stories Lazor, Joseph (Nov 20)
- Re: success stories Doug Markiewicz (Nov 20)
- Re: success stories Steve Schuster (Nov 20)
- Re: success stories Suresh Balakrishnan (Nov 20)
- Re: success stories Brian T Nichols (Nov 20)
- Re: success stories Colleen Hurd (Nov 21)