Management is doing things right; leadership is doing the right things. ~Peter Drucker
Leadership. It’s talked about a lot in today’s information security conferences and books â€“ but how much of it is really happening?
Do we, as professionals, really embrace leadership and its inherent risks, rewards, and challenges?Â Or, on the other hand, do we really embrace the status quo with its inherent frustration, ennui, and demotivating drag?
Don’t get me wrong â€“ leadership in any field is hard. I’ve led teams that have done such diverse missions as application development to firefighting to deploying the varied weapon systems in platoon of main battle tanks…and I have come the believe that effectively leading teams in today’s information security environment is one of the most difficult tasks I’ve ever taken on. As I look back, around, and forward I’ve made a few conclusions.
Too much focus on the status quo
I wish I had a nickel for every time I heard a â€œleaderâ€ describe a â€œgood dayâ€ as one where nothing went wrong, nothing broke, and (truth be told) nobody even noticed she or her team were there.
I think because for so long the business has seen information security as the â€œDepartment of ‘No!’â€ that any time we fly above the radar we get smacked â€“ or at least that’s the fear. If the systems run today just like they ran yesterday we call that a win and hope that they’ll work tomorrow just the same way.
This primal desire for the status quo is one of the most significant issues that chains down information security leaders today and it’s a topic I’ll address in more detail later â€“ but suffice is to say that the status quo is rarely, if ever, the ally of a successful leader.
Insane focus on a small group of miracle workers
We have developed an almost unnatural dependence in information security on the work and thinking of small groups over very smart people. We rely on that small cadre of â€œgo-toâ€ guys to design and build our systems, respond to incidents, and help develop policies and procedures â€“ but we rarely leverage that small group of folks to develop larger and larger teams of security oriented co-workers.
Whether we realize it or not we begin to live in a cultural echo chamber where everyone listens to the same presentations at the same conferences, reads the same blog post, and anyone who dares speak out against the conventional wisdom for any reason is suspect…
The Status Quo of the Mojo
The last major impediment I’ve seen is a synthesis of the first two. When you combine an overvaluing of the status quo with an over-dependence on small groups the almost inevitable outcome of a culture of â€œPlease $DIETY, don’t let me screw this up!â€
Leaders and their teams become so averse to anything negative (especially if it’s outside the accepted norms of the team) that the goal of the team slowly and immutably transforms from providing the best security for the organization to a goal of not wanting to be caught screwing anything up. This fear (and that’s what it is) leads teams to fall into the trap of wanting to build systems that are â€œperfectâ€ and â€œunhackableâ€ and resisting efforts to design or implement systems that don’t meet these standards.
The natural progression of this fear eventually leads to leaders and teams developing and attitude that is occasionally indistinguishable from despair. You’ll hear or read comments like â€œWhy should I deploy $SecurityTechnology? HD Moore could hack it in 5 minutes. Rsnake could get root and own me 25 ways from Sunday.â€
Rarely will the speaker or writer of such comments even seem to evaluate whether or not $SecurityTechnology will actually help the organization as part of a complete security plan. Defeat, as the philosopher said, is complete even before a shot is fired.
What can we do about it?
For the next dozen or so posts I’m going to address these issues head on and provide you with a (potentially) counter-cultural view of your role as a leader and hopefully challenge you to rise the amazing challenges we face today in information security.
The light you see coming at you â€“ itâ€™s not a train. Trust me.
What are your leadership goals for 2010? Share you challenges and successes in the commentsâ€¦