Ask the Right Question to Build your Information Security Program

How are we going to do this?

As leaders in the banking industry, we often find ourselves saying those exact words. We want to be self-reliant—and why not? We’ve gotten where we are today by solving problems with our own ingenuity. It’s why our customers trust us—we know how to get things done.

But what if that mentality is holding us back? What if we need to be asking a different question?

I recently read a book by Dan Sullivan and Dr. Benjamin Hardy titled "Who Not How”. The book describes a mindset shift in approaching problems and situations. The authors suggest that instead of asking HOW we ask WHO.

Specifically:

Who do I already know that can help me with this?

Who do I need to seek out that already has the “how” taken care of? 

This book was great for me because I’m very independent in the way I go about solving problems and building my own business. And I know that most community banks embody this same approach. We’re the type of people that “just get stuff done”. We don’t waste time, we roll up our sleeves and get to work.

In many cases, this is a great thing. And it’s the reason why banking is the bedrock of our communities. Because bankers know HOW to solve problems.

But in some circumstances, HOW can be a burden that doesn’t solve our problems, it becomes a hindrance.

When the problem or situation is very specific, requires unique skillsets or knowledge, and outside of our capabilities to solve on our own, HOW becomes crippling. It’s in those situations that we need to ask WHO not HOW.

Here are 5 tell-tale signs that it might be time to ask WHO:

1. Uncertainty
2. Procrastination
3. Stagnation
4. Frustration
5. Fatigue

Those feelings come from not knowing HOW to solve a problem or reach a goal. They can become very demoralizing to a team.

So, how does this apply to information security?

Information security can be a complicated problem to solve, and the questions begin to sound like this:

How can we properly identify vendor risk?

How do we create effective policies that aren’t so complicated?

How do we secure new technologies?

How do we satisfy increasing regulatory pressure on IT?

How do we communicate all of this to the board clearly?

Without the WHO to build and maintain a program commensurate with the size and complexity of the organization, asking HOW can be very daunting.

So, rather than asking HOW do we build and maintain the program, the question becomes:

Do we have the WHO(S) to be successful?

It can be a difficult conversation, but it’s necessary. In my experience in business, the real work starts when we ask ourselves the difficult questions. Without them, you never reach the goals and maturity level you are seeking.

Once you ask that question, there are generally 3 answers:

1. “Yes.”
   If this is truly the answer, then begin immediately to get that person involved in solving the problem.
   
   
2. “No, but we know who we need to hire.”
   In this case, clearly document the needs and priorities of the position/individual and begin your search.
   
   
3. “We need to partner with a vendor or service provider.”
   When it comes to Information Security, the skills required to build and maintain a comprehensive program at the executive level can be hard to find. That’s why some institutions attempt answers 1 & 2 first before realizing that #3 is their real situation.

That brings me to the conversations we often hear when talking to banks for the first time. They’ll generally describe their situation using one or more of the following words:

1. Uncertainty
2. Procrastination
3. Stagnation
4. Frustration
5. Fatigue

And they ask, "Can you help us?"

At that point, they’ve decided to stop asking HOW and start asking WHO. They’ve come to the realization that an outside partner is their best option for finding that WHO.

I’ve seen with my own eyes and experienced the feedback from those banks when they realized that the right WHO makes all the difference. Instead of uncertainty, procrastination, stagnation, frustration, and fatigue, they start using words like:

1. Confidence
2. Progress
3. Action
4. Satisfaction
5. Energy

So, while this sounds like a plug for vCISO Services, specifically my company Bedel Security, I promise it’s not. Instead, if you want to build your bank’s Information Security Program, I urge you to stop asking HOW and start asking WHO.