
good morning everybody uh very excited to be here today talk to you about governance I understand this is probably the most boring topic that you wanted to come out and see today uh due to the schedule changes you might have thought you walked into a different uh meeting but either way you're here now we're going to have some fun it's not going to be boring uh so who I am so I'm James I'm an instructor at the Cyber Center of Excellence currently I've been doing specifically cyber security since 2015 doing both offense and defense uh some of the work roles that I've had I've been working in IT uh information Tech information security for about 20
years and then a couple of uh a couple of my certificates so you can see them I'm allowed to actually be up here in front of you today so our agendas today we're going to do a quick overview of governance and talk about the culture and culture changes that are necessary in order to embrace this governance culture we'll talk about a couple of Frameworks really quickly we'll get into some policy and then some questions so just to make it clear the boring stuff is labeled obviously this is actually the fun stuff okay this is actually going to be fun today so keep an open mind ah so who cares about governance and policy well everybody does you just might not
know that you care about it yet hey we got one hand I like that so administrators so I've met if maybe if I had a dime for every administrator that I've met who complained about I don't have the tools and the resources to do whatever or they require me to do these other things that aren't really what I want to do I mean I would have like a lot more money than I have now I'd probably still be here talking though so managers so managers whenever they don't have proper governance items in place they can't understand why their people aren't doing whatever it is they want them to be doing the analysts I mean they can't
understand why the manager can't understand anything right but uh that's where we are everyone else so all the executives the lawyers uh Auditors all the people that care about your bottom line right they really care about how you govern your organization why you should care about it I mean whenever you have effective governance effective policies in place you can get back to work and you can do those things you actually like to do and job satisfaction I mean whenever you have a policy or some kind of government document that you can point to and say this is exactly why I'm doing what I'm doing this is how it's helping my organization I mean you can feel really
good about the work that you're doing and you can prove it because you can point to it all right so here's your 30 second nap we're going to talk a little bit about these uh definitions here because if I didn't I might get in trouble so governance so here's a whole lot of words about it um so really it just gets down to saying that you're doing what you must do and you're doing it in a way that's agreeable to everybody so some of the key documents that we'll talk about say your corporate vision mission and strategy who can tell me a difference between a vision and a mission is there a difference let's start with
that is there a difference between a vision and a mission
okay and then how we're going to get there to find the mission okay
good yeah yeah so so they're both future oriented since you uh since you raised your hand there you get the uh you get the first prize of the day so as we're talking about Vision right we're talking very long term so we're talking five to twenty years whenever you talk about a mission statement you're just talking about the next year all right so your mission is going to be your next year these are the things that our company's going to do your vision is where we plan to be five to 20 years from now strategy is just how you're going to get there so standards and law so these things again requirements so these can be
International standards you're going to have different laws depending on what industry you're in policies this can be the fun one we talk about today again this is a mandate for you you have to adhere to policies guidelines these are the things that help you achieve those standards laws and policies so they're not necessarily mandated but there's a lot of good ideas in there they're going to help you to implement what you need to in your your organization to adhere to all these other things and then you have things like procedures your uh your TTPs things like that so those are the things that actually tell you how to do your task so governance as a culture so
it takes time to change culture it takes time to actually embrace you know what it is and what you've got to do to get there but whenever you have it it's going to help so I mean I get it we're all busy enough uh we're going to walk through today you're going to see it's actually not that hard uh to enable some uh some good policy in your organization so yes you are busy this is going to free up some of your time as long as you do it right so it has to be supported at all levels so how do you get people to care about it I mean you've got to find some way to
appeal to your boss or whoever's going to sign it and you have to get your peer reviews and then that way you know everybody's on the same page and everybody's sure that you're going to be happy with the outcome and then discipline is required right so you can't write some policy if nobody's going to back it up so here's where you really need that top-down buy-in so Frameworks uh so here's a bunch of Frameworks how many people in here have studied for a certification exam probably the whole room all right so we've all seen these we all know these are incredibly dull so we're going to move on so policy is the Easy Button uh so what we need here
is we're going to think about a bottom-up approach so all the different certifications we study for say policy needs to be top down problem is top doesn't always understand down I mean how are they supposed to make a policy for us if they don't understand what it is we do day-to-day and what we truly care about so we need to find a way in this bottom-up approach to feed that policy up high get them to sign it and then that way we can have what we want and I mean yeah so think about it right if management needs paperwork they need slides they need memos and all these other things because that's what gives them their job satisfaction it proves
their boss that they've done something so we need to feed them the paperwork so that they're happy uh and paperwork really isn't that hard I mean it may seem hard at first and a lot of people I mean we sit down and kind of get like a writer's block and you're like oh I really don't know what I want to say here so we'll walk through that but it's really not that hard so so if you could just take a second close your eyes and think about a manager that you've had in the past so so not not the really good manager that you've had in the past think about the manager that you had you couldn't
believe got dressed every day and showed up to work on time that's the manager I want you to think about and I open your eyes realize that person wrote paperwork I mean if they could do it you've got to be able to do it way better so our steps to get there so we're going to define the problem like every other process right we're going to start by defining the problem so think about a time you want to see your little water cooler conversation and somebody was standing there and they're telling you all about how you know this thing at work is really crappy and I know I could do it way better by doing this
I mean that's really easy and that's actually the first two steps so we're going to define the problem and imagine the ideal solution to that problem
so as we Define that solution I mean just sit back think about whatever it is it doesn't have to be realistic at this point so we know there's a problem and we know that something we want to fix so grab your coffee your monster and your Cheetos and a beanbag chair and sit back and think about how great your life could be if only you could enact this policy for a day write down your thoughts so if you're a doodler start doodling if you like diagrams start making diagrams if you like writing just start writing nothing is wrong at this point these are all the things that you want to get you from your problem to your ideal solution so
just spit it all out on paper or on a whiteboard or however you want to do it and get your thoughts down step four just take a rest I mean leave it sit for a day or two think about what it was you wrote down think about it from different perspectives is this really going to get you there is this is this really going to get signed is anybody going to agree with this step five let's get a peer review in there so pass it around to some of your teammates and see is this good is this actually going to work for our company is this actually going to work for me is this going to get me the time that I
want to be able to get back on keyboard and stop writing these policies and step six so we need to get a signature we don't need your signature right we want to get your boss's boss's signature we got to go up a couple of levels then that way you have some kind of top cover to say I am allowed to do this today because this policy from your boss says I can so step one we're going to define the problem so I just want to ask uh everybody here and give me a couple of ideas what's something that happens in your work week that you feel is a waste of time I mean we got some Chuckles somebody
give me something driving meetings hey look at that you get the second gift I love it thanks so meetings suck the soul from my life that's the problem I mean everybody has been in that situation walking down the hallway and here comes the Grim Reaper probably your boss and says I want you to be in this meeting great here goes the next hour of my life so my ideal solution so this is my Utopia so I get to plan it however I want probably going to be on a beach somewhere not sitting in that meeting probably going to have an awesome desk like this thing it's gonna be so cool let me banging out all kind of code and
programs and scripts to make my life so much easier so I don't have to go to that meeting anymore so this is where I want to get to start writing about it so in this exercise uh you can see autocorrect got a little angry at me but uh this is just one of the methods of brainstorming where you just sit down and you just start typing you might give yourself a five minute time limit time limit you give yourself a 10 minute time limit you start doodling your pictures it doesn't matter but the point is just to get all your thoughts down as I work through this exercise and I'm thinking about it right down somewhere in here
oh they can set that one meeting I actually have something to talk about so I you know describe my Utopia you can see I really need that chair that's written in there a couple of times but I describe my Utopia to frame that problem I considered you know all solutions right you can see me kind of banter about uh probably get sand on my keyboard that's probably not going to work too good uh so I've thought about this thing a little bit and and I thought yeah you know what there is one meeting I should probably go to so this is just a method that you can use I mean again like I said you can
draw it up however you like but make sure you write it down diagram it draw a picture step four we're just going to take a break I mean we're in Augusta right so we're gonna go hit the golf course so during this time just reflect on it did you actually think about it is anybody actually going to sign it uh what are your peers going to think about it so start to formulate it into something a little more coherent than the last bit of gibberish I had up there and we'll move into step five where we get a peer review so what you think bro says me bro says well it turns out you forgot
something really important I mean you kind of talked about you had this meeting but you didn't really Define it very well so make sure you incorporate that into your your policy here so now we get closer to what our policy is going to be very simple policy doesn't have to be big just needs to be clear it needs to be communicated clearly it needs to demonstrate exactly what it is you want and uh that makes it effective right so in this uh so we have I just picked Windows systems analyst for an example they're going to attend the weekly sync that they actually care about uh and if you want to get them to do
something else well then you have to talk to the department lead so let me tell you the best part about policy this is the policy we want so if you notice that second little line there that probably leads us to another policy because there's going to have to be some kind of process and policy procedure to request us at a meeting from the Department lead don't write that policy step six or signature mm-hmm so we put this thing onto the fancy official looking letterhead put a date on it again we defined in here what exactly we want to do everything we don't want to do now we've got to struggle to get somebody to sign this thing
so we're working to get the Big Kahuna how we're going to achieve this is we're going to take some kind of example that proves that this policy is valuable to them and the company so in this situation I've decided I'm going to go to the Big Kahuna and say listen if you sign this policy we're going to gain 39 work hours per week per analyst by not sitting in meetings signed so as long as you can appeal to them then you'll be good to go
some reviews so we went through a quick scenario we talked about policy we talked about how to create a policy how easy it can be to get from you know nothing at all in a bad situation where you're sitting in meetings all the time to get to your ideal situation where you no longer have to be in meetings and it's not that hard I mean again like we talked about paperwork isn't difficult uh it's just you've actually got to you know do a little bit of work and get somebody to sign it I know your life would be better uh so we Define the problem uh imagine that ideal situation write down your thoughts about it and
that's where you just vomit everything out it's going to be okay give it a rest and start cleaning it up pass it around to your peers and then get that signature so what are your questions on policy or what else would you like to talk about yes
right so yeah so so is uh whether or not policy has an expiration date so you could write a policy that says it expires in a year right but ideally uh so in my opinion I think every year everything should be reviewed because if you show up to a new organization and you're a brand new person and you take a look at your policies and these policies are two three years old especially if you're talking cyber security anything that's two or three years old in cyber security might as well be from the 90s or something right it's archaic so really I mean as you can see in this example not much is going to change in that year to
year so you know just go through there change the date take it back to the Big Kahuna and be like hey this is the same policy from last year I changed the date can you get us a new signature and keep it fresh and that way as you have people onboarding it's still it's still fresh right yes so how do you when you're dealing with larger organizations you have multiple stake different organizations what are some approaches you would take to try and get everybody on board your Insurance trained to actually try and make things work yeah so larger organizations can actually kind of be beneficial in this situation because in a larger organization you have even more
systems analysts and you probably have different segments and teams of systems analysts so if you can get all the systems analysts to agree and take a you know again this peer review comes in you've got to take it serious whenever these things come around give your input because that's your your peer uh validation to that so as you have this larger organization now maybe you have two or three hundred people kind of like uh co-signers on this thing saying like yes we agree to this and we need this well now the boss is forced with a decision that's going to affect 200 people if they don't sign this policy is going to negatively affect those 200 people so you actually
have power in numbers in that in that thing but yeah so you have to kind of work I mean again like you said you have more people more personalities and that's where your policy may start as simple as this one was and then it starts to grow legs and it starts to get a little crazy on you but try to keep it back to the to ensure that it's defining that core problem that you defined and as long as you're still meeting that objective and you're you're getting rid of the stuff that you didn't want then now you'll be good yeah the questions we have I'm sorry so that's where we need the top down
approach right so and it depends on your organization uh you know by by not adhering to policy you can be fired right but things like this probably wouldn't be so drastic but you should have some kind of formal review with your teammates at some time during their careers to explain to them like hey here's some things that you're not doing so well and you can also look for positive reinforcements so we don't always need negative reinforcement for things so look for ways to positively reinforce it right so maybe it's your company meetings you know you get an extra little 50 bump in your paycheck or something like that some kind of little bonus or a cake or Donuts that day
because people are doing well and adhering to the things that you want them to so you know through positive reinforcement you can get people to do what you want them to do but they actually want to do it yes
so I mean really in this example in the bottom-up approach doesn't matter to you if it matters to you then it's worth writing I mean if it's going to save you from a couple of meetings I mean I would love to write a bunch of these and save myself from a ton of meetings right but um whatever the work activity is so I mean if it's already in your position description or something well then you're not going to be able to to negate that through a policy but if it's something that you know it's taking your time it's kind of outside of your realm it's not in your position description well then write a policy right so so
it's not only just to get out of work though but it could be silly stuff whereas you know I really need people to follow these procedures and these TTPs that I've written but nobody wants to follow them right and now they're going through they're administering your systems and they're not doing it the way you want them to so you define that in a policy and then that way you know it's like hey it's here you being a member of this organization you must adhere to this policy and this policy says you need to follow all these procedures so that's another you know way that you would determine yes this is something worth writing yes
yeah so so trying to get rid of a policy and so I'm crazy about this I read everything I really do so whenever I join a new organization I find all those policies and I look at them and it's like hey this one's a little weird and a lot of times going back to her question here earlier how long is a policy good for a lot of times you're going to find these policies and they've been hanging on a board for a couple of years and you know they're still there but they're stale so nobody's actually passionate about it anymore whoever signed that policy has moved on and in that case it can be really easy I mean it's just draw
attention to the fact that like hey we have this thing it's stale it doesn't apply anymore um you know can we can we reword these little bits here um so that's the best case scenario where it's really easy to do other times you might have somebody that's really passionate about it and they had just written it and it's you know hot off the press but that's where you just need to read it and you know find a way to communicate again like in our example if we get rid of this we're going to increase our work hours or we're going to you know increase our efficiency we're going to increase the bottom line so it's just finding a way to
communicate to the person that wrote that policy whatever they're passionate about so you might have to be a little bit personal with them to understand what makes them tick and then as soon as you can find that thing then that gives you the leverage to be able to you know get that seat at the table to explain how you can do it better and why it needs to be changed so
do we have any other questions here okay well I'm going to close up earlier then everybody's going to get to Chick-fil-A a little faster huh so hey thanks for coming out I really enjoyed getting a chance to talk to you hope this helped you out and uh you can go back write some effective policy for yourself and make your life a little easier all right thank you