The last article in this series explored the top three reasons why group have a tendency to reinvent the wheel (read it here, or the entire series started here). And now, some solutions:

Beyond the frustration caused by an approach that simply recreates the wheel, the result is often a solution that is not trusted and therefore readily cast aside in favor of the next offering. To put a stop to this cycle requires taking a different approach. Success has to be based to fundamentals and sound principles.


How to do it?

A key part of the solution is to enter into deliberate discourse (note: this is a central theme of Into The Breach and a topic I am passionate about). More voices with an opportunity to review, consider and contribute have the potential to lead to a better product. For this to lead to a better product requires a strong leadership team with enough expertise to guide and the skills to help facilitate and negotiate the final result.

Instead of starting with a blank slate, it is a good practice to build on the success of others. When it comes to strategies that protect information, we have plenty of choices – frameworks like ISO 2700x, PCI, FISMA, etc. However, limiting the solution to a narrow set of industry standards may not yield the best results. Sometimes, real progress comes at the intersection of industries (to gain more insight on this approach, consider reading: The Medici Effect) – leveraging how the medical, engineering or other industries have dealt with and handled challenges may bring valuable insight to the effort at hand.

The advantage to building on the validated and transparent work of others is the ability to avoid conjecture and “gut feeling.” This is the challenge: there are few shortcuts to spending the time to outline, think, plan, distill, check, cross-reference. This is an area where transparency really provides a benefit.

When the group of professionals is assembled, here are three steps to harnessing the collective power, building on the wheel (instead of building a new wheel) and reaching a point of success:


1. Capture and distill frameworks (or solutions)

Start by presenting a model to work from, based on an existing solution. In general, individuals and groups struggle to create but excel at editing and revising. With this in mind, selecting an initial framework or set of solutions to present to the group acts as a strawman []. This has the added benefit of allowing people to beat on the framework(s) instead of each other.

The frameworks or solutions can either be selected in advance or decided by the team. Allowing the team to decide may provide for more diverse results but requires more time and a stronger facilitator (who possesses deep subject matter expertise). Stronger frameworks and solutions are those that have already been publicly validated and are more transparent. This suggests the “heavy lifting” has already been done and the team can focus on refining and tailoring what already exists from multiple sources into the solution required.

More important that just compiling a list of viable frameworks and solutions is how they are captured and processed. As the elements are suggested, reviewed and documented, look not only for the similarities, but also the distinctions between them. Working to understand why specific elements were either included or excluded may also reveal key insights that aid the development of a stronger solution. Note the intended audience and users of the solution and how it is received. It may be useful to note the level of maturity, too (since that provides some insights).

This process generates a lot of discussion – this is good, and leads to the second point.


2. Capture and distill the running dialogue

More important, perhaps, than the solutions selected in the last step is the running dialogue that occurs as part of the process. Yet few organizations take the time or make the effort to capture that solid gold value.

Ultimately, the discussion – the true process of negotiation and coming to a common understanding – is precisely what allows a group to build the final product. While the discussion is natural, here are three important questions to ask, answer and record during this process:

a. What works — and why?

b. What does not work — and why?

c. How is this applied — and why?

Look for specifics. This is an area where people tend to rely on “truthiness” – which, to a certain extent, may be okay. In the overall discussion, however, guide people back to more concrete grounding by asking more questions to ensure everyone shares a common understanding (which is not necessarily the same as a common opinion!). The next segment will explore the benefit of capturing this conversation and making it available in the future.

As the conversation continues, there is one more step to increase the overall value.

3. Capture and distill references

The value of having experts together in a room is their collective knowledge – informed by experience, training and a vast array of resources. Therefore, it is incredibly valuable to regularly ask this group to cite the references they find of value.

As the discussion rages on (if you have been part of a working group, rage is definitely the right word), asking people to take the time to cite the references that support their assertions returns focus to the fundamentals.

Not only does this improve the overall framework, but this also improves how it is applied and verified (as we will explore in the next sections).


Bottom Line

Bring together a small, tight team that works well together. Welcome as many voices into the process as reasonable. Take the time to distill and overlay what already works.


How this Applies to Trustmark

When Trustmark gets this right, it will essentially be an overlay on the entire industry – explaining where, how and why the different control families and control objectives can be met. This is important, since it allows for additional regulations or efforts to be acceptable without prescribing a set way of working. But whether working on Trustmark or a new process to protect information, following these steps leads to a stronger – and more trustworthy – result.


Up Next: the second challenge facing Trustmark and similar efforts is in how the solution is applied. We examine this challenge with potential solutions before moving on to the final challenge of how the solution is measured and verified.


If you enjoyed reading this article, please take a moment to either subscribe to the RSS feed ( or sign up for free updates by email. Use the buttons below to print this article or share this with friends and colleagues that will benefit from this.

About the Author Michael Santarcangelo

The founder of Security Catalyst, Michael develops exceptional leaders and powerful communicators with the security mindset for success.

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Don't know where to start?

Check out Security Catalyst Office Hours to meet your peers and celebrate the good, help each other, and figure out your best next step. We meet each Friday… and it’s free to attend.