Kindergarten Cop is one of my favorite movies. I especially like the opening scene where Arnold Schwarzenegger, with guns blazing, breaks into a backroom party full of drugs and booze. After single-handedly disposing of numerous bodyguards and other bad guys, someone asks, "Who are you?"
"I’m the party pooper!" Arnold guns down a few more people before finding the girl he’s looking for and talking her into identifying a murder suspect.
A while back, I learned that many internal customers thought of me as the party pooper. I was the guy who always said, "NO." The Office of Enterprise Security (OES), which I directed, was to be "kept in the dark" if at all possible. When forced to comply with policies and procedures on new projects, business staff were doing the minimum possible to get through "that darn security process." Despite concerted efforts at cracking the whip, my intelligence network was reporting that staff kept going around us.
After doing lunch with several colleagues—including both friends and foes—a few trends started to emerge. "Give us solutions, not problems," was one theme. "You guys are too slow, too inflexible," was another. Security needed a facelift.
OES had a bad name. We were a cost pool. We were a tax. While no one in their right mind wanted to come out and say, "I’m against computer security," actions were speaking louder than words. True, no one wanted to end up in the newspaper as another headline. But otherwise, the business benefits of cybersecurity weren’t real.
I started pondering. How did we get to this point? Our security group was formidable. We built an award-winning strategic security plan, called the Secure Michigan Initiative. We generally followed guidelines from NIST, CERT, SANS and every other cybersecurity best practice we could find. We issued policies, procedures, edicts, threats, advisories, reminder e-mails, etc. We trained people all over the place. We even showed them a large "return on security investment" (ROSI). In short, we followed all the textbook rules.
Now, before I go on, some of you may be thinking: exactly right, security is a necessary evil—just tell them to get over it. Or maybe you’d rather be feared than liked, and you think CSOs can’t do their job effectively by trying to "win friends and influence people."
Well, over the past 18 months, I’ve learned that there is another way. A way to get your security team invited to those project meetings by business choice, and not just policy mandate. A middle way to keep that hard-earned respect, and at the same time gain wider executive influence. This list may not seem like rocket science, but spending time on these "softer side" activities will definitely help both your personal career and your organization’s security effectiveness.
- Relationships, Relationships, Relationships: Take key business partners out to lunch and listen to their priorities. The "CSO stereotype" is that we only focus on compliance issues at project meetings. We give out lists of Dos & Don’ts. By looking deeper at business needs, we can be more customer-focused and help clients solve their problems. Remember who’s paying the bills.
- Don’t Stay in the Box: Regardless of the organization we’re in, our security role has a box placed around it. Break out of the box. Look more broadly at the organization to see if you can increase your organizational value by joining or helping steering committees, user groups or other key project oversight boards. If opportunities are not available locally, look enterprise-wide.
- Under-Commit, Over-Deliver: Information technology projects are notorious for being late and over budget. The security office is often seen as part of the problem. Project managers love to blame late deliverables on "that darn security office" if they can, since that excuse often works in the short term. Over time, this will damage the reputation of the CSO, especially if problems are caused by a lack of planning and coordination and not real risk. What can you do? Agree on metrics for security functions, such as scanning servers for vulnerabilities, and exceed expectations for deliverables.
- Have a Party—Celebrate Success: If you’re known as the party pooper, what better way to change that perception than to throw a party? The tendency for CSOs is to think that we never "arrive," since security is never finished. We always want more, so celebrating success, which is common in most other parts of the business, may not be happening within security offices and projects. Thank teams for their support in reaching key objectives. When you reach a significant deliverable or milestone on a security infrastructure project, bring in a lunch for the entire project team.
One final thought: Sometimes CSOs do still need to be the party pooper. But just like Arnie in Kindergarten Cop, sharpening softer skills can improve your performance.
Dan Lohrmann is Michigan’s Chief Information Security Officer (CISO) and Director of the Office of Enterprise Security.