What leadership persona do you want to project as a security manager?
While attending a security conference keynote recently, I grimaced when the speaker concluded by comparing security professionals to dentists. We both fill cavities. Ouch! This struck a nerve. How many people look forward to visiting their dentist? Even today, when most dentists have video screens, games and soft music, a visit isn’t anticipated with joy. But was the speaker right? Are we looked on as “dentists”? Do we want this persona? I recently had two dentist appointments that made me think about this presentation.
If not dentist or janitor, then what? In this post I want to outline a different way to understand security leadership and hopefully help you get to such a position. Michael Santarcangelo covers leadership regularly in his blog and I recommend you check it out.
Many prospective security leaders did not grow up in the security field. This might be different in 10 years. But for now, we have people from network administration, systems administration, legal, law enforcement and even fields like community relations and business management. In other areas, like marketing, the prospective vice president of marketing probably started in an entry-level sales job. If you are in a security leadership role and come from one of the backgrounds mentioned, you may feel you have to transform yourself into a different person to be an effective leader. You certainly can’t approach enterprise security leadership from an exclusively tech viewpoint and geek persona. As for me, I have read many leadership books and found them pretty intimidating. How do you summon your inner Colin Powell or Jack Welch?
Recently, I read a well-known book "Leadership and the One Minute Manager", by Ken Blanchard. It crystallized the leadership challenges faced by security managers who want to govern an enterprise security program. The book is based on the concept of “situational leadership”, the idea that each situation requires a different style of leadership.
This applies 100% to the information security officer (ISO). ISOs deal with a broader range of situations than anyone else in an organization, except a CEO. So following this idea, if you arrive at a security leadership position from a tech background, you don’t need to change into a different person, just add some skills to address the different types of situations you may find yourself in. To my way of thinking, adding to what I have is a lot easier than transforming myself into a charismatic uber-leader.
Let’s look at some details. I’m calling my interpretation “The One Minute Security Manager”. Blanchard’s book describes four generic leadership styles that are applied in different situations. There are probably more; these are just the four he focuses on. They are: “directing”, “coaching”, “supporting” and “delegating”. When would you need each of these in an ISO role? I summarize where in the table below. Directing is handing out orders with specific instructions. This is needed in an incident response situation. You need to take charge (of course, you have a rehearsed plan) and direct the investigation, remediation and recovery. Time is of the essence. How about coaching? If you want to implement an effective awareness campaign, you will be coaching your users on the right thing to do. You can’t dictate to them, nor can you just check off that they have read the policy.
Supporting behavior applies to all of the many business leaders the ISO interfaces with. They are all customers and fundamentally need your support to get their jobs done. Delegating is something you need to do for your security operations center (SOC). If you get stuck in the weeds of tech issues, you will not have an effective program. Of course, you need to make sure you have hired people who can run the SOC. The alternative is a service provider SOC.
To sum up, if you are transitioning to a leadership position, you do not need to reinvent yourself. You may need to add some skills to those you already have. "Leadership and the One Minute Manager" can be read in a few hours and will help you define those skills and where to use them.
* Editor's note: Title borrowed from Jeff Bardin’s great post.
This article is published as part of the IDG Contributor Network.