The One Minute Security Manager
Security has a bad name. Whenever I say I work in security, people get paranoid, assuming that my job is to block whatever good work they are doing in the name of security. Plus, in many organizations, security is a one-way street. Information goes in, but never comes out. There’s no information sharing because neither side wants to disclose their “secrets.” It’s time to change this negative connotation for security.
For my entire security career, I’ve been exploring ways to improve the image and effectiveness of security. Also throughout my professional career, I’ve been studying leadership. Recently it dawned on me (while reading Seth Godin’s The Dip) to put the two together. One of my favorite leadership books is The One Minute Manager by Ken Blanchard, Ph.D. and Spencer Johnson, MD. There is no reason why we can’t use the ideas in The One Minute Manager to improve our security practices.
1. Set Goals – What are you trying to protect? What is your security program trying to accomplish? You can’t protect everything, so you need to pick your battles. In my goal setting, I use the risk equation of risk = impact × probability (see Risky Business post). This helps me determine the lowest-hanging fruit that has either the highest impact or is most likely to be affected by a security issue. Write and publish your goals. This lets others see what you’re up to. Also, take a minute every once in a while to read and re-read each goal to determine your progress.
2. Praise Good Security – Praise people immediately to their face (if possible) telling them and others how they improved security for themselves or your organization. Be specific and let them know how good you feel about what they did right and how it helps the organization. Encourage them to do more of the same. This is where we in security often fall short. We only see the bad, where security is lacking and are not catching people doing things right. That’s only half of the picture. This also helps put the overall security of the organization in perspective. In one of my first security jobs, my VP said, “Our security sucks.” I responded, “No sir, we have good security, in pockets. Our challenge is to make it consistent across the company.” By praising good behavior, we are encouraging more of it.
3. Explain opportunities for improvement – We all sometimes fall short of our expectations and goals and need to be reminded of them. In the book, this is referred to as the Reprimand. Security professionals and auditors often fail here and don’t do it right. We either don’t find the root cause, don’t address the right people, or don’t collaborate on solutions. The way to do it is: (a) make sure you have the right people who are responsible for the problem. Sometimes we misplace blame or don’t tell the real person responsible. (b) Tell them immediately, specifically where they fell short. (c) Brainstorm with them on ideas and suggestions for improvement. Don’t tell them how to do it, but collaborate on the opportunities for improvement. (d) Reaffirm how important they are to the security of the organization. It’s critical here to make sure that you are addressing the problem and not the person. Also, you should be working with the people to ensure the correct solution is in place.
Taking these three steps should increase the credibility of your security services and reduce the negative feelings. It will promote collaboration that provides buy-in from critical resources, improving the security practices of your entire organization. Of course, I’ve only scratched the surface of The One Minute Manager. All security professionals should read the book and use its techniques to better manage their security programs. Lastly, continue to use the SecurityCatalyst forums to share your ideas.
By working together, we all become stronger.
Posted in Information Protection

www.andrewhay.ca » Suggested Blog Reading - Tuesday July 3rd, 2007 said,
July 3, 2007 @ 7:10 pm
[...] The One Minute Security Manager - Good “quickie” to review every now and then. Security has a bad name. Whenever I say I work in security, people get paranoid assuming that my job is to block whatever good work they are doing in the name of security. Plus, in many organizations, security is a one way street. Information goes in, but never comes out. There’s no information sharing because neither side wants to disclose their “secrets.” It’s time to change this negative connotation for security. For my entire security career, I’ve been exploring ways to improve the image and effectiveness of security. Also throughout my professional career, I’ve been studying leadership. Recently it dawned on me (while reading Seth Godin’s The Dip) to put the two together. One of my favorite leadership books is The One Minute Manager by Ken Blanchard, Ph.D. and Spencer Johnson, MD. There is no reason why we can’t use the ideas in The One Minute Manager to improve our security practices. [...]