Are You the Party Pooper?
How to upgrade your image with business clients
By Dan Lohrmann
January 23, 2006 — CSO — Kindergarten Cop is one of my favorite movies. I especially like the opening scene where Arnold Schwarzenegger, with guns blazing, breaks into a backroom party full of drugs and booze. After single-handedly disposing of numerous body guards and other bad guys, someone asks, "Who are you?"
"I’m the party pooper!" Arnold guns down a few more people before finding the girl he’s looking for and talking her into identifying a murder suspect.
Awhile back, I learned that many internal customers thought of me as the party pooper. I was the guy who always said, "NO." The Office of Enterprise Security (OES), which I directed, was to be "kept in the dark" if at all possible. When forced to comply with policies and procedures on new projects, business staff were doing the minimum possible to get through "that darn security process." Despite concerted efforts at cracking the whip, my intelligence network was reporting that staff kept going around us.
After doing lunch with several colleagues—including both friends and foes—a few trends started to emerge. "Give us solutions, not problems," was one theme. "You guys are too slow, too inflexible," was another. Security needed a facelift.
OES had a bad name. We were a cost pool. We were a tax. While no one in their right mind wanted to come out and say, "I’m against computer security," actions were speaking louder than words. True, no one wanted to end up in the newspaper as another headline. But otherwise, the business benefits of cybersecurity weren’t real.
I started pondering. How did we get to this point? Our security group was formidable. We built an award-winning strategic security plan, called the Secure Michigan Initiative. We generally followed guidelines from NIST, CERT, SANS and every other cybersecurity best practice we could find. We issued policies, procedures, edicts, threats, advisories, reminder e-mails, etc. We trained people all over the place. We even showed them a large "return on security investment" (ROSI). In short, we followed all the textbook rules.
Now, before I go on, some of you may be thinking...exactly right, security is a necessary evil—just tell them to get over it. Or, maybe you’d rather be feared than liked, and you think CSOs can’t do their job effectively by trying to "win friends and influence people."
Well, over the past 18 months, I’ve learned that there is another way. A way to get your security team invited to those project meetings by business choice, and not just policy mandate. A middle way to keep that hard-earned respect, and at the same time gain wider executive influence. This list may not seem like rocket science, but spending time on these "softer side" activities will definitely help both your personal career and your organization’s security effectiveness.