Our agile journey towards a fancy ISMS - Part 2

We, Avisi, have started an agile journey. A journey with one destination: a fancy ISMS for Avisi. I gladly take you along on our trip, by blogging about the adventures we've been through. So fasten your seatbelt, we will travel through a roadmap to remember.

Elaborating on our trip

In my previous post I explained why we choose to go on this trip together. Now, a few weeks later, I made some new discoveries which I would like to share with you. The main discovery is that I have to 'exploit' my planning skills. What activities do we encounter along the way? Are they sequential or can some be done parallel to each other? What are our milestones and what and who do we need to achieve them? Having a preliminary long term planning allows you to indicate certainties into your project, which in turn brings trust and grip. Share your planning and don't panic when planning changes, because that's what plannings do. The important aspect of change in planning is to emphasize that milestones will move as well. When that movement is acceptable and everyone agrees, there is nothing to panic about.

We have also elaborated on how we are going to approach our journey: from beginning to end or rather step by step? We chose the latter. As we have agile blood running through our vains, we believe in change and more important, we believe in new insights as we travel. Thus, we have chopped our project into several phases. Phase 1 contains activities like scoping of our company, executing a risk analysis, and determining our baseline for the purpose of polishing our security, where necessary.

Packing our bags

Time has come to pack our bags. What do we need to successfully complete the first phase? We need time: from management, from employees and from experts in ISMS implementations. We use these moments to collect information about our strategy and how that relates to current workflows, to determine what security measures we already take into account and what aspects we can polish to improve ourself. We also use our time to write down all acquired and required information to ultimately come up with our baseline. This baseline will be our starting point in our journey to a fancy ISMS. Lastly, we need financial resources to enable external expertise and to cover the internal efforts. So, we're bringing time, information and financial resources in order to pack our bags with all necessities to take Avisi's information security to a higher level.

As said, we need some expert fellow travelers to show us the hotspots, but also the unsafe areas along our journey. In my previous post I mentioned that we have invited several consultants. In advance we made a list with criteria, which the consultancy firms had to live up to. During the first meetings I asked each consultant kind of the same questions. I listened carefully to what they had to say and whether their philosophy fits ours.

Some things I liked in presentations of consultants:

• Bringing concept action plans
• Taking time for the first meeting
• Asking a lot of questions about Avisi, what we do, and our culture
• Giving 'free' advice about questions I had afterwards
• Well specified and clear proposals

Some things I disliked in their presentations:

• Sales tactics like "We are the cheapest". I am not looking for cheap, I am looking for security experts with a shared mindset to commonly find the best way in increasing Avisi's information security.
• Being fuzzy or hurried when talking about price tags. It's okay that quality requires a certain quantity of financial resources. When being fuzzy when things get serious, you really make me wonder whether your prices are fair.
• Saying you are an information security specialist, but behaving unlike one.
• Proposals with language errors. Yes, I am a language purist.

Eventually, all meetings and additional contacts through the phone brought us to a shortlist of potential matches. I enumerated these findings to enable decision-making in collaboration with our management and we succeeded in choosing our fellow traveler. The second milestone has been reached. Hip Hip Hooray!

Lunch meeting

Our bags are packed now. We know what to do and what we need for the next phase. But wait, does everybody else at Avisi know the same as we do? No, not yet. This journey can only become a success when we have commitment of management, but it also requires commitment and understanding of all employees, including me. Each one can not live without the other. That's why I am planning a lunch meeting to involve my colleagues, inform them, and give them the opportunity to speak out. I will tell you more about this first step in creating awareness next time. Otherwise this post would spoil the fun ;)

Lessons learned

What did I learn the past couple of weeks? These are my tips for you:

• Make process appointments: I have agreed with members of the management team who I report to, when to report, and what approach we follow.
• Plan sprint demos: every two weeks I share my findings from the past sprint during a demo. A great advantage of sprint demos is that it allows me to structure all that is accomplished past sprint and it allows me to gain better insight into the next steps. In preparation to these demos I invite some regular guests, but I always invite someone 'new' from another team. Main reason for inviting new guests is informing my colleagues about what I am working on and how that might (or might not) affect them. I choose a guest based on the topics covered in my sprint demo, to ensure that it's interesting for him or her as well.
• Build in a safety boundary when you say you'll get back to someone about something. Several times now I had to tell some people that I needed more time. Not a fashionable thing to do and only brings time pressure.
• Call references of the consulting parties you have invited. It's great to hear about success stories and it allows you to ask for common pitfalls which we should avoid.

These were my tips for now, which is also the closure of this second post. Thanks for joining and until next time!

Did this post on our agile journey make you hungry for more or would you like to share your story with me? Please keep up with this blog or feel free to contact me. I would be happy to talk to you.

This is part 2 of the series. Below you can navigate to the other parts:

• Part 1
• Part 2 -IOS
• Part 3
• Part 4