
Getting to know you.

KingS

I'm back from a new starters' induction day. After six months in the company I was surprised to be invited along, but I'm glad I was. The day took the form of a team exercise where each team had to plan and organise a new, imaginary exhibition (as is the nature of the business I work for), going about the conceptualization, planning, marketing, and sales side of things. At the end of the day there was a presentation and the winning team won a prize.

From my perspective the day was extremely valuable. I got an insight into how the business works that I didn't previously have. This is very important for managing risk because if you don't know and understand the business then it's unlikely that your security plans are going to be in its best interests.

This is also particularly important when trying to articulate the value of security. One of the things we need to avoid doing is basing information security expenditure requests on undefendable financial projections. Instead we need to clearly articulate balanced value propositions and so must know the potential loss impacts we're dealing with and understand them in business terms.

So, a good lesson learnt today. And did my team win? Not quite... but we had fun trying!



About

This page contains a single entry from the blog posted on October 4, 2007 8:45 PM.
