5 things to consider for managing your security program, Part 1

In this blog I will try to give my perspective on things. Most of it comes directly from my experience, and I would like to share it with you, even if you have been a manager for a while.

Sometimes you don’t reflect on the road you are following, as you are busy solving daily issues. In this post I will list a number of questions you should ask yourself as a manager in software and security. And yes, I will get down to technical aspects later…



1. Are you sure that upper management is aware that you exist?

It may sound strange, but it is important. In larger organisations it may well be the case that upper management does not really know you are there. If so, how can they act or react? Your manager might be busy explaining other things, so your area is never highlighted, and when it comes to budget your manager will struggle to get resources or money for you. At the end of the day, in this setup nobody in upper management cares whether you leave or stay.

You have to get them to be aware and understand.

It’s up to you to make sure that upper management is aware of your team. They read about issues that are in the press, and they certainly think about them. Normally they have no clue how they should act or what questions they should ask. Help them with that. Invite them to a short seminar, a breakfast information meeting, or whatever works best at your company.


2. What is the company’s goal for your area?

Are there any goals, are they relevant, and what time frame do they cover? If there are no relevant goals, how can you defend your existence when asked?

You have to make sure that the goals are there and are relevant to your company’s business, to the competition, and to what will happen if your company is attacked really hard. I would say that this is the most important thing to get done, even if you have to do it yourself. The goals must be measurable and include metrics and/or KPIs.


3. How do you report what you are doing and to whom?

This is connected closely to the questions above. You must naturally report budget and HR matters to your manager, but what else and to whom?

The less you communicate about what you are doing, the less the company knows, and eventually you are no longer relevant. Do you place information on the intranet? Do you have a dashboard? Do you send short e-mails to important recipients? Make sure you create information about issues (preferably the solved ones), what is going on in the market, General Data Protection Regulation (GDPR) problems, and how you mitigate issues. Are you presenting statistics? Can you show which things are under control and which need more attention? This is how you tell people what you are doing: you can report what progress you are making and what is still missing.


4. What competences do you have access to?

The competence map is really important, as many of the things that have to be done need really competent people. This will be a problem area for you. There will always be fewer people and less budget than you require.

The competence profile must cover not only your team, but also the teams you work with and have access to. Every developer has a competence that might be important to you; do not forget that. You must also consider your manager’s competence and that manager’s management. You must also set goals, both long term and short term, for where you want the company to be. From this you can start acting to get things right. Remember that this is a continuous process that never stops, as people are leaving or changing jobs.


5. Training

By now, having read and thought about the above, you will know that things are lacking. Do not start a huge training programme; that will kill everything else. But…

You need to consider that a lack of security training and information puts companies at risk. Employees must get:

Information, rules to follow, things to check for, what never to do, what always to do, and specific training and follow-up in the area. This is an ongoing process.



Per-Olof Persson

