Chris Clymer & Jack Nichelson - How to Secure Things & Influence People: 10 Critical Habits of...
Uploaded by centralohioissa
Chris Clymer
Director of Security Services for MRK
CISO for companies ranging from SMBs to multi-billion dollar corporations
Former board member for NEOISF & co-host of the Security Justice podcast
Aspiring Ironman, amateur saberist
I collaborate with my peers to identify and effectively manage risks which my clients are confronted with
Jack Nichelson
Director of Infrastructure & Security for Chart Industries.
Executive MBA from Baldwin-Wallace University
Recognized as one of the “People Who Made a Difference in Security” by the SANS Institute and received the CSO50 award for connecting security initiatives to business value.
Adviser for Baldwin Wallace’s state-winning Collegiate Cyber Defense Competition (CCDC) team.
I defend my company’s competitive advantage by helping solve business problems through technology to work faster and safer.
“Solving Problems is my Passion”
Acknowledgements
Dennis Sommer, COO, SecureState
Steve Hendricks, CMO, RedIron
Steve Holt, CIO, Chart Industries
David Hilmer, VP & CIO, Graftech
Matt LoPiccolo, VP & CIO, Swagelok
Chuck Norman, Sr. Mgr., Swagelok
Carl Kessler, VP & CIO, First Federal
Matt Neely, Dir. Strategy, SecureState
Rich Wildermuth, Manager, PWC
Craig Shular, CEO, GrafTech
Tom Wojnarowski, CIO, RITA
Troy Thomas, SVP, Wells Fargo
Erick Asmussen, VP & CFO
Jason Middaugh, Mgr., Cliffs
Special thanks to all of the mentors who have helped us through these lessons
The Ten Habits
Listening
Positivity
Know Your Stakeholders
Service
Just Say Maybe
Don’t be the Smartest Guy in the Room
Keep it Simple
Execution
Walk the Talk
Self-Reflection
Habit I: Listening
“Listen, Learn and Then Lead”
Leading by Listening – Desire to help others
High Emotional Intelligence (EQ) is key: you need to care about everyone succeeding at personal & career goals
The day people stop bringing you problems is the day you stop leading
Act decisively, be firm yet sensitive and empathetic
People want to be successful, so take the time to listen, respect, be humble and then help them reach their goals.
Your IQ got you in the door, your EQ will get you to the boardroom
Putting it into action
“Good Leaders Ask Great Questions”
Effective managers spend a good part of their workday listening to other people and asking good questions.
Effective listening includes a four-step process to ensure understanding:
Listen to the total message
Prove your understanding by using nonverbal signals
Use open-ended questions & probes
Paraphrase what you hear and show understanding
Don’t just say “hi”; have a more personal conversation
Habit II: Positivity
Security is often fixated on finding the negatives: missing patches, misconfigured systems. It becomes very easy to be Mr. Negativity
Security is often in a position of asking others for help, not dictating to them
Who would you rather help…someone encouraging, or discouraging?
Perpetual optimism is a force multiplier…if you provide positive energy, those around you will be willing to work much harder towards your goals
To motivate those around you to take action, positivity will always trump negativity
“Perpetual Optimism is a Force Multiplier” – Colin Powell
Putting it into action
Using positivity to achieve your security goals takes several steps:
Aim to make “heroes”, not “zeroes”
Actively look for ways to encourage and help your peers
Actively avoid “beating them up” with negativity
People want to be successful; help them accomplish their personal goals
Have conversations to learn what their personal goals are
Find projects that will help them achieve these
If you have knowledge or connections that could help, share them
Habit III: Know Your Stakeholders
Security is about a lot more than just you
You are taking actions to protect assets in the stewardship of others
You are making choices which will impact the ways those around you conduct their business
No one cares what you know until you show them how much you care
To make stuff that matters, you have to know what matters, so work on solving the right problems.
Putting it into action
Effective managers take the time to identify stakeholders and know their pain points.
Identify stakeholders in your security program
This is anyone affected by what you are doing
Could be execs, IT, sales, marketing, manufacturing, customers… anyone
Learn what their drivers are, both personal & professional
“Know their pain”
Plan to have “The meeting before the meeting”
Meet with stakeholders individually before bringing them together for a decision.
You’ll know the decision before the real meeting even happens
Habit IV: Service
Security is a support role…your job is to help others safely do the things that make your organization productive
You cannot do this job without help
Your employees are not subjects for you to dictate rules to…they are your customers
If you treat them well, they will be your “army of human sensors”, bringing you all kinds of useful intel and helping to enforce the policies you’ve developed to protect them
We often focus on the problem and forget about the customer. They will forget the problem you solved before they forget how you made them feel.
Putting it into action
To take care of your “customers”, keep the following steps in mind:
Know who your customers are
Aim to create “stark raving fans”
Make sure they feel comfortable
Make sure they feel “heard”
Create a positive feedback loop
Habit V: Just Say Maybe
Security has often been the Department of “No”
Taking a hard stance as a “cyber policeman” can seem to work…until you become perceived as an obstacle
If you are an obstacle, processes will begin to be routed around you
Effective leadership requires compromise and empathy for the other person.
Putting it into action
Identify the core requirements (yours & theirs)
Facilitate a Risk vs. Reward conversation to balance security
Resist the urge to be a “cyber policeman”
Empathize with others’ problems…but still be comfortable taking a stand
Collaborate on a solution where everyone can win
Don’t take a hard line on a topic before you have determined everyone’s “musts” and “wants”. This approach will ensure clear communication, fair compromise and a better solution.
It’s OK to be uncomfortable with the results
Habit VI: Don’t Be the Smartest Guy in the Room
Many of us performed other IT roles before moving into security
This is often seen as a move “up”, which makes it easy to feel that you know your peers’ jobs as well as your own
We also often feel that no one is qualified to do the challenging job of security other than those of us currently charged with it
It is not your job to out-do or “call out” your peers
No one cares who came up with the idea, just that issues are solved
To achieve results we need to build partnerships, not demonstrate knowledge
Putting it into action
To build strong partnerships with their peers, effective managers strive to do the following in all of their social interactions:
When in a meeting, listen more than you talk
Think very hard before speaking: are you contributing to the discussion, or are you demonstrating your knowledge?
Make your goal finding the best solution for an identified problem…not convincing everyone to accept your solution unchanged
Do not be afraid to let others fail…failure drives personal growth
Habit VII: Keep it Simple
Security is a complex field, characterized by the convergence points between many others
It is your job to deal with this complexity, and distill it into simple actions for your stakeholders
Their main job is something else…when you’re asking for their help, you want it to be as simple and frictionless as possible
Be on a mission to be results oriented
A quick win with a simple solution is better than holding your ground for the elegant solution. Don’t let perfect become the enemy of good.
Putting it into action
Distill complex security problems into simple elevator pitches you can easily convey to multiple layers of your organization
Hone and practice your message; you will be repeating it often
Don’t become so invested in an elegant solution that you lose sight of the original problem
Find quick wins that you can chain together into larger ones
“Fight the battles you can win” – Sun Tzu
Habit VIII: Execution
This may seem obvious, but you need to execute on your plans
Because security is so dependent on others, it’s easy to develop plans which are never executed…and place the blame on others
We also often spend months, or even years, of hard effort selling our ideas. Once others finally become bought-in, it can feel like the hard work is done
If you have a history of struggling with execution, others will not want to support new projects…no matter how significant the vulnerability you are addressing
Have a plan, and execute, execute, execute
Putting it into action
Security managers who move from simply identifying problems to achieving concrete results typically follow these steps:
Once you have buy-in to security projects, have laser-focus on execution…you may not get a second chance to try it
Security does not make your company money. If a project stumbles or impacts the bottom line negatively, it’s easy to pull it out
Partner with others, but take responsibility for execution
Have a plan, follow it, measure your progress
Use a project manager if you can
You don’t know what you can get away with until you try it
Habit IX: Walk the Talk
In security it’s easy to feel we’re an exception to some of the rules
In some cases, we may actually need to be
As the “policeman” you must hold yourself to a higher standard, because there’s often no one else to hold you accountable
Follow the policies you set, or expect others to follow your lead in ignoring them
You must lead by example, do not diminish your authority by disrespecting your rules
Putting it into action
Maintain as few exceptions as possible, and be sure you have a strong justification for each
Cracked down on admin rights? Give thought to where you really need your own
Pushing standard server builds? Don’t maintain a security system with a “special” build because you don’t trust your server teams, or feel your requirements are unique
Follow any policies you’ve set to a T, and do so visibly
Habit X: Self-Reflection
In security we are often perfectionists…accepting failures can be a very difficult thing
Reality is, we will have them
Without awareness of your own strengths and weaknesses you will fail to meet your own potential, and continue to be stymied by the same obstacles
The most important person for you to manage effectively is yourself. To grow personally and professionally you need to know yourself before you can help others.
“Know the enemy and know yourself and you will never be defeated” – Sun Tzu
Putting it into action
Self-reflection is a challenge. Effective managers follow these steps, repeat them often, and are not discouraged when they stumble along the way:
Put a lot of thought into identifying your own areas of weakness
Have a plan for improving these
These will be iterative improvements over time, not one-time things
More about the journey than the destination…you will stumble along the way
Work with a mentor
You need a second opinion on what your areas of weakness are
You also want someone to keep you honest in how you’re progressing
The Ten Habits
Listening
Positivity
Know Your Stakeholders
Service
Just Say Maybe
Don’t be the Smartest Guy in the Room
Keep it Simple
Execution
Walk the Talk
Self-Reflection
References
You Don’t Need a Title to Be a Leader – Mark Sanborn
Five Temptations of a CEO – Patrick M. Lencioni
The Art of War for Managers – Gerald Michaelson / Sun Tzu
The Sandler Sales Method – David H. Sandler
How to Win Friends and Influence People – Dale Carnegie
Seven Habits of Highly Effective People – Stephen Covey
The Fifth Discipline – Peter Senge
Leading Change – John Kotter
The Servant – James Hunter
The New Leader’s 100-Day Action Plan – George Bradt
Good To Great – Jim Collins
Crucial Conversations – Kerry Patterson
Contact Info
Chris [email protected] Twitter: @ChrisClymer
Jack [email protected] Twitter: @Jack0lope