5W-2H is a classical management tool usually used for process improvement. It helps analyze a problem or process holistically and suggest possible solutions. This approach brings in a 360-degree perspective: it doesn't stop at the implementation of a single, pointed solution but treats improvement as a continuous cycle. Let's apply this concept to information security, where such process improvement leads to stronger governance, with the technological aspects inevitably falling in line.
Consider the situation of an Enterprise Vulnerability Management (EVM) program to be implemented in an organization, and let's see how the 5W-2H tool enables us to connect the dots and formulate a plan of action.
Why: The need for an EVM program, whether it is a compliance requirement, a business differentiator or a process enabler that brings tangible or intangible benefits. Clarity on this question facilitates top management's approval, support and funding.
Who: The question of who the stakeholders will be. We need to understand who should drive this initiative, and whether external experts or internal consultants should implement and run the program. The answer helps us channel the effort and find the right SMEs to initiate and institutionalize it.
Where: This dimension clarifies which element(s) need to be considered as part of the EVM program. Should we start with applications (web/mobile), with network infrastructure elements, or with putting process governance in place? This helps us narrow down the exact scope of work and take up the program through phase-wise prioritization.
When: One needs to decide when an EVM program should be established. Is it during the initial stages of the SDLC, during operations/maintenance, or after the first roll-out, when the project's success or failure becomes known? Depending on this choice, the program will be either a proactive initiative or a reactive one.
What: The EVM cycle can consist of various activities knitted together into a larger program, depending on the magnitude of the overall solution. It can start with a solution risk assessment, proceed to periodic security testing of applications and network infrastructure, and then extend to continuous monitoring and reporting.
How: How the organization will take up this program and how the EVM cycle will be established is the outcome of this dimension. It can be handled in-house by internal consultants or outsourced to external SMEs from other organizations, and it can be run in phases or as a continuous cycle.
How much: The costs and investments for this program need to be worked out so that top management can apportion the budget. We need to carve out the exact scope of work and the timelines in order to estimate the effort and costs accordingly.
This 5W-2H exercise will be the deciding factor in picking and choosing among the various security activities to be implemented as part of the overall EVM program, so as to achieve the best possible security posture proportional to the money spent.
Views by Dinesh Sawrirajan