Management & Strategy

Security Leaders – Welcome to the Spotlight

CISO and Security Leaders Under the Spotlight

CISO and Security Leaders Under the Spotlight

In my previous column, I discussed how many security leaders today are being thrust into the limelight and the resulting pressures on both careers and security needs. As I previously stated – being in the spotlight and suddenly accountable to the company for enterprise security is a double-edged sword.

Let me talk through some of the things successful security executives have shared with me from their accomplishments and challenges. I believe sharing struggles and failures is just as important as sharing successes, because I’d rather learn from someone else’s mistakes. With that in mind, here are some lessons learned and advice for not just surviving this situation if you find yourself in it, but actually shining and growing your career.

1. Learn and understand your business goals. In my experience, successful security leaders take quick steps to learn the business when they are put into leadership positions. This is not to say that other security professionals in the organization don’t know their business, because many do, but as a leader this must be the foundation of everything you do. One fantastic piece of advice that someone shared with me recently is the notion of learning the organization’s key strategic goals. Security isn’t an end, but a means to your organization’s success. It’s important that this simple mantra be front-of-mind in all security-related decisions.

Sometimes it feels like we’re dragging our business into a more secure state kicking and screaming. It’s important to understand why. Are you solving problems that don’t exist? Are you spending a million on a thousand-dollar problem? Cliché, yes, but true nonetheless. If the desire to improve security doesn’t culturally exist from the chief executive on down, you will forever struggle against the current no matter how hard regulators and clients push your company on security. This doesn’t mean you should quit, but rather, it suggests an alternate approach. Just remember, at the end of the workday, your job as a security leader is part enabling the business and part keeping its critical assets secure. You can’t execute that role effectively if you don’t understand the goals of your business.

2. Leave your comfort zone. As someone who is likely of a technical background, it’s relatively easy to settle into the technical minutiae of your day-to-day job and dismiss the other players as outside your purview. It feels natural to think little of other roles like the chief risk officer, general counsel, enterprise risk management (ERM) lead, and others. Don’t make this mistake. These are your peers in keeping the enterprise assets appropriately secure.

Stepping outside your comfort zone and engaging with risk management, legal, procurement and others builds the bridges you will need at some point in the future. Whether you find yourself wrestling with a stubborn business leader who doesn’t share your vision of security, or you’re in the middle of a catastrophic breach event, you will need these peers to support you and guide you through dangerous waters. Beyond simply talking with others and building relationships, you’ll want to start learning some new things from those departments. What are the top legal issues that may relate to security, and how does the ERM function treat security risks in the overall risk model for the enterprise? You’ll want a working knowledge of these things so you can speak intelligently when required.

3. Define your desired level of security. What does “good enough” mean to you? At what point do you believe that you’ve implemented enough security to match the acceptable level of technical risk the enterprise is willing to undertake? These are tough questions and they require dedication to the business goals.

For us in security, the concept of “good enough” can be very foreign, but in board rooms it is a well-known and accepted concept. To the board, “good enough” isn’t an abstract idea; it’s a financial model that pits spend against risk. If you don’t have the proper training, it can be terrifying and overwhelming. This is why your relationships are so important.

When you decide that you know what good enough means, you then have to be able to defend it. Drawing a line in the sand and deciding that adding more security layers beyond this line produces diminishing returns is one thing. However, being able to explain why that line is there, and showing some concrete evidence and mathematical models, is another. Anecdotal evidence suggests that enterprise risk—when it incorporates security properly—is the strongest backer of “good enough.” Spending time to understand the business, what makes it run, and how it functions will help you decide the point at which more security “stuff” starts to strangle productivity and business agility while adding minimal value on its own.

4. Fail fast, recover faster. Lastly, one piece of advice I’ve heard several times is that a successful leader of any part of the business must take risks but realize when they’ve made a mistake and recover quickly. When, as the security leader, you make a decision that steers you wrong, you need metrics to help you understand as quickly as possible that you’re hurting the organizational mission. The ability to objectively determine that you’ve taken the wrong course of action is one of the most critical things you can develop. Once you discover that you’re moving in the wrong direction, it takes grace and intelligence to admit it and plot a course correction. Own the failure. Don’t spin it, but own it. Explain that you took a risk, that you quickly discovered the improper direction, and show how an adjustment will be better. You will earn the respect of your peers and the admiration of your team members. Leadership isn’t about always being right, but rather about knowing with certainty when you’ve made a mistake and being able to take corrective action.

Now that you have the spotlight, you have a tremendous opportunity. Hopefully, you’ll find a solid balance of success and failure that moves the organization’s mission forward, with your career going along for the ride. Be a great leader!

Related Reading: Security Leaders – Be Mindful What You Wish For

Related Reading: What CISOs, InfoSec Pros Have on Their 2015 Wish Lists
