10 Critical Habits of Effective Security Managers

How to Secure Things & Influence People: 10 Critical Habits of Effective Security Managers. Have you ever felt that the security problems you're faced with would be so simple to solve if only your colleagues had your perspective on them? Are you frustrated that security does not have a more prominent seat at the table? Oftentimes, identifying security problems and developing the appropriate controls is the easiest part of the security job. Getting our peers and superiors to buy in to those solutions and understand the risk decisions they're making is an under-appreciated but arguably much more important part of our jobs in security. Chris and Jack will share techniques that help to turn your employees into an army of human security sensors, to get security done regardless of where it sits on the org chart, and to earn major security victories even with a meager budget and a small team. Along the way you’ll learn about the “10 Critical Habits” which we have observed effective security leaders using to achieve their goals.

Transcript of 10 Critical Habits of Effective Security Managers

Page 1: 10 Critical Habits of Effective Security Managers

How to Secure Things & Influence People

10 Critical Habits of Effective Security Managers

Page 2

Introduction

Why are we here?

What are our goals?

Page 3

Chris Clymer

Architect of information security program for Swagelok

Formerly outsourced CISO for a variety of organizations while managing the Advisory Services practice at SecureState

Former board member for NEOISF & co-host of the Security Justice podcast

I collaborate with my peers to identify and effectively manage risks which my company is confronted with

Page 4

Jack Nichelson

Director of Infrastructure & Security for Chart Industries.

Executive MBA from Baldwin-Wallace University

Recognized as one of the “People Who Made a Difference in Security” by the SANS Institute and received the CSO50 award for connecting security initiatives to business value.

Adviser for Baldwin Wallace’s state-winning Collegiate Cyber Defense Competition (CCDC) team.

I defend my company’s competitive advantage by helping solve business problems through technology to work faster and safer.

“Solving Problems is my Passion”

Page 5

Acknowledgements

Dennis Sommer, COO SecureState

Steve Hendricks, CMO RedIron

Steve Holt, CIO Chart Industries

David Hilmer, VP & CIO Graftech

Matt LoPiccolo, VP & CIO Swagelok

Chuck Norman, Sr. Mgr. Swagelok

Matt Neely, Dir. Strategy SecureState

Rich Wildermuth, Manager PWC

Craig Shular, CEO GrafTech

Tom Wojnarowski, CIO RITA

Troy Thomas, SVP Wells Fargo

Erick Asmussen, VP & CFO

Special thanks to all of the mentors who have helped us through these lessons

Page 6

The Ten Habits

Listening

Positivity

Know Your Stakeholders

Service

Just Say Maybe

Don’t be the Smartest Guy in the Room

Keep it Simple

Execution

Walk the Talk

Self-Reflection

Page 7

Habit I: Listening

Page 8

Habit I: Listening

“Listen, Learn and Then Lead”

Leading by Listening – Desire to help others

High Emotional Intelligence (EQ) is key: you need to care about everyone succeeding at their personal & career goals

The day people stop bringing you problems is the day you stop leading

Act decisively, be firm yet sensitive and empathetic

People want to be successful, so take the time to listen, respect, be humble and then help them reach their goals.

Your IQ got you in the door, your EQ will get you to the boardroom

Page 9

Putting it into action

“Good Leaders Ask Great Questions”

Effective managers spend a good part of their workday listening to other people and asking good questions.

Effective listening includes a four-step process to ensure understanding:

Listen to the total message

Prove your understanding by using nonverbal signals

Use open-ended questions & probes

Paraphrase what you hear and show understanding

Don’t just say “hi”, have a more personal conversation

Page 10

Habit II: Positivity

Page 11

Habit II: Positivity

Security is often fixated on finding the negatives: missing patches, misconfigured systems. It becomes very easy to be Mr. Negativity

Security is often in a position of asking others for help, not dictating to them

Who would you rather help…someone encouraging, or discouraging?

Perpetual optimism is a force multiplier…if you provide positive energy, those around you will be willing to work much harder towards your goals

To motivate those around you to take action, positivity will always trump negativity

“Perpetual Optimism is a Force Multiplier” – Colin Powell

Page 12

Putting it into action

Using positivity to achieve your security goals takes several steps:

Aim to make “heroes”, not “zeroes”

  Actively look for ways to encourage and help your peers

  Actively avoid “beating them up” with negativity

People want to be successful; help them accomplish their personal goals

  Have conversations to learn what their personal goals are

  Find projects that will help them achieve these

  If you have knowledge or connections that could help, share them

Page 13

Habit III: Know Your Stakeholders

Page 14

Habit III: Know Your Stakeholders

Security is about a lot more than just you

You are taking actions to protect assets in the stewardship of others

You are making choices which will impact the ways those around you conduct their business

No one cares what you know until you show them how much you care

To make stuff that matters, you have to know what matters so work on solving the right problems.

Page 15

Putting it into action

Effective managers take the time to identify stakeholders and know their pain points.

Identify stakeholders in your security program

  This is anyone affected by what you are doing

  Could be execs, IT, sales, marketing, manufacturing, customers…anyone

Learn what their drivers are, both personal & professional

  “Know their pain”

Plan to have “the meeting before the meeting”

  Meet with stakeholders individually before bringing them together for a decision

  You’ll know the decision before the real meeting even happens

Page 16

Habit IV: Service

Page 17

Habit IV: Service

Security is a support role…your job is to help others safely do the things that make your organization productive

You cannot do this job without help

Your employees are not subjects for you to dictate rules to…they are your customers

If you treat them well, they will be your “army of human sensors”, bringing you all kinds of useful intel, and helping to enforce policies you’ve developed to protect them

We often focus on the problem and forget about the customer. They will forget the problem you solved before they forget how you made them feel.

Page 18

Putting it into action

To take care of your “customers”, keep the following steps in mind:

Know who your customers are

Aim to create “stark raving fans”

Make sure they feel comfortable

Make sure they feel “heard”

Create a positive feedback loop

Page 19

Habit V: Just Say Maybe

Page 20

Habit V: Just Say Maybe

Security has often been the Department of “No”

Taking a hard stance as a “cyber policeman” can seem to work…until you become perceived as an obstacle

If you are an obstacle, process will begin to be routed around you

Effective leadership requires compromise and empathy for the other person.

Page 21

Putting it into action

Identify the core requirements (Yours & Theirs)

Facilitate a Risk vs. Reward conversation to balance security

Resist the urge to be a “cyber policeman.”

Empathize with others’ problems…but still be comfortable taking a stand

Collaborate on the solution where everyone can win

Don’t take a hard line on a topic before you have determined everyone’s “musts” and “wants”. This approach will ensure clear communication, fair compromise and a better solution.

It’s OK to be uncomfortable with the results

Page 22

Habit VI: Don’t Be the Smartest Guy in the Room

Page 23

Habit VI: Don’t Be the Smartest Guy in the Room

Many of us performed other IT roles before moving into security

This is often seen as a move “up”, which makes it easy to feel that you know your peers’ jobs as well as your own

We also often feel that no one is qualified to do the challenging job of security other than those of us currently charged with it

It is not your job to out-do or “call out” your peers

No one cares who came up with the idea, just that issues are solved

To achieve results we need to build partnerships, not demonstrate knowledge

Page 24

Putting it into action

To build strong partnerships with their peers, effective managers strive to do the following in all of their social interactions:

When in a meeting, listen more than you talk

Think very hard before speaking: are you contributing to the discussion, or are you demonstrating your knowledge?

Make your goal finding the best solution for an identified problem…not convincing everyone to accept your solution unchanged

Do not be afraid to let others fail…failure drives personal growth

Page 25

Habit VII: Keep it Simple

Page 26

Habit VII: Keep it Simple

Security is a complex field, characterized by the convergence points between many others

It is your job to deal with this complexity, and distill it into simple actions for your stakeholders

Their main job is something else…when you’re asking for their help, you want it to be as simple and frictionless as possible

Be on a mission to be results-oriented

A quick win with a simple solution is better than holding your ground for the elegant solution. Don’t let perfect become the enemy of good.

Page 27

Putting it into action

Distill complex security problems into simple elevator pitches you can easily convey to multiple layers of your organization

Hone and practice your message, you will be repeating it often

Don’t become so invested in an elegant solution that you lose sight of the original problem

Find quick wins that you can chain together into larger ones

“Fight the battles you can win” – Sun Tzu

Page 28

Habit VIII: Execution

Page 29

Habit VIII: Execution

This may seem obvious, but you need to execute on your plans

Because security is so dependent on others, it’s easy to develop plans which are never executed…and to place the blame on others

We also often spend months or years selling our ideas. Once others finally buy in, it can feel like the hard work is done

If you have a history of struggling with execution, others will not want to support new projects…no matter how significant the vulnerability you are addressing

Have a plan, and execute, execute, execute

Page 30

Putting it into action

Security managers who move from simply identifying problems to achieving concrete results typically follow these steps:

Once you have buy-in to security projects, have laser focus on execution…you may not get a second chance to try it

  Security does not make your company money. If a project stumbles or impacts the bottom line negatively, it’s easy to pull it out

Partner with others, but take responsibility for execution

Have a plan, follow it, measure your progress

  Use a project manager if you can

You don’t know what you can get away with until you try it

Page 31

Habit IX: Walk the Talk

Page 32

Habit IX: Walk the Talk

In security it’s easy to feel we’re an exception to some of the rules

In some cases, we may actually need to be

As the “policeman” you must hold yourself to a higher standard, because there’s often no one else to hold you accountable

Follow the policies you set, or expect others to follow your lead in ignoring them

You must lead by example, do not diminish your authority by disrespecting your rules

Page 33

Putting it into action

Maintain as few exceptions as possible, and be sure you have a strong justification for each

  Cracked down on admin rights? Give thought to where you really need your own

  Pushing standard server builds? Don’t maintain a security system with a “special” build because you don’t trust your server teams, or feel your requirements are unique

Follow any policies you’ve set to a tee, and do so visibly

Page 34

Habit X: Self-Reflection

Page 35

Habit X: Self-Reflection

In security we are often perfectionists…accepting failures can be a very difficult thing

  Reality is, we will have them

Without awareness of your own strengths and weaknesses you will fail to meet your own potential, and continue to be stymied by the same obstacles

The most important person for you to manage effectively is yourself. To grow personally and professionally you need to know yourself before you can help others.

“Know the enemy and know yourself and you will never be defeated” – Sun Tzu

Page 36

Putting it into action

Self-reflection is a challenge. Effective managers follow these steps, repeat them often, and are not discouraged when they stumble along the way:

Put a lot of thought into identifying your own areas of weakness

Have a plan for improving these

  These will be iterative improvements over time, not one-time things

  More about the journey than the destination…you will stumble along the way

Work with a mentor

  You need a second opinion on what your areas of weakness are

  You also want someone to keep you honest in how you’re progressing

Page 37

The Ten Habits

Listening

Positivity

Know Your Stakeholders

Service

Just Say Maybe

Don’t be the Smartest Guy in the Room

Keep it Simple

Execution

Walk the Talk

Self-Reflection

Page 38

References

You Don’t Need a Title to Be a Leader – Mark Sanborn

The Five Temptations of a CEO – Patrick M. Lencioni

The Art of War for Managers – Gerald Michaelson/Sun Tzu

The Sandler Sales Method – David H. Sandler

Seven Habits of Highly Effective People – Stephen Covey

The Fifth Discipline – Peter Senge

Leading Change – John Kotter

The Servant – James Hunter

The New Leader’s 100-Day Action Plan – George Bradt

Good to Great – Jim Collins

Crucial Conversations – Kerry Patterson

Page 39

Contact Info

Chris [email protected] Twitter: @ChrisClymer

Jack [email protected] Twitter: @Jack0lope

Page 40

Q & A

Page 41

Networking

No time like the present to put your soft skills to work

Say hi to your neighbor…what can they teach you about this topic?