I am grateful and consider myself fortunate for many reasons. One of those reasons is that my wife and I very much like each other and enjoy spending time together. Unfortunately, not all couples have this, and it is certainly not something that either of us takes for granted.
As you may know, when we do something with people we enjoy spending time with, it is far more enjoyable. Indeed, we see this most when doing chores that may not be our favorite activities. Simply put, when we are with people we enjoy, the task at hand seems to pass more quickly and to be less burdensome, regardless of how unpleasant, difficult, or arduous it is.
What does this have to do with security, you ask? I believe we can learn an important lesson from this. When we think about the many different tasks a security team must complete, many of them are challenging and time consuming, to say the least. Logic would dictate that if the security team is of high quality and its members enjoy working with one another, tasks will be completed more efficiently and effectively.
Given this, it is interesting how little focus security professionals give to the people aspect of security. You will routinely hear many around our industry talking about people, process, and technology. However, many of us have likely experienced that much of the real focus is on process and technology. Yet, the team is just as important, if not more important.
In this piece, I’d like to examine five reasons why focusing on people and building a team that enjoys working with one another are just as important to attaining security goals as process and technology.
- Not My Job: When a team has top-quality team members and is running like a well-oiled machine, you don’t hear a lot of the phrase “That’s not my job.” The reason for this is that when team members feel that other team members are reliable and working hard for the good of the organization, they don’t mind pitching in to do a little extra work when something needs doing. Unfortunately, the reverse is also true. When a team has several members who are not pulling their weight, many of the team members will begin to feel that other team members cannot be counted on. Sadly, this often results in individuals “hunkering down” and focusing on what they get compensated for, rather than being open to additional work that needs doing. This directly harms the efficiency and effectiveness of the security team.
- Not My Problem: Similarly, when a team has top-tier members and is running well, you don’t hear a lot of the phrase “That’s not my problem.” The reason for this is that team members feel safe identifying and solving problems that need fixing, either by themselves or with an impromptu team that has been set up for that purpose. On the other hand, when a team has significant dead weight and is not running well, top team members will not feel safe identifying and solving problems that need fixing for fear of getting blamed when something goes wrong, being seen as negative or a naysayer, and/or being sabotaged/drawing too much attention to themselves. As in the above point, a poorly functioning team results in individuals mainly looking out for themselves as a defense mechanism. This also harms the productivity of the security team.
- Going The Extra Mile: The best security professionals I know continuously and greatly exceed expectations when they are working in healthy and constructive environments. Sure, they could finish the task at hand, take a breath, and then move on to something else. Instead, they routinely go above and beyond, extracting and applying lessons learned, analyzing if an issue may be broader than initially suspected, and looking to improve processes and workflows. This happens because employees know they are being judged and evaluated in the big-picture sense; in other words, they know that the team leadership understands the value they bring, even if they occasionally take a bit more time to step outside the prescribed box of tasks they typically operate in. This most often brings huge value to the security organization. Unfortunately, security organizations that do not provide a healthy and constructive environment will miss out on these benefits.
- Trust: All healthy relationships are built on trust. When co-workers trust one another and can rely on one another, amazing things happen. They begin to build off one another’s work and move forward faster together. They also begin to talk one another up, which raises morale and helps management, executives, and the board see the value of the human resources that make up the security team. Lastly, trust brings about openness, honesty, transparency, and sincerity amongst team members. These qualities contribute to the free exchange of ideas without fear of humiliation, backstabbing, and/or having something you said or did used against you. The security team that has trust amongst its team members sees huge gains from it.
- Representation and Reputation: Have you ever considered the importance of how your security organization is reflected externally? For example, will top talent come work for a security team that is known to have poor leaders? Will the best security professionals want to work at a place that has an antiquated vision and where it is difficult to make progress and have an impact? Will security all-stars want to be part of a team that does not have a healthy and constructive culture? Will customers and partners feel comfortable entrusting their data to a security team that is known not to be running particularly well? Likely not. The security community is a relatively small and close-knit one – people talk and people know which cultures would likely be a better fit for them than others.
While it is tempting to focus on process and technology, people are an important part of security as well. The most efficient and effective teams have healthy and constructive cultures that encourage team members to go above and beyond the call of duty. While creating this type of culture requires substantial investment, it results in a significant return on investment for the security organization and is extremely worthwhile.