Make everyone involved
You need everyone’s perspective. To build a robust security program that actually solves your organisation’s problems, you need the questions and insights of other employees.
Sometimes we’re not even aware that employees use a specific tool, so we have no way of protecting them. You need to talk to people and encourage a culture of communication, so people know how important it is to keep you in the loop about new tools and processes. You also need data from their systems and the ability to tweak configurations, which you can’t do if you don’t even know these exist.
It’s a Sisyphean task to try to tackle the safety of the whole organisation on your own. Why would you even want to do that when you have people around you eager to lend a helping hand, if you just ask for it?
Stay humble, no matter what
Everyone needs help now and then. If you don’t respect the problems of others and you don’t apply a dose of humility in all interactions, how do you expect others to support you? Most of the time, you get what you give, and that’s for a good reason.
You must first give something of yourself, and only then can you ask for something in return. Each time you catch yourself acting cocky, think how you would feel if you were in the other person’s shoes. Would you like to collaborate with a person who acts the way you act?
I’ve seen it countless times: people behave like complete jerks to more junior people, but when it happens that “THE PRO” doesn’t know something, it’s all good and everyone should drop everything and jump in to help.
The world doesn’t work that way. Be humble, be grateful and always give more than you wish to receive in return.
Value their time over yours
Put in the work before you ask others to do so — that’s how leaders inspire people to action. They set an example by putting in the work, not by throwing the requests around and abusing their position of authority.
Debug the stuff yourself whenever you can. It’ll show coworkers that you care, and you don’t drop work on their head in a rush so that you can get away with doing less.
Before you delegate, rethink if it should indeed be delegated, because you want to delegate as much as possible, but not more than necessary.
Also, don’t let delegation come at the cost of the company’s growth. If something is time-pressing and you know you can deliver it much faster, then do yourself and others a favor and do it yourself.
You need to master the art of delegation, but I’ve covered that in previous chapters, so this time focus on how much you can actually do yourself without bothering others.
Create a culture of appreciation
You really want people to believe and feel that they matter. Everyone wants to feel safe and empowered at the workplace, so don’t shy away from giving people feedback. It’s not only about positive feedback; you need to work out a way to talk with people about the ugly stuff as well.
Most conflicts after discussions aren’t born because of negative feedback itself, but the way that feedback is given.
Conflicts arise because of improper and incompetent communication, so always over-communicate and don’t let other people misunderstand you.
Don’t be simple in your speech, just be impossible to be misunderstood.
Trust comes from care, and care comes from the honest relationship you should have been building with another person since the day you met them. Actions speak louder than words, and no one is going to expose their vulnerabilities in front of you just because you’ve told them “hey, trust me, be open and honest”. It doesn’t work that way, so don’t even bother, because such wishful thinking will only put people in an uncomfortable situation.
Uncomfortable is the enemy of safe, and if you demonstrate a lack of that knowledge, you’re not building trust in your leadership competence and goodwill.
Don’t take good results for granted
If you appreciate speed as much as I do, you likely make the same mistake I’ve been making for a long time, which is taking the goodwill of others for granted. When you move fast and want to make a difference, you create a narrative for yourself and keep telling yourself stories about how the world is and how it should be. People are different, and you should keep reminding yourself that not all people share your passion, let alone your mission.
Very often, it’s not the business of coworkers to spend extra time at work or invest their personal time to learn and do security. We should always appreciate when someone goes the extra mile and does something great, especially when they were not expected to do it. This varies between corporate cultures, but you must accept that some people are at the workplace to do their 9–5, staying in line with the job description they read when applying for the job, and that’s TOTALLY FINE.
One thing that we all have in common, though, is that we love to be praised and called out for our achievements, so whenever you get a chance to do that, do it without hesitation.
It truly can work miracles. You can use it to shape a culture in which people go the extra mile just for that bit of appreciation from your side.
So do it. Be a good citizen and spread positivity around you, because it costs you very little and can have a huge ROI.
Avoid myopic decisions to save your reputation
People will understand when you make a mistake, they really will. We all make mistakes, and that’s really not a thing that should bother you a bit. The anxiety of your coworkers kicks in when your ego doesn’t let you admit you’ve messed up.
Be humble enough to acknowledge what happened, do a solid Root Cause Analysis to learn from the failure, and move on.
Don’t be so stubborn in keeping the poker face, because nothing frustrates people more than a know-it-all person who’s taking “fake it till you make it” to the extreme. There is no need to let your ego play you like a puppet, because people are smart and, sooner or later, will figure you out. Your credibility decreases with each lie you try to sell to your team, and credibility is all we’ve got as leaders.
People love it when you stay in line and back up the decisions you made in the past. We all make mistakes and it doesn’t make any sense to spend any time worrying about it.
We will always be smarter when looking back at the decisions we made. Just spend a bit of time reflecting on what could be done better and move forward. I encourage you to follow this advice in both your personal and professional life.
However, we must realize that acting with integrity puts you in a position of authority, because people love to secretly look up to individuals of high integrity.
If you need to change the direction of your action plan, clearly explain your reasons, so people understand your “why”. You must take extreme ownership and show that you indeed have all the knowledge and grit necessary to lead them, and that the failure you experienced was a calculated risk.
In general, just don’t jump from one idea to another, but build a solid security roadmap for the next 2–4 years and stick to it, adjusting only the minor items along the way.
If you do that, if you take ownership of your guidance and create a strategy which makes people feel safe under your leadership, you’ll be just fine.
Don’t let stress and short-sightedness slow your company down
If you push people to get stuff done for the sake of getting it done, you’re not building anything for long-term success.
Review your emails from the past few weeks, and if you notice too many messages along the lines of “Fix this now, it’s important!”, stop for a while and give it a second thought. Whether everything or anything is important is decided by the context of a given situation. Something important to you may not be important to others, and when you send too many messages emphasizing what’s important and what’s not, you’re messing around with people’s priorities. If you rewire their personal definitions, you’re not only leaving their work schedule skewed, you also create confusion in your organisation, because now people cannot differentiate between urgent and important. You don’t know what they’re doing, you don’t know the situation they’re in at the moment, so enforcing your narrative on them brings no good to anyone. You’re missing the Big Picture, and Big Picture Perspective is all that matters while managing the problems in our lives.
I encourage you to try to move to an approach of “Let’s come up with a solution to fix this now and prevent us from making the same mistake in the future”.
It’s also not wise to expect urgency from people and then be surprised that the important work isn’t getting completed. Create a sense of urgency on important items, so you don’t keep coming back to the exact same issues all over again.
Think about security culture as if it were a car that must be fully functional for the next 5 years after your kid inherits it from you. You care about your kid’s health and good experience, so you think long term when using your car. You don’t do anything crazy and you avoid collisions that could weaken the car’s parts and so endanger your child, who’ll be driving it after you.
The same concepts apply to security culture, because there will be people inheriting it from you (other security PROS) and there are people who trust that they can have a safe trip with you (coworkers).
Make sure you don’t discourage people by taking them on crazy initiatives. A short-term improvement of security posture with a risk of exposing people to negative experiences and feelings really isn’t worth it. Even if you’re not planning to stick with an organization for a long time, don’t make life harder for the InfoSec fellow who’ll be hired after you. Be empathetic not only to your coworkers, but to any person that may interact with your work in the future. You know how it feels when you need to refactor spaghetti code or infrastructure, right? Now multiply the effort by 10, and you’ll get a feeling for how hard it is to recover an organisation that had a negative and indifferent security PRO.
Become a lifelong learner
I would be nothing if it wasn’t for great people who’ve invested their time into writing books describing their life stories. I can’t even reasonably measure how much I’ve transformed my life and career by learning from the experience of the greatest.
Consuming books, articles and other materials on leadership, people management and general HR is essential for the success of security initiatives, or any initiatives that touch people for that matter.
If you want to spread security culture across all of the company’s departments, you must possess a wide range of qualities and skills. You need to be a great generalist who knows how to find flaws in various systems and processes, but also how to manage small talk with your coworkers.
We tend to underrate the value of chit-chat and we don’t put enough effort into converting random small talk into something of actual value. It’s those small things that together create what we later call a culture. It’s not about dull policies, processes and extravagant speeches made by the CEO. It’s about how the work we put in every single day contributes to the bigger picture.
Most of us have an internal urge to kick asses thanks to our technical knowledge, but when it comes to managing security across the entire organization, social skills are at the top of the requirements. Every single one of us, even those of us who work in highly technical roles, should enhance our social abilities, because if you really look at it, you’ll see how bad we are at it and how little we care about developing it. You really should pick up a good read on leadership, because every single one of us participates in something greater, and you can’t delegate all social interactions to your manager.
Not for long at least.
Go the extra mile
Extraordinary results are born when people do more than they’re expected to. It doesn’t mean you should be staying late and working till you’re completely exhausted. It means that when you’re already working, you pay attention to what you do and put some heart into it. Be nice to other people, and think about how to deliver great work.
If you’re working anyways, why not work on something meaningful in a way that makes you proud of yourself?
The game that never ends
A great security culture takes years of hard work to establish and a lot of work to maintain in good shape.
Working with every single employee may seem like scaling the unscalable, but it can have great results if done right. Simply put, you’re making everyone a guardian of the safety of your organization. You won’t ever be able to hire enough security engineers to keep watching what employees do, but you can make employees themselves more alert to potential dangers. When people are smart about security, they make fewer mistakes, which allows you to decrease the number of required InfoSec employees.
I know it costs a lot of time, but perceiving this as an investment in your personal satisfaction really makes a difference. You’re building yourself a tribe of people who’ll support you going forward, and having people behind you is a great motivation to do even better work. You, like every one of us, will face tough times once in a while, and legitimate motivation and positive feedback from your mates will be essential to get through them.
By being a friendly and practical security professional you can make a lot of valuable and great connections, because the people you worked with will remember you during their future ventures. And everyone these days is looking to hire great InfoSec professionals, so you can make no mistake by creating meaningful and long-lasting relationships.
Now it’s all up to you…
I hope that the suggestions you’ve just read will help you make the process easier and enable you to be a bit more effective. I wish this to you with all my heart, I really do.
We need you to lead your organization and inspire other professionals to deliver great results. The people with whom you work will at some point leave for other organizations and spread the goodness and knowledge you instilled in them. That’s how you change the world for the better: you influence your local social circle, who influence their local circles, and it spreads like a good virus. An antidote to chaos, let’s call it.
We are the average of the few closest people around us. So be a good person, to increase the chances of someone else evolving into a greater human being by having you by their side in life.
This is the last chapter of my Effective Management Series vol.1, which I’ve been writing for almost 2 years now.
I’m now going to review all of my chapters, include your comments and extend my chapters based on the discussions we’ve had in the meantime.
Once that’s done, the whole piece will be released as a free ebook titled — “Social Skills For InfoSec Professionals: A Handbook For Those Who Want To Lead And Manage Effectively”
All the best wishes and keeping my fingers crossed for you.