Finding The Hidden InfoSec Story

Are You a Doctor No or the Man from Del Monte?


This analogy is based on a true story.

During a work assignment I interviewed a broad range of stakeholders across a business delivering critical services to 3.5 million people.

I bumped into the executive director, who had approved my engagement, in a corridor. Intrigued to know the results, before I’d had time to prepare the report, he asked me what I had discovered.

“I’m afraid,” I said, “I have an issue. The problem involves your IT Security Manager.” His face took on a pained expression of resignation. “Ah yes. My colleagues often share their and their teams’ frustration with me about the security function.”

“What do they say to you?” I enquired.

“How inflexible IT security is and how it’s stifling their ability to leverage business opportunities. I keep getting it in the neck.”

“I’m afraid it’s worse than that,” I said. Now I had his attention. “Your IT Security Manager has a nickname.” Now he looked quizzical. “He’s called Dr. No.”

“Why?” the executive asked. I replied, “Because he mainly says ‘No’ to enquiries from people, and consequently he’s perceived as the ‘bad guy’ spoiling the party and affecting their performance.”

“How can we turn this around?” asked the executive.

“We need a re-branding exercise,” was my response. This caught him totally by surprise. “Isn’t that more to do with marketing?” he replied.

“Not entirely,” I replied. “Perception is everything. So, as long as the business’s perception, or as marketing folk would call it the ‘brand’, of IT Security remains that of Dr. No, you have a problem.”

“Why does he have to say no so often?” asked the executive. “It’s a mixture of things,” I replied, “but mainly self-preservation! Business stakeholders are approaching him too late in the project lifecycle or change management process for his input. Last week he was approached to review the outsourcing of HR processes and data with two weeks to launch, having already chosen the preferred supplier. He naturally said he couldn’t sign this off.”

“I’d heard about that. We do have a policy on that!” he exclaimed. I confirmed that was the case, but his colleagues weren’t aware of it or chose not to acknowledge it. “Either way, when you combine this with severe under-resourcing, in this case one person to support 3000+, the IT Security Manager has no time to do what he wants to do, which is give good advice about risk. He had to say No.”

“Anything else?” the executive enquired. “Yes, I’ve actually uncovered a worrying trend for people not to engage with the IT Security Manager at all because of the Dr. No brand.” He didn’t look surprised. I added, “This means the risks you own and report on to the Board and audit committee are probably not accurate.” His attention was re-focused.

“OK,” said the executive, “so instead of Dr. No, how do we want our IT Security Manager to be perceived?”

I replied, “The Man from Del Monte.”

For those of you in Generation Y, the Man from Del Monte was a character in an orange juice advert who was responsible for letting the fruit pickers know when to pick the oranges. He’d do this by saying “yes”. The crowds would go wild; he was seen as an enabler, and he also wore a great suit and panama hat. He was liked by all.

With a wry smile the executive got it. “He says YES!!” came his response.

“That’s right,” I replied. “Nice analogy,” he retorted.

So how did the story pan out?

The transformation from Dr. No to the Man from Del Monte took a little time, but it wasn’t a complicated exercise or difficult to sell to the business. All agreed that they wanted to hear fewer “No”s, and IT Security wanted to be able to say “Yes” more often.

It was understood that so long as IT Security was not engaged at the beginning of a project, and resourcing levels remained at the current minimal level, “No, I can’t approve your request now” would be, by far, the most common answer.

The business didn’t want to increase the IT Security budget. No surprise there! So it had some stark choices to make: engage IT Security at the earliest point in the project life cycle, or face the prospect of hearing “No” more often than “Yes”. Unsurprisingly, the business chose to make enquiries much earlier. This allowed the IT Security Manager to schedule his workload more effectively, to comply fully with the organisation’s policies and procedures, and to support the business in leveraging opportunities wherever possible.

Most importantly, because we measured the number of enquiries received, and the Yes and No responses, over a period of time, we were able to demonstrate that the IT Security Manager was much more likely to be the Man from Del Monte than Dr. No if given enough notice.

Author: Bruce Hallas