The Security Leader’s Guide to Excellence by Steve Hunt
The path from security manager to respected executive is perilous. Some never make it. However, any manager who demonstrates consistent cleverness and understanding of the business, will generally grow in rank and influence. There are many ways to show this savvy. Some security professionals are adept at law enforcement and investigations; others are more political, with relationships among executives; some have excellent presentation skills.
In my 30 years in the security industry, with the last 15 focused on mentoring security and technology leaders, I’ve found that savvy has a practical application. The security manager with the most well-run business unit usually has the most influence.
These 5 “savvy” skills are the building blocks to executive leadership, but don’t come naturally to most people. In fact, business schools don’t explicitly teach them. Neither do security training courses. They are skills developed by trial and error by the greatest leaders and summarized and organized for security leaders here.
Skill 1 Set Clear Positive Goals
You’ve heard it I’m sure. You ask a security professional to explain the value of security, and they’ll often say something like, “Well, just think of all the bad things that would happen if we didn’t do it.” It comes with the profession, this idea that security is about keeping bad things from happening. Trouble is, if that’s the main metric, success cannot be measured.
In security, positive goals are valuable tools in the leader’s toolbox for creating an excellent security operation and for being recognized as a leader. Your peers in the security profession don’t usually set positive goals. Most prefer negative goals. “We need to have fewer breaches, no PII (personally identifiable information) lost, lower costs, no bad press about security,” etc.
Positive goals take you forward. Higher. When senior executives and board members ask you about your goals, be sure you tell them goals that make the business better, more agile, or stronger, such as measurably improved response times, happier employees, or passed audits.
The very best and most resilient companies boast goals like: Be “Always Audit-Ready”
I believe this one goal, in particular, is one of the best a security leader can have. Being continually ready for any audit or assessment means you are proud of your operation and ready for scrutiny. And since audits are snapshots of a moment in time and are usually out-of-date the next day, having an “always audit-ready” stance means your operation is continually adapting, continually learning, continually improving.
Perhaps you are wondering why I don’t suggest a goal such as “Be always security-incident-ready.” Two reasons. A security incident is a type of audit. A test of the quality of your operation. So is every inquiry by an internal or external assessor. So, Audit seems to be the better word. Second, the four fundamental categories of security (see Comments below include one that answers the important questions of “What’s happening?” and “Is it working?” Therefore, Audit again seems to be the best word. But what do you think? Let me know in the comments below.
Want to read more?
Grab my newest eBook on Security Leadership. Simply drop me an email to firstname.lastname@example.org. I’ll send it right away. Let’s Improve Security — Together!
Steve Hunt is an executive strategist who is passionate about mentoring the next generation of security leaders. He served on the ISSA International Board of Directors, has served as a judge at RSA, founded the Communities of Excellence, was inducted into the ISSA Hall of Fame, and CSO Magazine presented him with the “Industry Visionary” Compass Award. Steve is a popular speaker at business and security conferences around the world. He also appeared as an analyst on CNBC, Fox News, CNN, and other news programs. His analysis has appeared in the Financial Times, Wall Street Journal, The New York Times, Business Week, and other global publications and trade magazines. Steve attended Elizabethtown College and was a graduate fellow at the University of Chicago. Steve’s diverse background lends a fresh perspective on business and society.