Patrick Lencioni on Security Leadership: Keep It Simple
Patrick Lencioni is a leading management consultant who has written several books and appeared in the Harvard Business Review. John Hartmann is a leading security practitioner at Cardinal Health. CSO brought these leaders together to tackle the tough questions on a tough problem: effective management in security.
October 07, 2002 — CSO —
Patrick Lencioni? When we asked Cardinal Health's security chief John Hartmann whom he'd like to see us interview, we weren't surprised to see former FBI head Louis Freeh on his list. But we were surprised to see Patrick Lencioni. Turns out Hartmann took five pages of notes while reading The Five Temptations of the CEO, one of Lencioni's books on effective management. What questions would a CSO pose to a management guru? We asked Hartmann to do the interview himself, with CSO Senior Writer Scott Berinato moderating. Excerpts from the conversation follow.
John Hartmann: Patrick, the CSO deals with a slew of issues that aren't easily communicated. You've said that often things aren't necessarily complicated, but people make them complicated.
Patrick Lencioni: Right. People overcomplicate things sometimes because they're overeducated or because they're looking for a silver bullet or a subtle, sleek solution to a problem, when what is really needed is consistent mastering of some simple behaviors over a long period of time. Unfortunately, when it's simple, people sometimes get bored with it, and they think, Well, there must be something more here, which is difficult to prevent from happening. So success is simple, but simplicity is difficult.
The best companies are not the most intellectually sophisticated and complex ones. It's the ones that have the courage to make things simple. Jack Welch, they said, had five major initiatives in 25 years. Most companies have five major initiatives every quarter.
CSO: Is security particularly vulnerable to this overcomplicating? Technically it is quite complicated, even if management of it shouldn't be.
Lencioni: Yes. It's easy to fall prey to the flavor of the day because there's always a new product coming out. But the first place where security is important is in attitude and behavior. I would take a company with a security mentality but slightly outdated technology over one with great technology but not the security attitude.
Hartmann: Developing a consensus across the decentralized organization is a huge challenge for many CSOs.
Lencioni: First of all, I think that consensus on its own is a largely dangerous concept. I don't think that it's usually a good thing. When it comes about naturally that's wonderful, but generally, consensus is a way of ensuring mediocrity. You need conflict, an airing of opinions so that the leader of the organization can make a decision having factored in all of the various ideas and opinions of all the constituencies. But the leader should not try to make a decision that pleases everyone. Consensus is trying to develop a decision that's equally palatable to everyone or, often, equally unpalatable. Consensus fails to meet anyone's desires, but it does so equally, and so it's accepted. And that's how we get mediocrity.