Creating a results oriented culture

Creating a Results Oriented Culture
Jack D. Nichelson
Director of Infrastructure & Security
Chart Industries
April 26, 2017
@Jack0LopeJack@Nichelson.net

ACKNOWLEDGEMENTS
 Steve Holt, CIO - Chart Industries
 Craig Shular, CEO - GrafTech
 David Hilmer, VP & CIO - Graftech
 Erick Asmussen, VP & CFO - Graftech
 John Kocsis, Dir. IS Ops - Swagelok
 Jason Middaugh, Dir. Infrastructure - Cliffs
 Chris Clymer, Dir. Info Sec - MRK
 Matt Neely, Threat Manager - Progressive
 Bob Kemp, CISO - TA
 Chris Prewitt, VP Advisory Services - TrustedSec
 Ed Pollock, CISO - STERIS
“When the student is ready the master will appear”

JACK NICHELSON
 Director of Infrastructure & Security for Chart Industries.
 Executive MBA from Baldwin-Wallace University
 Recognized as one of the “People Who Made a Difference
in Security” by the SANS Institute and Received the
CSO50 award for connecting security initiatives to
business value.
 Adviser for Baldwin Wallace’s, State winner Collegiate
Cyber Defense Competition (CCDC) team.
I defend my companies competitive advantage
by helping solve business problems through
technology to work faster and safer.
“Solving Problems, is my Passion”

GUT CHECK – TAKE OWNERSHIP
If I just had a better team, I would do better. "Wrong"
If I am a better leader, my team will be better. That is what I had to learn as a
leader and step up to make change happen.
 Be Proactive – Focus on what you can influence
 Begin with the end in mind – Define practical outcomes
 Create a Problem Statement – A goal without a plan is just a wish
 Put first thing first – Plan weekly, act daily
 Chart Performance & Adjust – Shine a light on the problem
“There are no bad teams, only bad leaders.” - Jocko Willink

GOOD ADVICE
The most important person for you to manage effectively is yourself. To grow
personally and professionally you need to know yourself before you can help
others.
“Think about how you can simplify security –
make it easy – and focus on the basics.” - Dave Kennedy
Recommendations:
 Take a step back and read “REWORK”
 Remove complexity – Start small
 Start at the epicenter, on what won’t change
 Focus on fewer problems that provide bigger returns
 Build an audience
 Keep score & publish it (Good or Bad)

KNOW YOUR STAKEHOLDERS
To make stuff that matters, you have to know what matters so work on
solving the right problems.
Effective managers take the time to identify stakeholders and know their pain points.
 Security is about a lot more than just you
 You are taking actions to protect assets in the
stewardship of others
 You are making choices which will impact the ways
those around you conduct their business
“No one cares what you know until you show them
how much you care”

CUSTOMER SERVICE
We often focus on the problem and forget about the customer. They will
forget the problem you solved before they forget how you made them feel.
“The day people stop bringing you their problems is the day you have
stopped leading them” - Colin Powell
 Security is a support role…your job is to help others
safely do the things that make your organization
productive
 You cannot do this job without help
 Your employees are not subjects for you to dictate
rules to…they are your customers
 If you treat them well, they will be your “army of human
sensors”, bringing you all kinds of useful intel, and
helping to enforce policies you've developed to protect
them

JUST SAY MAYBE
Effective leadership requires collaboration and empathy for the other person.
It’s OK to be uncomfortable with the results
 Security has often been the Department of “No”
 Taking a hard stance as a “cyber policeman” can
seem to work…until you become perceived as an
obstacle
 If you are an obstacle, process will begin to be routed
around you

BE PROACTIVE
Change starts from within, so you have to make the decision to focus
on the things you can influence rather than reacting to the things
outside of your control.
Manage Yourself:
 Where and how are you spending your time & energy throughout the day?
 Make a list of the things that concern you and things you can Influence.
Ask yourself these 3 questions every day:
 Did I do my best to spend my time on things I can influence?
 Did I do my best to set and communicate clear goals?
 Did I do my best to make progress toward goal achievement?
“The 1st metric you need to track is yourself”

CONCERN VS. INFLUENCE
Hackers Organized Crime State Sponsored
Higher Difficulty
~10% of incidents
Security Risks
• Advanced Persistent Threat
• Zero Day Attacks
• The Insider Threat
• BYOD
• Mobile Malware
• The “Cloud”
Lower Difficulty
~90% of incidents
• Missing Patches
• Lost & Stolen Devices
• Local Admin Right’s
• Phishing
• Poor Passwords
• MalwareVerizon's 2013 Data Breach Investigations Report (DBIR)

BEGIN WITH THE END IN MIND
If your ladder is not leaning against the right wall, every step you take gets
you to the wrong place faster.
“Try Not to Become a Success. Rather Become a Person of Value.”
First, do you know what “good” looks like?
 Break down the area you have influence over into functional parts
that you and the stockholders can score and rank.
 Now that you have an agreed upon heatmap of your current
state, set short term and long term goals.

PROBLEM STATEMENT
The Problem Statement significantly clarifies the current situation by
specifically identifying the problem and its severity, likelihood, and impact. It
also serves as a great communication tool, helping to get buy-in and support
from others.
“A problem well stated is a problem half-solved.” — Charles Kettering
Build & Execute plans to drive for results & share
successes
 Invest more time in project planning and due diligence; time spent
defining the problem is NEVER time wasted.
 Write a Project Charter, clearly state the scope, objectives,
participants, and success measurements.
 Create a Work Breakdown Structure to graphically represent the
project scope, broken down in successive chunks with defined
deliverables.

PUT FIRST THINGS FIRST
Focus on the important, not just the urgent. The urgent are not that important,
and the important are never urgent.
“Effectiveness requires the integrity to act on your priorities”
Tips for taking back control of your time:
 Stop saying Yes, When you want to say No.
 Scheduled your own time with purpose & defend it!
 Don’t be afraid to close your email and turn off your phone

CHART PERFORMANCE & ADJUST
Gemba (現場) is a Japanese term referring to the place where value is created.
The idea of Gemba is that the problems are visible, and the best improvement
ideas will come from going to the Gemba.
“Good security is not something you have, it’s something you do” - Wendy Nather

SUMMARY – TAKE OWNERSHIP
If I just had a better team, I would do better. "Wrong"
If I am a better leader, my team will be better. That is what I had to learn as a
leader and step up to make happen.
 Be Proactive – Focus on what you can influence
 Begin with the end in mind – Define practical outcomes
 Create a Problem Statement – A goal without a plan is just a wish
 Put first thing first – Plan weekly, act daily
 Chart Performance & Adjust – Shine a light on the problem
“There are no bad teams, only bad leaders.” - Jocko Willink

BOOK REFERENCES
Work Smarter and More Easily by "Sharpening Your Axe"”
 The Five Dysfunction of a Team – Patrick Lencioni
 Leading Change – John Kotter
 The 7 Habits of Highly Effective People – Dr. Covey
 The 1 Minute Manager – Ken Blanchard
 Extreme Ownership – Jocko Willink
 The Phoenix Project – Gene Kim
 What got you Here won’t get you There – Gooldsmith
 Leaders Eat Last – Simon Sinek
 The Ideal Team Player – Patrick Lencioni
 Death by Meeting – Patrick Lencioni

THANK YOU
Jack D. Nichelson
Director of Infrastructure & Security
Chart Industries
April 26, 2017

NETWORK
 No time like the present to put your soft skills to work
 Say hi to your neighbor…how can you help each other?

APPENDIX

VISUALIZATION: MULTI-LAYERED DEFENSE

Creating a results oriented culture

HOW TO BUILD A SQDC BOARD
 Key Performance Indicators – Good data can tell a story
 Predictive Analysis – Your board should help prevent future issues
 Keep the data fresh and useful, address items as quick as possible
using LEAN tools and once addressed remove them from the board.

GEMBA BOARD: SECURITY
“We measure things that matter”
Example Metrics:
 # of systems not monitored & tracked in inventory by
Location or LoB
 # Top Vulnerabilities by Location or LoB
 # of Legacy Systems by Location or LoB
 # of Users with Local Admin & Accounts with Domain
Admin
 # of Total Security Incidences by Location or LoB
 # of Past Due Security Awareness Training by Location or
LoB
Security - The current security posture at a glance

GEMBA BOARD: QUALITY
Example Metrics:
 # of Servers & Workstation missing OS & App patches
(30 day SLA)
 # of infections/Re-Images tickets (3 day SLA)
 # of Security Event tickets (5 day SLA)
 # of Security Request tickets (15 days SAL)
 Cause Mapping Analysis to find root cause of problems
Quality – Results for SLA goals
of events & requests

GEMBA BOARD: DELIVERY
Delivery – Active Projects & Audits at a glance
Example Metrics:
 Active Projects Status
 Active Audit Status
 Remediation Progress by Location or LoB
 On-Site Awareness Training by Location

GEMBA BOARD: COST
Cost – P&L at a glance
Example Metrics:
 Operating budget spending plan (OPEX & CAPEX)
 ROIC Qualitatively Rating of Perceived Value
 Support Agreements Costs & Renew dates
 Consultant Support Agreements Costs & Renew dates
 Running total of cost savings

GEMBA BOARD: PEOPLE
People – Skills matrix at a glance
Example Metrics:
 Skills Matrix of everyone in Security
 Training and development plans
 On-Call & Vacation Schedules
 Awards

VISUALIZATION TECHNIQUES: THE HEATMAP
Impact
Low No threat to core business function impact
Medium
Threat to core business function impact, but
has not occurred yet. i.e. ERP system is down
but have not yet missed orders
High
Immediate impact to core business functions.
i.e. products cannot be shipped, or core IP is
lost.
Likelihood
Low Happens once every 10 years, or less
Medium Happens once every 1 to 10 years
High Happens once or more a year
• Develop “Likelihood” to fit your org
• Develop “Impact” to fit your org”
• Score potential risks “high”,
“medium”, or “low” for each
• Map results to the heatmap

VISUALIZATION TECHNIQUES: RISK REGISTER

VISUALIZATION TECHNIQUES: THE SCORECARD

VISUALIZATION TECHNIQUES: THE SCORECARD
 Captures day-to-day operations in security
 One-page roll-up that can be presented to CIO, or used internally
 “Operations” section captures work being done: creating firewall rules,
patching systems, conducting awareness events
 The “Risk” section captures visibility into risk at the organization.
Number of scans, open vulnerabilities
 To the far right is the legend explaining the thresholds for each item

Creating a results oriented culture

More Related Content

What's hot (20)

Similar to Creating a results oriented culture (20)

More from Jack Nichelson (7)

Recently uploaded (20)

Creating a results oriented culture

Editor's Notes