Building Relationships – Administrative Staff

Successful Information Technology teams are guided by a common purpose – to use technology to make business processes and service delivery more efficient and feature rich. Information Security professionals, by extension, succeed when they provide the business with the tools and techniques they need to do their job effectively while reducing risk to confidentiality, integrity, and availability.

Information Security professionals probably have limited interaction with administrative staff, aka personal assistants, executive secretaries and department administrative support. In my experience the ways an Information Security team enables or hinders the administrative staff from doing their jobs creates a companywide perception of how efficient and supportive the security team is to the business. Investing the time to listen to the administrative staff, understand their needs, and educating them, is one important step toward improving your team’s reputation.

1. Develop robust proxy rules – There’s a dirty secret in the executive suite, and it’s called password sharing. Most executives readily share their passwords with their administrators so they can manage their calendars, file expense reports, approve time sheets, and other administrative tasks. Telling the administrators “no” puts them in a position of conflict with their bosses. Telling their bosses “no” will likely fall on deaf ears. Develop the entitlements and rule sets – along with instructions on how to set them up – and then educate the administrators and executives why proxy and “on behalf of” access protects both of them, whether they understand Sarbanes Oxley or not.
2. Create user access subject matter experts – User establishment and entitlement management is supposed to be a management role. In reality, it often falls to the administrative staff to
   set up new users, change user roles, and resolve requests for additional access. Make sure that the responsibility lies with the manager, but give the administrator the tools they need to submit accurate requests for access as well as a clear understanding of standard processing times. Translating Standard Access Definitions into a set of 3-5 roles, the administrator should understand detailed instructions on how to request changes; perhaps arm them with templates to follow to reduce complexity and frustration for the administrators which streamlines the systems administration process as well.
3. Define an escalation process – Administrators know their bosses, and when their bosses ask about a delayed status their next request will be to escalate the task. Give the administrators
   the contact information on whom they should call if a request is stuck in processing, or if they need expedited handling for a sensitive issue. You can’t head off all escalations, but you’ll have done better at creating allies in the executive suite and reduce the number of calls you get on issues that come as surprises. Chances are you can use a few less “fire drills” every week.
4. Encourage communication – Administrators often are among the earliest to know about major organizational changes. Organizational changes usually mean changes in location, role, and
   function. Advanced notice of these changes can help you get at the table in developing the ways these teams will share documents, work papers, and applications. The executive staff may not remember your role when everything goes smoothly, but they will when they start to hear complaints that their new team can’t share documents, access file and print resources, calendars, etc.

Administrators and Information Security are the unsung enablers of the business. They take care of the nitty gritty details required for the business teams to do what they need to each day to service the customer, sell products and services, and maintain the books and records of the business. Providing those administrators with clearly defined, easily repeatable processes (along with a clear means of calling for help when necessary) builds satisfaction and increases a sense of teamwork and cooperation. In addition, when you need access to those team leads and executives to develop support for new initiatives and process changes, you have a ready champion who can help you get coveted calendar space.