Jeff Bardin (a chief intelligence officer with 27 years' experience in the security game, currently working for Treadstone 71 in Washington D.C.) says we are not being fair to CISOs:
“It’s a constant battle against traditional culture, it’s a battle where they (other staff) see you as a person of ‘No’ — and that’s not true, it’s, ‘Yes, but this way.’”
An alternative take on current security leadership culture:
Security heads have traditionally been treated a lot like premiership football managers (be they player managers, retired players, or career managers moved sideways into the role). Reasons for success (and failure) are still mainly a thing of myth and conjecture. They are sacked on the strength of a high-profile loss, even when performance is incrementally improving.
Charisma and a high profile help, but only 5 things are certain.
- The team has to have the potential and means to meet expectations
- Managing those expectations takes someone who can win team, board, sponsor, shareholder and fan (user/customer) hearts and minds.
- Set expectations too high and you won’t last long
- Losses will happen. Even for the very best teams. Maybe not this season or next, but they will come. It might be loss of key players, lack of budget and foresight to sign or develop new talent, disastrous screw ups on the pitch, or just coming up against better opponents. Only the folk who know the game and have the trust of key stakeholders will weather that storm.
- The ones that get results will get headhunted. Personally/financially undervalue them, ignore them, scapegoat them for incidents they couldn’t reasonably have prevented and they’ll be gone.
Now, in the high profile era of ‘Cyber’, CISOs are increasingly members of the board. Life is still precarious, they still answer to the owner (CIO/CTO), but more can be influenced. Where we’re not yet (in most companies) is CISOs owning teams.
How many managers/directors can really influence the FA? They’re the custodians of the brand, making overarching decisions to ensure its ongoing health, wealth and reputation. Only the owners of the top earning outfits can really nudge the direction chosen. Priority revenue earning divisions are your Chelsea or Man City. Security is more like my team – Norwich. Sometimes flying high, but more often than not clinging to the bottom rungs, or dropping out of sight.
Well…until there’s a high profile incident. Something that calls the game into disrepute. That will get you an invitation to the top table and some owners aren’t above scapegoating their directors or managers to save themselves. In security as in football, handling an incident is about minimising impact, investigating causes and if feasible/economic, fixing what broke. Ideally keeping that nerve (easier if response has been pre-defined and practiced), expertly managing the message, standing by the team and getting some breathing space from the board to do all that.
Please don’t misunderstand. Success, influence and managerial skill are not intrinsically tied to seniority and reporting lines. They are more closely tied to the overall organisational culture and the credibility that one is able to foster and maintain with everyone who has skin in the game. Credibility that can only be earned by knowing the game from top to bottom, having a deep understanding of what it takes to play it well and remembering you are on the same side.
And this is where the analogy ends, because I (as the gender stereotype goes) know next to nothing about football. I do however know about security, having experienced and observed it in many different contexts and at many different levels. I’ve also benefited from insights shared by a number of exceptional security leaders (in particular those thanked below).
So it’s over to you, the overwhelmingly male-dominated security crew, to pick this up. Tear apart my inexpert representation of the game if you like, but perhaps give it some thought.
Which premiership manager or board member is your security boss? Which team best represents the performance and success of your security function? How well are they respected by stakeholders? What lessons can you learn from your beautiful game to put security where it belongs, and keep a good boss in the driving seat when it really hits the fan?
Many thanks to Dave Waterson, Amar Singh, Robert Duncan, Kai Roer, Quentyn Taylor, Mo Amin, Thom Langford, Charlotte Tschieder, Rowenna Fielding, J Wolfgang Goerlich, Beau Woods and others who have helped inspire this post by sharing thought-provoking insights about security leadership.