Security Is A Team Sport

Like my strategy class, I went into “Managerial Leadership & Productivity” completely blind. The course description helped little; it mentioned “organizational behavior and human motivation in the workplace”.

Seven weeks later: The textbook is “Developing Management Skills” by David Whetten and Kim Cameron. You know how people keep saying security needs “people skills”? Read this.

My biggest takeaway: It really explains a lot about why I did or didn’t like previous managers. It also gave me concrete steps I can take to improve in this area, beyond the class itself, which is amazing. I’ve been looking for exactly this information.

Based on thoroughly cited research, the book groups 10 core skills into three major groups: personal, interpersonal, and groups.

First category: Personal skills. This covers “Developing Self-Awareness”, “Managing Stress and Well-Being”, and “Solving Problems Analytically and Creatively”.

Self-awareness involves taking a long, hard look at yourself. The aim is to identify your own core values, underlying personality attributes, cognitive style, attitude toward change, and emotional intelligence. It’s harder than you think; it’s not about Myers-Briggs or any of the other various personality tests. The “big 5” personality attributes are extroversion, agreeableness, conscientiousness, neuroticism, and openness. We’re all different on those, because, well, we all have distinct personalities. This doesn’t mean that you have to be an open, agreeable extrovert to be successful in life; it’s more about being self-aware. How tolerant of ambiguity are you? Do you feel in control of your life? How do you gather and process information? The answers to these affect your working style and the type of workplace you’ll feel comfortable in.

Or: Go to therapy, people.

Next up at bat, our friend stress. It’s not just the recent surge in Mental Health conference tracks and talks and conference-sponsored 12-step meetings. If you do not learn how to sleep at night or how to cope, you will burn out.

Security work — especially incident response, our digital first responders — will eat you alive if you let it.

Stress comes in four flavors. Time stress is being overloaded, constantly. Combat this with ruthless time management; even for us neuro-spicy brains, find something. Encounter stressors are fighting with managers for budget, pushing for the business to do even the smallest security task, begging for patching and MFA. Combat this with building community and having a sense of empathy. Situational stress is unfavorable working conditions with a side of rapid change. Again, even for us neuro-spicy types: find your niche, don’t be a generalist. Anticipatory stressors are garden-variety anxiety. Depending on your brain chemistry, this may mean prescription drugs. Talk to a doctor.

Deal with your past/present traumas and handle your triggers while you keep the job from eating you alive. Learn to deal with life in a way that isn’t self-destructive. Yes, I know the world sucks. Go. To. Therapy.

Finally, creativity. Being too curious for our own good is the undercurrent that brings us together, so you’re probably pretty good at creative problem solving. It’s still worth confronting any biases that you may have. Understand the problem, brainstorm answers, rack and stack options, pick one and implement. In a broader business sense, you want to find that unique value proposition to outshine the competition. Creativity also comes in four flavours: Imagination, Incubation, Improvement, and Investment.

Or: Building trust and continuous improvement is just as valuable as being new or being first.

Interpersonal skills features: “Building Relationships by Communicating Supportively”, “Gaining Power and Influence”, “Motivating Performance”, and “Negotiating and Resolving Conflict”.

Security has to build relationships with the business. We do that by being respectful, helping each other, trusting each other, and having a sense of humor. We humans have more in common than we do apart and we’d do well to remember that.

Be honest with each other. Focus on the problem. Collaborate. Own your part of it.

The chapter on power and influence starts with a warning we all know well: Respect the privacy of others. Think before you type. With great power comes great responsibility.

A harsh truth is that being a subject matter expert is only part of being able to influence others. Personal grooming matters. Being likeable matters. Engaging in society matters. Being dependable matters — just don’t overcommit and burn out. It’s ok to let the change be the boss’s idea — being the stubborn asshole will not get you more resources. Being visible to leadership matters.

Influence and power are different. All influential people have power, but the reverse is not true. The three basic influence strategies are forcing people, helping people, or presenting facts. Want to pitch your great idea up to senior leaders? Know your audience, come with a solution to the problem, and present your case succinctly.

If you want resources and a budget for security, you need to influence the business leaders.

Chances are, once we have successfully convinced the business to stop clicking on suspect links, we have to motivate them to continue to behave securely. The performance we want depends on our expectations, what the business is capable of, and sufficient motivation. That also means our performance goals have to be SMART goals. Feedback matters a lot: security needs to tell the business what it’s doing right, and what it can improve — and that’s true from the boardroom to an end-user taking part in a phishing test.

We must teach the business folks. Treat them with respect when you do; they’re smart people, they just don’t know what we know about security.

Goals and training capitalize on motivation to drive performance. Proper reinforcement turns performance into outcomes. Properly rewarded, outcomes turn into satisfaction, which feeds back to motivation. Alternatively, humans are monkeys performing tricks for food.

Naturally, along the way, we’re going to lock horns. We’re going to disagree about the likelihood of a particular threat. After all, security is a Cassandra, cursed to speak truth but never believed. We need to find a Zone of Possible Agreement and agree on The Best Alternative to a Negotiated Agreement (Actual Technical Terms).

How can Security help Business get what they need? To stay ahead of the other campers and not experience a major public cyber incident. What are our shared goals? To continue to operate. How can we evaluate alternatives? Be reasonable here; do not let the perfect become the enemy of the good. What does success look like in gains? Less risk to the business, more trips around the sun, peaceful existence. Maybe an un-ironic Live-Love-Laugh wall decal.

Be creative. Remember, Security isn’t always going to be the biggest business risk, or the #1 priority.

Part three: “Empowering and Engaging Others”, “Building Effective Teams and Teamwork”, “Leading Positive Change”.

If we make the Business want to engage positively with Security, that matches with our mutual need for Better Security. Be excited about helping them Do Business Better. The first time you walked, ran, rode a bike, swam; these are all moments we have, right? In this analogy, Security is the adults. Empower users to feel confident in their abilities to learn what on earth we’re on about this week. Celebrate small wins; demonstrate the right thing to do, all the time. Connect to something important to them, whatever that is. We want to build confidence, not name-and-shame. Provide a safe place for the Business.

Security has to be a Team Player. Face it: We’re the new seat at the table, the new kid in school. We need to make friends with the other kids. Beware of the honeymoon phase when everyone is getting along; we need to have some conflict. Relationships without arguing are boring, right? The cool part is when the team is humming along, doing amazing things, and everything is awesome. It’s the difference between regular goals and crazy Let’s Climb Mount Everest goals. The two big keys to being a team player are staying on task and relationship building.

I know security feels like a Sisyphean task — but maybe it doesn’t have to be.

Finally, having done all that work to get to a good place, where do we go from here? The workplace is a tranquil garden of compassion, forgiveness, and gratitude. How do we sustain that? A vision of a lasting legacy, ideally attached to some kind of symbol. Think Walt Disney, or Apple, or even Katniss Everdeen as the Mockingbird. These things get buy-in and commitment, which creates irreversible momentum.

Remember, this is a journey WITH the business, not a UFC match against the business.

I’m not saying any of this will be easy. I just think that it’s within our power as security professionals to bridge the divide between us and the business.
