• United States



The key to a successful security project

Feb 23, 20154 mins
IT Leadership

A CISO shares his thoughts on what it takes to make a security project successful

Our organization has been named a CSO50 Honoree this year.  I am very proud of our team, both the immediate and extended groups of people that have worked on this project and helped make it successful.  I have been reflecting on the roots of our project and how far we have brought it in a short time and I believe one thing in particular helped more than any other. 

To understand just what that is and why it worked we need to look back a couple of years ago when we were presented with a common challenge; Find a way to make sense of information security data in business context. Really provide useful information that enables decision making, not just for security projects but for the enterprise.

I knew we couldn’t try and deliver operational security metrics and hope they made sense to our audience. They are great for the day to day operations of a team but do little to gather support and enable decision making. Over the past 15 years I have seen many efforts to deliver the best security metrics available fail. Believing “if they only saw the numbers they’d understand” can’t work because those numbers are anxiety drivers. We also had a very practical reason. We couldn’t fit them all in the provided reporting format, which was one line in a balanced scorecard and a few backgrounder slides.

I have also seen many security programs try and adopt the “speak to them in business language” approach, using phrases like ‘Return on Security Investment’ and other jargon that mimics the people they are trying to reach. This is a step in the right direction, we do need common language to communicate but I don’t think it goes quite far enough. Just disguising security the same anxiety drivers in business words eventually leads to the same rejection.

Both of those approaches would have left us trying to get the rest of the business to pay attention to our needs and listen to our problems. It became clear early on that if we wanted to be part of the business rather than always an outsider we had to shift perspectives. If we wanted to be a part of the business we had to make our program deliver like a business.

To do that we adopted a customer centric mindset, against which to measure every opportunity and action we took. It helped us find out how to report information security risk to the business in a way they could use, but also with every relationship we have formed over the course of the project. I expect it will continue to bring us success into the future.

Five little words

Be First and Be Awesome – I am not exactly sure when it first got distilled to those five words. I know it was first delivered as a bit of humor at our weekly team meeting, and often joked about throughout the last couple of years. Eventually it became something that drove new ideas and helped us gauge how to proceed in pretty much every scenario we found ourselves.

Being first held a couple meanings for us. When working with people – be first to understand what they needed and offer them help getting there. This is how we found out what to report on our scorecard line. We simply treated everyone we interacted with like our most valued customer. No matter where in the org chart, or when in the project cycle, we treated relationships like the success of our project depended on it, because it did. Second, when faced with a new idea – could we be the first to do something in our organization, could we lead it somewhere, improve something?

To us ‘be awesome’ meant that whatever we undertook, we would just simply be the very best at delivering that expected outcome. Not just the best given the circumstances, but the best period. That meant we had to often find innovative ways to do things in offset the  constraints common to a small team and budget.

Dealing with reluctance

A CISO must navigate the cynics. No matter how well the above items are done there will always be people who don’t come on board for some time. These people come in different strengths of resistance and take various levels of proof to get them to believe. Don’t waste too much time with the cynics.

Instead get busy being first and awesome and build a portfolio of successes. As the list of grows it will help erode resistance.  Keep everyone up to date, let the word spread.  Any particular success story can be the one to bring another cynic on board. 


Jamie Rees has centered his career on the championing of information security as an industry, as a profession, and as a provider of value to organizations. Using experience from his time in telecommunications, financial services and government organizations to aid risk management decision making via communicating information security to executives in language they understand. Jamie has a track record of explaining the benefits of information security to various level of stakeholder stretching over a decade and a half. Jamie has built a strong base of business-oriented security, delivering balance between risk outlooks and business outcomes; often establishing new positions and award winning programs along the way..

Starting with a strong technical background as a sysadmin and IT instructor, he later moved to leadership roles, documenting and communicating the value of the craft to secure funding for entire programs including the Security Event Management Center and ITGRC programs he currently oversees as Director of Information Assurance & CISO in the Executive Council Office of Province of New Brunswick.

Always looking to share his focus on transforming information security into a business process treated like any other, and establishing trusted relationships as an enabler for stakeholders rather than a roadblock Jamie speaks on various security topics at events ranging from world & national congresses, to regional conferences, and local chapters and has been featured by national news outlets such as the Financial Post.

The opinions expressed in this blog are those of Jamie Rees and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.