In Depth

Patrick Lencioni on Security Leadership: Keep It Simple

Patrick Lencioni is a leading management consultant who has written several books and appeared in the Harvard Business Review. John Hartmann is a leading security practitioner at Cardinal Health. CSO brought these leaders together to tackle the tough questions on a tough problem: effective management in security.

By Scott Berinato


Consensus is particularly bad in security because nobody wins any award for keeping his constituents happy if it means not delivering security. It's like, if you wait until there's consensus

Hartmann: You've waited too long. Let's swap the word consensus for implementing standards.

Lencioni: Yes. Somebody has to dictate the final decision. And the only way to do that is to invite and, in fact, demand conflict up front. Waiting until later is a way to doom an effort. If there's been enough conflict, constituents will accept that decision.

CSO: So John, the CSO will be that person making the final decision after getting a lot of conflicting opinions. And conflict is good here?

Hartmann: It is.

CSO: But that sounds like it invites a new management issue. There will be people who, if the final decision John makes is not to their liking, are going to be put off by that. Others just don't handle conflict well.

Lencioni: Right. What has to precede conflict is the building of trust. When people trust that the other people are not trying to be selfish or hurt someone else, then there's going to be the ability to engage in conflict without it turning personal or vindictive.

Hartmann: And I think the model that I've seen work well before is where you lay your assumptions and your biases out on the table in advance.

Lencioni: Absolutely. I talk about vulnerability-based trust. And that means you're willing to say, OK, I clearly have this bias, this experience, this self-interest. Now, having stated that, let's talk about this and make the right decision.

Hartmann: I know you've written also about building teams. What advice can you give CSOs who often find themselves in a decentralized organization, drawing on skills and opinions of folks from legal, from human resources, from risk management and so forth?

Lencioni: In security, you're dealing with a matrixed environment; you don't have hierarchal authority over people. So it's critical that you build trust up front. That's not going to come through power politics; it's going to come from collaboration. Not necessarily consensus but collaboration.

CSO: Managing up with something like security is hard. The CEO maybe doesn't understand it. The CFO doesn't necessarily want to pay for it. HR doesn't want to recruit for security because it's expensive. How can CSOs manage up?

Lencioni: In an area like security, nothing speaks louder than passion. You have to believe it in your gut. You have to live it. In security (this is probably true for people in the CIA or the police department for that matter) it's not just a job. There's a larger purpose to this, and if you get discouraged by people who don't get it, you're not going to be successful. Now, you have to combine that with some emotional intelligence so that you're presenting it in a way that people understand. But ultimately, good leaders, good CEOs, are going to understand that passion, and you're going to win them over.
