Why Sincerity Is a Strategic Asset in Cybersecurity

Strong security doesn’t just rely on tools—it starts with trust, clarity, and sincerity from the top down.

Recently, while speaking at a customer event, I encountered some technical difficulties. First the projector began flickering on and off.  Then the power went out. Then the clicker went on the fritz. I guess it just wasn’t my day.

Anyone who speaks regularly has no doubt encountered situations like this. Of course, the trick is to keep the audience engaged and with you while you work through the technical difficulties. This can involve storytelling, humor, a bit of improvisation, and a number of other techniques.  In the end, regardless of your message, those listening will remember different amounts of what you told them. What they usually remember quite well, however, is how you made them feel.

This is why keeping the audience engaged is so important when speaking. You know what else?  It is something that an imposter will have tremendous difficulty with. Why is that? I tend to think of imposters as MP3 players or YouTube videos – they hit play on their talk track. Much of the time, perhaps to the detriment of our field, all is well and good with that.  Yet on the occasion when they are forced to go off script, it isn’t pretty.  Over the course of my career, I’ve seen it more times than I would have liked to.

There is a humorous quote that captures this in my opinion.  It is often attributed to Groucho Marx, George Burns, and others: “The key to success is sincerity. If you can fake that you’ve got it made.” This quote makes light of how imposters can sometimes woo an audience. That is, until something goes wrong and they are forced to go off script.

I believe that most people can see and feel sincerity. They expect an intelligent, interactive conversation, not just hitting play on the talk track. Further, I believe that there is an important security lesson that we can learn from this: namely, that better security starts with sincerity.

What do I mean by this?  Let’s take a look at some ways in which sincerity benefits security programs:

  • Building relationships: A successful security program leverages more than just technology.  Indeed, people, process, and technology are all important when it comes to properly defending the enterprise.  The people component is more important than many people realize.  Part of that is the security team itself, which I’ll discuss in the next bullet.  But another extremely important part of that involves key stakeholders, both within the enterprise and externally.  A huge part of the security program’s success involves building relationships with key stakeholders, such as application owners, developers, IT, networking, cloud, and various other teams.  Sincerity is fundamental to building and maintaining these relationships.  Sincerity builds confidence, leads to trust, and ultimately makes stakeholders comfortable working together as partners with the security team.  This is crucial when it comes to improving the overall state of security in the enterprise.
  • Building teams: The security program is heavily dependent on the quality of its team members.  The better the team, the better the program.  When it comes to recruiting and retaining security personnel, sincerity should not be underestimated.  Sincere security leaders tend to attract, hire, and retain sincere security managers.  Those managers, in turn, have the sincerity it takes to attract, hire, and retain sincere security team members.  Most people have the ability to see sincerity and insincerity, and the top talent will want to work for an organization that is full of sincere people.  Thus, it’s no surprise that the best security programs I’ve seen have sincere, dedicated leaders, managers, and individual contributors.
  • Reducing risk: Reducing, mitigating, and managing risk to the enterprise should be the aim of any security program.  A key part of reducing risk is accurately enumerating, measuring, and mitigating risk.  Not just in word, but also in deed.  This involves a level of sincerity and honest analysis that some people and some organizations lack.  When the risk exercise is taken on sincerely, the results can often be quite significant.  On the other hand, when this exercise is taken on insincerely, the enterprise often ends up deluding itself regarding whether or not it is reducing risk.  The results of this delusion can be catastrophic, resulting in unmitigated risks that wind up falling through the cracks waiting for the attackers to pounce on them.
  • Improving security posture: Reducing risk is part of improving the enterprise’s security posture, but there are other components as well.  There will be many strategic initiatives that the security team will undertake towards this purpose.  If these initiatives are undertaken with sincerity, they will be far more likely to produce results that actually improve the overall security posture of the enterprise.  On the other hand, if these initiatives are undertaken with insincerity, they will most likely result in a false sense of progress.  For example, in some insincere corporate cultures, people feel the need to falsely represent progress and success.  The result of this is that the organization believes that it is making progress and having success in improving the overall security posture, when in reality, it is not.  This can have disastrous consequences for an enterprise.
  • Communicating with executives: Communicating the value that the security team is bringing to the enterprise is an important component of maintaining and receiving additional headcount, maintaining and receiving additional budget, and building confidence in the security team and its abilities.  Sincerity goes a long way towards achieving this.  While executives may not be technology or security experts, they have been around the block more than once or twice.  Most of them can smell sincerity or lack thereof when speaking to someone.  If the executives think that the security team is leading them on or is untrustworthy, at the very least, that won’t bring about the desired results.  Worst case, there could be more harsh impacts for the security team that result from the lack of sincerity.  Definitely not a good place to be.

While it may be humorous to joke about faking sincerity, it is seldom a good idea in practice. Sincerity is a key foundation to many things, including the overall success of a security program. Sincere security leaders, managers, and individual contributors can build successful security programs that build relationships, mitigate risk, and accomplish strategic objectives on the basis of sincerity. Insincerity, on the other hand, can have devastating consequences for a security program. Simply put, better security starts with sincerity.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently Field CISO at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
