by Martin Fisher

Those who know me have come to expect me to “correct” them whenever they say “manage people”.

“Objects are managed, people are led,” is my usual retort. Sometimes I am met with a blank look, sometimes with a exasperated grimace, and sometimes (and not nearly often enough) by a questioning stare.

“What?” the quizzical friend often asks. “There’s not a difference worth mentioning.”

Nothing could be further from the truth and nothing, in my opinion, has done more to impede the progress of the information security profession.

The abject failure of leadership, from senior ranks, through middle management, to front-line supervisors has led to a culture that glorifies “meeting expectations”, extols the virtue of “accomplishing goals”, and is satisfied with “getting the job done”. Don’t get me wrong – these things are important – but they miss the vital difference: That a dynamic leader can take a group of people and almost always “exceed expectations”, “surpass goals”, and “get the job done better” and still have a happier team and more satisfied customers.

“How does that happen?” asks the still-quizzical friend, “Isn’t meeting expectations what we’re here for? Isn’t that enough?”

Sadly, it isn’t enough.

All people appreciate leadership. Everyone inherently wants to belong to a team that accomplishes exceptional results. Nobody wants to be in an organization that doesn’t excel.

The key to this is the Leader.

Leaders determine, by applying their leadership talents, just how far the team will go. Setting a goal and managing to that goal ensures that any additional capability is forever lost. Managing to a goal guarantees that the exceptional capability that is native to any team will be lost in a desire to just do “enough”. When we manage people, instead of lead them, we are condemning ourselves to forever experience sub-optimal results, never knowing what could have been accomplished.

“But my team is happy and my customer is satisfied. Doesn’t that mean I’m succeeding?” asks the friend as their frustration with the conversations grows. “You’re making more out of this leadership thing than it really is, aren’t you?”

This is the point where the friend has reached an almost Matrix-esque moment…

“Take the blue pill and this conversation ends. Everything goes back to the way it was and you can believe anything you want to believe. But take the red pill, and I’ll show you how you can take the leadership skills and talents you have and use them to transform yourself and your team. I’ll teach you how to truly get more done with more satisfaction.”

Which pill, my friend, will you take?

In my last blog, I talked about how to build trust with a customer, and the advantages of doing so. By building a relationship of trust, communication becomes more open, allowing the customer to feel comfortable sharing their needs, and allowing the IT service provider to better customize service and anticipate needs. This concept also extends to intra-IT interactions – or regular life interactions, for that matter.

Sociologists will tell you that humans are social creatures – even the most introverted of our species require interaction with others. There is also the concept of the “inner circle” – each person has an “in” crowd that they trust and want to interact with. Evolutionarily, having such a group ensured survival: the group would mutually protect each other and they worked together to find food and raise children. The flip side of this evolutionary model is the rest of the world: If you’re not part of the inner circle, you’re not trusted and are thus treated with suspicion, prejudice, or even disdain. Individuals in your inner circle get the benefit of the doubt when they do something wrong, and you are compelled to help them through it. Individuals not in your inner circle are assumed to be malicious when they do something wrong, and you are compelled to be defensive and accusatory toward them for it.

It frequently surprises me how people assume that things in the IT or business world work so differently than they do in daily life, when there is actually little or no difference. We are the same humans with the same genetic make-up whether we’re home in our sweats or at work in our suits. Everyone knows that the best way to get a new job is to network with people at the target company, and many a manager has been accused of favoritism – Mary got a perk that I didn’t get because the boss “likes her better” (i.e., trusts her more) than me. Even security networks are built on trust (e.g., PGP): if I trust you and you trust John, then I can trust John.

So it stands to reason that if we can increase trust in the workplace, everything gets better: issues get resolved faster, there are fewer nasty surprises, there is greatly increased communication, and a strong desire to be inclusive. This then results in better collaboration between IT teams, which increases sense of ownership that in turn decreases errors and improves the overall quality of deliverables. All of this makes the customer – and thus the boss – happier.

But how do you go about this? Theoretically, it’s simple: communicate and include. Practically, it’s quite a bit more challenging. Make it a point to build trust with your coworkers, especially where you know it doesn’t exist today. At work, your inner circle is most likely your immediate team. But you probably work regularly with other teams. Are you accusatory of them? Do you have a less than impressed opinion? Do you think they screw up or are sub-par? Do they point their fingers at you? Those are the individuals you most want to target. Be sure to have face-to-face meetings with them – it’s a lot harder to think someone’s a jerk when they’re sitting right there. When you invite them to the table, ask everyone (including you and your team) to leave their prejudice at the door. Talk about what’s going wrong openly and honestly, with the intent to fix the problem, not lay blame. This may take some time, but have the good will to keep trying, and consider engaging a practiced facilitator if needed (many people are naturally good facilitators, but if you need someone who has been specially trained, try looking in HR or the training department). Extend gestures of goodwill by inviting the other team to an outing (e.g., lunch or drinks after work) or to meetings that they should’ve been invited to but weren’t. Above all, really listen to their perspective and make an effort to see their point of view. It might take a while, but what you’ll notice over time is increased respect and much smoother workings between you.

It may be a bit pie-in-the-sky, but imagine if you had trust with every team you worked with. I guarantee you’d be a happier employee and you’d enjoy your job a lot more. You’d also get work done faster with higher-quality results, making your customers and supervisors happier, too. And in this tenuous economic climate of cost-cutting and down-sizing, that’s maybe as close to job security as any of us can get.

The last article in this series explored the top three reasons why group have a tendency to reinvent the wheel (read it here, or the entire series started here). And now, some solutions:

Beyond the frustration caused by an approach that simply recreates the wheel, the result is often a solution that is not trusted and therefore readily cast aside in favor of the next offering. To put a stop to this cycle requires taking a different approach. Success has to be based to fundamentals and sound principles.

 

How to do it?

A key part of the solution is to enter into deliberate discourse (note: this is a central theme of Into The Breach and a topic I am passionate about). More voices with an opportunity to review, consider and contribute have the potential to lead to a better product. For this to lead to a better product requires a strong leadership team with enough expertise to guide and the skills to help facilitate and negotiate the final result.

Instead of starting with a blank slate, it is a good practice to build on the success of others. When it comes to strategies that protect information, we have plenty of choices – frameworks like ISO 2700x, PCI, FISMA, etc. However, limiting the solution to a narrow set of industry standards may not yield the best results. Sometimes, real progress comes at the intersection of industries (to gain more insight on this approach, consider reading: The Medici Effect) – leveraging how the medical, engineering or other industries have dealt with and handled challenges may bring valuable insight to the effort at hand.

The advantage to building on the validated and transparent work of others is the ability to avoid conjecture and “gut feeling.” This is the challenge: there are few shortcuts to spending the time to outline, think, plan, distill, check, cross-reference. This is an area where transparency really provides a benefit.

When the group of professionals is assembled, here are three steps to harnessing the collective power, building on the wheel (instead of building a new wheel) and reaching a point of success:

 

1. Capture and distill frameworks (or solutions)

Start by presenting a model to work from, based on an existing solution. In general, individuals and groups struggle to create but excel at editing and revising. With this in mind, selecting an initial framework or set of solutions to present to the group acts as a strawman [http://en.wikipedia.org/wiki/Strawman]. This has the added benefit of allowing people to beat on the framework(s) instead of each other.

The frameworks or solutions can either be selected in advance or decided by the team. Allowing the team to decide may provide for more diverse results but requires more time and a stronger facilitator (who possesses deep subject matter expertise). Stronger frameworks and solutions are those that have already been publicly validated and are more transparent. This suggests the “heavy lifting” has already been done and the team can focus on refining and tailoring what already exists from multiple sources into the solution required.

More important that just compiling a list of viable frameworks and solutions is how they are captured and processed. As the elements are suggested, reviewed and documented, look not only for the similarities, but also the distinctions between them. Working to understand why specific elements were either included or excluded may also reveal key insights that aid the development of a stronger solution. Note the intended audience and users of the solution and how it is received. It may be useful to note the level of maturity, too (since that provides some insights).

This process generates a lot of discussion – this is good, and leads to the second point.

 

2. Capture and distill the running dialogue

More important, perhaps, than the solutions selected in the last step is the running dialogue that occurs as part of the process. Yet few organizations take the time or make the effort to capture that solid gold value.

Ultimately, the discussion – the true process of negotiation and coming to a common understanding – is precisely what allows a group to build the final product. While the discussion is natural, here are three important questions to ask, answer and record during this process:

a. What works — and why?

b. What does not work — and why?

c. How is this applied — and why?

Look for specifics. This is an area where people tend to rely on “truthiness” – which, to a certain extent, may be okay. In the overall discussion, however, guide people back to more concrete grounding by asking more questions to ensure everyone shares a common understanding (which is not necessarily the same as a common opinion!). The next segment will explore the benefit of capturing this conversation and making it available in the future.

As the conversation continues, there is one more step to increase the overall value.

3. Capture and distill references

The value of having experts together in a room is their collective knowledge – informed by experience, training and a vast array of resources. Therefore, it is incredibly valuable to regularly ask this group to cite the references they find of value.

As the discussion rages on (if you have been part of a working group, rage is definitely the right word), asking people to take the time to cite the references that support their assertions returns focus to the fundamentals.

Not only does this improve the overall framework, but this also improves how it is applied and verified (as we will explore in the next sections).

 

Bottom Line

Bring together a small, tight team that works well together. Welcome as many voices into the process as reasonable. Take the time to distill and overlay what already works.

 

How this Applies to Trustmark

When Trustmark gets this right, it will essentially be an overlay on the entire industry – explaining where, how and why the different control families and control objectives can be met. This is important, since it allows for additional regulations or efforts to be acceptable without prescribing a set way of working. But whether working on Trustmark or a new process to protect information, following these steps leads to a stronger – and more trustworthy – result.

 

Up Next: the second challenge facing Trustmark and similar efforts is in how the solution is applied. We examine this challenge with potential solutions before moving on to the final challenge of how the solution is measured and verified.

 

If you enjoyed reading this article, please take a moment to either subscribe to the RSS feed (www.securitycatalyst.com/feed/) or sign up for free updates by email. Use the buttons below to print this article or share this with friends and colleagues that will benefit from this.