Wednesday, February 17, 2010

Governance Part 2: Charters, Visions, and Missions

In my Introduction I listed charters, visions, and missions as the documents that state what you’re trying to accomplish when you set out to do security. I’m going to expand on that here.

In information security, a charter is a statement from management to whatever body it is that is tasked with providing and assuring security. It grants authority and mandates performance. This could be from a CEO to a CISO, a CISO to an architecture group, or two parents agreeing that one of them will make sure that the kids aren’t cruising age-inappropriate sites. This agreement might be written or verbal, though in business as a general rule it’s really the sort of thing that should be written down for later reference. Come to think of it, writing down agreements like this probably has significant benefits to one’s domestic tranquility – the time and effort will pay for itself the first time you avoid an argument about whose turn it is to do the dishes. (Yes, doing the dishes is a security task. It mitigates the risk that someone will catch a food-borne illness, the risk that the home will smell unpleasant, and the risk of pest infestation.)

By affirmatively granting specific authority, a charter also sets boundaries around that authority. For example, does the CEO want the CISO to set policies, to advise the CEO regarding which policies to set, or simply to administer and enforce policies the CEO sets? Is the CISO in charge of physical security for the whole enterprise or just the data center? Some places consider building security someone else’s responsibility. Does the CISO’s team run the firewalls, or does a network group handle that while the CISO’s team monitors and responds to incidents?

A well-written charter lays these matters out clearly and affirmatively.

The benefit, of course, is that if you’re providing security, looking at the charter tells you what you do and don’t have to think about. It reduces the chance that a team of highly paid professionals will spin their wheels doing something that could reasonably be considered part of information security but management has decided to organize differently. It lets you show people like me that you're not making it up as you go along when we're auditing your governance controls.

Visions and missions in this context are similar to a charter, but a statement from the group to the enterprise about its intentions rather than a top-down grant and mandate. It lays out what it is you want to accomplish and (at a very high level) how you want to accomplish it. One might describe the relationship between the two by saying that one’s mission is to accomplish one’s vision. An ambitious acquaintance of mine listed in an online mini-biography that he wanted to achieve financial independence by age 40. That’s a vision. One might infer that his mission was to work a series of very highly paid jobs so that he could achieve financial independence by age 40. Or, depending on circumstances, the mission could have been to avoid antagonizing a wealthy and aged relative so as to be favorably remembered in the will. The mission could even have been to maintain a standard of living far below his earnings.

You can see that having both a mission and a vision provides more clarity than having only one. A mission tells you what you’re doing; a vision tells you why. Most people don’t write either down – I haven’t, though my spouse and I discuss both regularly. A shocking number of businesses think they’re done when they’ve written one.

Many people balk at the idea of even formulating a mission or vision for their lives, and I used to be one of them. As I’ve grown, I’ve come to see the benefit of clearer personal strategy, even if I haven’t yet taken the plunge and written it. For example, my vision is to spend as much quality time with my aforementioned spouse as possible; and my mission is to live a life in which I balance work and leisure so that I can achieve that vision.

Consequently, I have a policy not to accept jobs that take me out of my home over a certain number of hours per week – whether it be to the office or to remote locations. But policies are for the next installment in this series.

Have you established your vision and mission? Is there a charter that governs authority in your life? I bet there is, and I’d love to have you talk about it. If they’re too personal to share, how did you come to them? Who were the stakeholders that had to negotiate what went into them? Have you seen a benefit to coming to these agreements, or even writing them down?


bob h. said...

Nicely put.

