Guiding the helmsman


Every so often, I find myself working with clients that "get it" - not just the individual people I'm collaborating with, nor even their functions/departments: I'm talking about entire organisations with a cadre of supportive and enthusiastic managers who understand and appreciate the genuine business value of sound information risk management.

It's a real pleasure for me, a welcome relief from the usual slog.

In contrast to those who don't get it, the nature of my involvement as a freelance consultant changes from constantly cajoling, persuading and hopefully convincing them to put in the effort, any effort ... to encouraging them. They provide bags of energy: I simply help them direct it along the most productive outlets, using my experience to lead them swiftly through the maze while avoiding diversions and dead ends.

Instead of having to thrash the poor oarsmen down below, it is as if I'm piloting the galleon, quietly guiding the helmsman at the tiller through the treacherous ocean.

It has got to the point, now, that I consciously avoid assignments that I just know are going to be hard work with little reward. 

Maybe you think I'm getting lazy in my old age. Maybe you find my attitude arrogant and offensive. And maybe you're right. I'm simply expressing an observation here, a personal opinion that stems from 30 years' experience in the field. 

Unless management - particularly senior management - truly understands and appreciates the business value of information risk and security, they are less inclined to embrace it enthusiastically. Other than perhaps approving the infosec budget (or, more likely, some fraction of the requested amount), they prefer to deal with Other More Important Stuff - and that, in a nutshell, is the root of a serious problem. Sound information risk management doesn't just reduce the probability and/or impact of incidents: it also supports and enables the business to do more. It provides assurance, supports conformity and compliance, is demonstrably cost-effective, and frees up management time to push on with that Other More Important Stuff. If a client's senior managers don't appreciate that, I generally find Other Stuff More Important!