Educause Security Discussion mailing list archives

Re: success stories


From: Steve Schuster <sjs74 () CORNELL EDU>
Date: Thu, 20 Nov 2008 13:42:13 -0500

We are engaged in most of the activities listed below with some being
more successful than others.  Hands down the activity that has shown
the most success and has proven the most beneficial to our security
cause is our incident response strategy when an incident involves
confidential data.  When this is the case I stand up our Data
Incident Response Team (DIRT) to talk through the situation and
determine what actions the university needs to take.  Since the DIRT
team involves the appropriate data steward, Dean or unit head where
the incident occurred, technical staff in that unit, CIO, University
Counsel, Audit, Risk Management, Police and a couple of others, all
the right people get to hear firsthand our challenges and the
consequences of when things don't go right.

After doing this for well over three years I don't need to spend much
time around campus trying to sell the need for security.

sjs

Steve Schuster
Director, IT Security Office
Cornell University
sjs74 () cornell edu




On Nov 19, 2008, at 2:21 PM, Kathy Bergsma wrote:

I'm interested in hearing about your success stories engaging senior
management support for security initiatives.  What methods worked
at your institution?  I've suggested some methods below.  Let me
know which ones have worked for you and identify other ideas not
listed.

Fear, uncertainty and doubt
Metaphors and analogies
Comparison with peer institutions
Financial benefits such as ROI (return on investment)
Leverage an incident
Metrics
Working behind the scenes
Ask forgiveness rather than permission
Little by little baby steps
Relationship building with key players?  Who are the key players?
Other ideas

--
Kathy Bergsma
UF Information Security Manager
352-392-2061

