One of the recent things I've sat back and thought about is the dramatic impact "Play" has in our workspace. Specifically, when engineers are tasked to work the concept of "Play" or fun has a much different meaning than in other work cultures. The ability to derive "play" or "fun" from the work activity itself is bound to the overall ability to technically solution something. When these things are removed even the overall accomplishments of the team fall to the wayside and the individual is left with a sense of loss of identity. More to the point, their identity and value are comingled into the ability to produce technical solutions.
As managers of information security organizations our main task is to secure the enterprise. The combines a couple of things. First and formost, what is the overall risk areas of the enterprise and what are our solutions. Second, how do we prioritize those risk areas with our management constraints that are placed upon us? i.e. capex/opex funding, labor capability, labor skill sets, political headwinds, threat vectors, etc. To this, the focus or priority of "Play", in this context, takes a significant back seat. Most notably as we drive to a vendor solutioning that takes the "Play" completely out of the picture.
In thinking this through I believe there can be a balance. We can have key projects that will allow for the "Play" which will entice overall technical identity as well as provide appropriate solutioning. In addition we can do this in concert with our vendor or non technical governance models we put in place. Instead of having it be a afterthought or "Pet project", which never really works, we need to make it a core function of how we manage the risks to solution process. In both raising the bar of the identity of the team and bringing that "fun" to the culture.