What story are security leaders telling themselves?

Surrounded by negative stories about security, the key to successful leadership is to change the stories we tell ourselves

popup book
Credit: Tom Small

“Welcome to the tech team, Michael. When you do a good job, no one notices. If you screw up, the whole world will come down on you. So don’t screw up.”

That was my greeting at my first job. I think it was meant as a pep talk.

When I share this with audiences and clients, I hear quiet chuckles and see heads nodding in understanding. Did you get a talk like this? Have you given a talk like this?

Recently, I wrote a column that asked security leaders which security story are you telling? I laid out why and how to incorporate 3 basic elements every good story needs to make the connections necessary to advance your security practice.

Good leaders know the importance of crafting and telling the right story.

What happens to the stories we tell when we’re surrounded by negativity? More importantly, what happens to the stories we tell others if they don’t match the stories we tell ourselves?

Awareness: our diet of negative security stories

A scan of the security-focused headlines on any given day are mostly negative. Security is marked more by failures and lapses than by overwhelming successes. Some of it is the nature of our business.

The problem is the headlines and stories present a picture that people are stupid (or the problem), our executives don’t care (or understand), we lack the talent and resources, and we can’t get the funding to fix all the problems we have.  

Each headline that amplifies the failure reinforces these feelings. Over time, we let these concepts take hold -- even when we don’t realize it. We repeat them enough that whether they are true or not, we believe them. More than influencing our thoughts, these negative impressions end up guiding our actions.

It doesn’t have to be this way.

Reality: step back to see how the world is remarkable

On the rough days, when I feel the anger and resentment building, I make a conscious effort to step back. Frequently, I turn off the electronic devices and find a place to sit. Just sit. And watch.

I look around. And I can’t help but be amazed by everything that surrounds me.

The airplanes that fly in the sky. The phone in my pocket that is more powerful than the first computer I ever bought, and a fraction of the price. The tall buildings that withstand hurricanes. Small things, big deals.

All of it remarkable.

We have daily reminders -- easy to overlook -- that people understand and overcome risk. It serves as a great reminder that while sometimes people (as in nameless crowds) are confounding, individuals (each of us) are amazing.

People aren’t stupid. They do care.

While we all deal with some bad apples, most people are good and want to do the right thing. Whatever that is. The challenge is that frequently they - and we - aren’t sure of what the right thing is, let alone how to do it.

It’s a good reminder that we weren’t born with security knowledge. We acquired it. Frequently through the experience of making mistakes -- even when warned about it by others. That’s the way it works.

I don’t know about you, but I wouldn’t trade my experiences for a different path.

Our place in a changing world

A few weeks ago, I hosted an educational session with a former CIO, now chairman of the board of Damballa (disclosure: Damballa hired me to run the series). What stood out from the conversation is the insistence that we stop talking about gaps.

Focusing on gaps suggest we missed something. It signals failure.

For the most part, we don’t have gaps. We face a changing enterprise, shifting technologies, and more determined, disciplined attackers.

What worked in the past -- what got us to where we are now -- might not work in the future. We are at a place where it’s time to change the conversation to build better coalitions. And that’s why the stories we tell (link) are so important.

So what happens if our audience doesn’t believe our stories?

In my experience, it’s more that we don’t believe our own stories… which makes it harder for someone else to believe them. That’s why we need to focus on changing the stories we tell ourselves.

Celebrating our stories (and bottling them up)

While we can’t do much about the steady diet of negative stories about security, we can change our response to them. We can change the story we tell ourselves. We can change the stories we share with others.

What changes for us when we focus - even briefly - on all the things going well? The decisions and actions that worked out?

Take a moment to consider the importance of celebrating our ‘wins.’ Embrace the power of acknowledging and amplifying the wins of others.

Grab hold of the good around us. Bottle it up. Share it out. 

Perhaps late to the game, I finally started a “smile file” a few months ago. It’s the place I put the messages and connections that make me smile. When I need some perspective,  I can skim through the evidence that I made a difference. Lately, just knowing I have it is enough to help me reset.

Changing the stories we tell ourselves absolutely changes the stories we tell others.

What story do you tell yourself? What story do you want?

As the industry continues to shift, the timing is right for us to change the stories we tell ourselves. Take a few minutes today to capture a good story. If you can, I’d like to hear or read it. Then we can add another one next week.

You'll be amazed at how the stories you tell others improve just by telling yourself a better one.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.