In almost any endeavor, success usually comes with additional responsibility. For example, a promotion into a management or executive position comes with the additional responsibilities associated with that position.
Taking a security executive (e.g., a CSO, CISO, CRO, or otherwise) as an example, we know that this position brings with it responsibility for many things, among them the entirety of the security organization and a significant amount of the organization’s risk portfolio. The title does not come for free, and of course, none of us would expect that it would.
Those of us that have been in, are currently in, or have close professional colleagues that are in security leadership positions are familiar with the tremendous weight of responsibility these positions bring. Yet, even given the weight of their responsibilities, most of these security leaders focus most of their energy on improving their respective security programs rather than seeking the limelight. In other words, they are too busy working to worry about press and lauds.
In parallel, there exists a phenomenon in the security profession that, as it turns out, is not particularly unique to our profession. Like many professions, security tends to elevate certain people to celebrity or rock star status. I’m not quite sure why we have this tendency, or how certain people attain this status and others do not, but it is nonetheless something with which we have to contend. Some of our rock stars maximize their status, pushing us and challenging us to think differently about solving problems, providing us with guidance and wisdom based on their knowledge and experiences, and/or using their influence for the greater good. We usually examine their words closely and pay intimate attention to those words, as we should.
But what happens when some of our rock stars don’t live up to these noble goals or lose sight of them entirely? What happens when they may not have written anything new in 5, 10, 15, or perhaps even 20 years? Or when they harp on the news items and buzzwords of the day rather than provoking deep intellectual thought and debate? Or perhaps when they, intentionally or unintentionally, distract the community from the long-term, strategic issues we need to remain focused on in favor of issues that suit their agenda? Or how about when a sound byte or news clip is sought at the expense of the greater good of the community? Or what about when self-promotion and populism are pursued at the expense of outreach, education, communication, and real change?
As someone who travels quite a bit and is fortunate enough to meet with so many security professionals on a continual basis, I have many opportunities to discuss the issues of the day. I have noticed many common patterns and themes during the course of my discussions, but one subject in particular stands out. The amount of bad information, misinformation, biased information, hype, FUD, etc. that exists is overwhelming.
I hear thoughts on this topic continuously from a wide range of people, mainly because the current state of affairs makes the lives of operational personnel and security leaders extremely difficult. This troubles me for many reasons, and many of those reasons are the same reasons that I am troubled by those rock stars who choose not to provide the community with what we need from them.
The message I hear day after day is that it is hard to sift through the noise, difficult to navigate the hype, and nearly impossible to reconcile the misinformation. Bear in mind that this is coming from security professionals. Imagine what this landscape looks like to business leaders who are likely not security professionals but nonetheless have security as a top priority.
For operational personnel looking to mature their security programs and improve their overall security posture, this situation creates a tremendous challenge. It is difficult enough to accomplish this mission in a “clean” environment. But in an environment where bright shiny objects are continually introduced to distract or remove focus from the truly important issues and tried and true approaches, this mission becomes orders of magnitude more difficult.
Security leaders want to and need to focus on vision, strategy, risk mitigation, security operations, incident response, staffing, and any of the other challenges of the day. When rock stars use their platforms to harp on populist issues or bring attention to themselves or their agendas, it comes at the expense of all of these challenges. In my view, this does not help advance the state of security. In fact, it impedes it. Security leaders need their rock stars to work with them, rather than against them.
Although I have a modest following and am no rock star, it is my personal belief that even one reader of my materials puts upon me tremendous responsibility. I have always tried to educate, provide insight, and offer practical suggestions that can be implemented operationally. I can only hope that I am living up to expectations, and I will never know for sure. The feedback I receive from members of the security community regarding my columns, speaking engagements, and articles in various publications indicates to me that there are many in the community who would agree with my perspective and appreciate what I am trying to do. It is certainly not an easy task, and I am well aware of that.
If someone finds that he or she has attained rock star status, it should bring with it a tremendous amount of humility and responsibility. That responsibility should be to the very security community that made someone a rock star. And as members of that community, we should demand better.
With celebrity status, as with every leadership opportunity, comes tremendous potential to influence and advance the state of security. From my perspective, not taking advantage of that potential, or using it for the wrong purposes is a missed opportunity that hurts the community as a whole. In essence, it’s not about any of us in the end – it’s about advancing the state of the security profession one day at a time. That necessitates contributing to the discussion, rather than being a populist. After all, a true leader doesn’t seek to create followers. A true leader seeks to create other leaders.