Security leadership with three “Roadhouse” rules

Last summer I spent a few days with a company to assess the human side of their operation. As part of the process, the CSO and I walked the hallways, talked with people and then discussed our observations. During lunch on the second day, I asked about his team — specifically how he managed his team to get the results he was responsible for.

As I listened to his response, I couldn’t help but smile: he employed “Roadhouse” rules.

One of the greatest “B movies” of all times, Roadhouse is the tale of Dalton, a professional bar bouncer (technically, the “cooler,” the leader of the bouncers), and how he cleans up corruption in a town as he restores a bar with a rough reputation to a hotspot.

In a memorable — and colorful — scene, Dalton gathers the bar staff and explains his three simple rules:this link. The “rules” start at 2:10 into the clip, but the entire scene contains coarse language not necessarily suitable to watch at work.

1. Never underestimate your opponent; expect the unexpected

2. Take it outside, never start inside

3. Be nice

Note: to see the clip in context, check out

Roadhouse has some parallels to the role many of us face as security leaders in our respective organizations: we’re the cooler head, paid well and called upon to produce change and protect the organization. To support the process, we have a team of people to work with us and face a constant (dare we say “persistent”) series of attackers.

While introduced in a bar, the “Roadhouse Rules” work for security teams, too. Here are some insights with each of the rules in context:Never underestimate your opponent

While it seems like this rule is a given for security, it helps to step back and consider the opponent. While the stress and frustration of daily operations leads to the feeling that our colleagues and clients are the opponent we face, they are on our team.

Our opponents are varied, and they are always active.

Most security professionals are already vigilant, so this rule is an opportunity to keep focus on the real opponent. Better, consider it an invitation to engage colleagues in the process of exploring opponents — get their help to discover the unexpected so that everyone is more prepared.

Plus, having colleagues on the lookout makes it easier for everyone to manage risk.

Take it outside, never start inside

In the movie, there is a scene where an unruly patron wants to fight Dalton. He “agrees” and offers to take it outside. Once they all walk outside, he smiles, turns around and walks back into the bar.

By taking it outside, there was no fight.

Fighting inside generally results in damage; in the movies, it’s generally broken bottles, tables and bones. In the organization, it tends to be reputations, budgets and the success of necessary initiatives. With this in mind, “take it outside,” can be applied in a variety of ways, including:

• Take a break and take the concern outside, literally. Go for a walk to get some perspective.
• Instead of fighting with insiders about their perspective, “take it outside” to shift their perspective and introduce the view of an attacker, and work to gain common ground on how to best address that challenge.
• Get some outside help to clarify the point, support the assertion or otherwise address the issue, without fighting.

Regardless of the approach, be wary to start anything inside without first thinking about taking it outside.

Be nice

Like saving the best for last, this rule packs the biggest punch and is the most important.

After introducing this rule, the bouncers offer their colorful challenges — in an attempt to prove why this rule doesn’t work.

With some equally colorful responses, Dalton explains, “This is just a job, nothing is personal.”

In security, take the same approach: be nice. Realize this is just a job (or at least others see it as such) and when people fight, attack and undermine, it is more likely a function of them doing their job — or trying to — and not a personal attack.

This rule has a corollary: be nice, until the time comes to not be nice. When asked when that is, Dalton explained they wouldn’t know. It wasn’t their job to determine when to not be nice; instead, it was his job to tell them. The same goes for security.

As part of a team, the responsibility to be nice is paramount. If — not necessarily when — it is time to not be nice, that is the call of the executive, probably the CSO. As the security leader, this responsibility is something that cannot be taken lightly.

In my experience, being nice always provides additional outlets and sets the stage for future elements. However, we have all experienced times when niceness just doesn’t work. In that case, have at. But exercise caution.

Final advice: watch my back, and each other’s, and we’ll be fine.

A good reminder that our role is to look out for each other — and everyone on the team needs to protect the leader. Incorporated into this advice is the need for the leader to follow the rules outlined above and provide for the career progression and management of their team.

Successful security leadership requires effective connections and a solid team. “Roadhouse rules” is a simple approach that brings immediate benefits.

About Michael SantarcangeloAuthor of Into the Breach, Michael Santarcangelo is the founder of Security Catalyst, a practice devoted to harnessing the human side of security. Michael offers keynote presentations, seminars and consulting on security awareness, effective communication of security, security career management for teams and support for security leadership. Learn more at https://www.securitycatalyst.com or engage with Michael on twitter (@catalyst).