Security Leadership - A Brief Introspective

When I introspect myself as a leader, it's often because I've had a flash of doubt. In other words, I sometimes wonder if I made the right call on any given topic during especially stressful times. And through the course of self-analysis, I am often reminded of Ray Dalio and reflect on what makes me tick as a leader.


I've actually gone down the path of writing my own 'Principles' before, so I'll only abridge the concepts relevant to this post here (lucky you!). I'm a process guy that thrives in the company of good people. I initially believed this came from university, wherein team delivery was key and I was focused on business process engineering and automation during my final year. However, when exploring that idea I found patterns of obsessive-compulsiveness in my hobbies and interests as well - so I couldn't attribute it all to training per se. And sparing you from my own far-reaching self-psychoanalysis, I'll simply say that I'm in constant pursuit of an unattainable lasting that I have as much time as needed to enjoy the simple pleasure of the moment.


So what does this have to do with Security Leadership? More often than not, I find my operational peers to be extremely technically focused. So as a people and process person, I'm typically at odds with said peers. That's not to say that I'm not technically competent, I'm just not comfortable asking an engineer to step aside so that I can correct the flawed line of source code, running config, FW policy, or ACL at the drop. My peers however, not necessarily those immediate to me, largely believe this is a functional must-have. And interestingly, one that I am often presented with, directly and indirectly, at least once a month.


Information Security was begotten by Information Technology. So naturally, most leaders expect CISOs to be nearly entirely technically driven. Arguably, this works – if it isn't outright required – when you operate in organizations like Google, Facebook, or Yahoo! Beyond the Technology sector though, the balance between people, process, and technology is critical to success. Consider Retail, an industry sector largely built on brick and mortar and Loss Prevention. Here, Information Security cannot be driven without understanding the Store Operations and employees in the field. With approximately >90% of retailers not technically driven, many of which are prone to compromise by the phish/spam campaigns that the Finance and Technology sectors identified several years ago, success in Retail requires a strong people and process focus in order to maximize the benefits of technology. Recent breaches in the sector only stress the need for balanced people, process, and technology capabilities.


So to simplify, my view is that Security Leaders must have strong capabilities in the following domains:


(a) People – to communicate, educate, and motivate their superiors, peers, and subordinates effectively; customers, partners, and employees are always the first line of defense;

(b) Process – as it relates to the business and what it does, managing Information Security itself as a business, and maintaining controls consistency to minimize human error risk; and,

(c) Technology – to effectively identify, qualify, and remediate threats holistically across cloud/mobile connected enterprises in an ever-changing technical landscape.


So when these flashes occur, I remember that I'm here because I chose to be, and make a call based on the people, process, and technology information I have in hand. And if my assessment of the situation isn't right, I can course correct with my team the next day. Most of the time though, it's simply that everyone else hasn't caught up with me. ;)