I met Kenneth G. Hartman at a security event in Madison a few years ago and we’ve stayed in touch. I’m impressed with his creative approach to security as well as life, and he’s definitely provided great input for this site. Ken also jumped at the opportunity to write a guest post, and it’s fantastic! – Ted
If you always do what you have always done, you will always get what you have always gotten
Recently, I was leading the information security program for a Cloud Hosting and Managed Service Provider. We were under a tight deadline to achieve ISO 27001 Certification for our information security management system to meet contractual commitments to an important customer that was looking to grow their business with my company. When a company implements ISO 27001 properly, the process is a transformative experience that facilitates top-down engagement in information security management and sets up a framework to improve the maturity of a security program. However, as the days ticked by, I had an increasing realization that we needed to kick it up a quantum level. As the old saying goes, “if you always do what you have always done, you will always get what you have always gotten.”
A leadership vacuum is an indication that you need to step up and lead. Don’t wait for permission!
At the time, I was frustrated that some basic security measures were not in place. Initially, I wanted to blame someone—my predecessor, my boss, the bureaucracy, anyone or anything. Then it occurred to me that if changes were going to be made, it would have to be a result of my instigation. As I see it, a leadership vacuum is an indication that you need to step up and lead. Don’t wait for permission.
As an avid reader of books on business leadership, I recalled reading about how Robert Townsend, the former CEO of Avis, used to carry around a resignation letter in his pocket in case someone had an issue with his efforts at slashing company red tape. I may have been a bit too dramatic, but I started telling people that my job was on the line over this ISO 27001 certification.
Damn it…we are going to be like the Blues Brothers…We are on a mission from God!
I called my InfoSec team together and told them that things were about to change. “From now on, when we are right, we are not going to take no for an answer. Either the company is serious about this certification or they are not. Either they are serious about protecting customer trust or they are not.” I said, “Damn it…we are going to be like the Blues Brothers…We are on a mission from God!”
At the time, I did not know how powerful the Blues Brothers metaphor would be for our team. All I knew was I was tired of the status quo and decided that we were going to actively engage the company according to our security improvement agenda. We started expanding our vulnerability scanning and pushing for shortened patching windows and improving our hardening—all things that are hard to argue with, but required the active participation of multiple groups beyond our InfoSec team. These conversations were not easy, but we were on a mission.
The Blues Brothers pursued their objective with gusto and panache
The Blues Brothers inspired us not only because of their mission focus, but because they pursued their objective with gusto and panache. The Blues Brothers reminded us that it was ok to have fun and not take ourselves too seriously. In security, there is a lot of “blocking and tackling,” the mundane work that has to happen so that everything runs smoothly. Suddenly, this work was not as burdensome as the team started to get a shared vision of what was possible. We started to have fun again. “We are on a mission” became our rally cry and we reminded each other of this when discussing challenges and roadblocks. We did achieve the ISO certification, by the way, and the team has an even more aggressive agenda for this year. I have since taken a job at Google, but I know that I have given the team a new perspective on how to think about their careers as InfoSec Rock Stars, and that is Blues Brothers style.
Why not aspire to be an InfoSec Rock Star where you are?
Not everyone is going to be a Security Consultant Rock Star, but why not aspire to be an InfoSec Rock Star where you are? In a corporate job, it is easy to become complacent. That is my biggest fear. Companies need leaders at all levels, but many will settle for folks that just show up. One of my favorite quotations is “the only job security is excellence.” If you are excellent, you will always be able to find work. Be excellent and then use that job security to push the organization past the status quo. Create a mandate; your company will thank you.
“Do cool shit every day, or die trying!”
In his book “Brand You,” Tom Peters posed the rhetorical question of how to become excellent, and his response was “stop doing non-excellent stuff!” He actually went on to say “do cool shit every day, or die trying!” To me, that is the rock star way. If you do not have any epic war stories, go make some…Damn it 🙂