How to Secure Things & Influence People:
10 Critical Habits of Effective Security Managers
Have you ever felt that the security problems you're faced with would be so simple to solve if only your colleagues had your perspective on them? Are you frustrated that security does not have a more prominent seat at the table?
Often times identifying security problems and developing the appropriate controls is the easiest part of the security job. Getting our peers and superiors to buy-in to those solutions and understand the risk decisions they're making is an under-appreciated but arguably much more important part of our jobs in security.
Chris and Jack will share techniques that help to turn your employees into an army of human security sensors, to get security done regardless of where it sits on the org chart, and to earn major security victories even with a meager budget and a small team. Along the way you’ll learn about the “10 Critical Habits” which we have observed effective security leaders using to achieve their goals.
3. Chris Clymer
I collaborate with my peers to identify and effectively manage risks which my company is confronted with
Architect of information security program for Swagelok
Formerly outsourced CISO for a variety of organizations while managing the Advisory Services practice at SecureState
Former board member for NEOISF & co-host of the Security Justice podcast
4. Jack Nichelson
I defend my company's competitive advantage by helping solve business problems through technology to work faster and safer.
Director of Infrastructure & Security for Chart Industries.
Executive MBA from Baldwin-Wallace University
Recognized as one of the “People Who Made a Difference in Security” by the SANS Institute and received the CSO50 award for connecting security initiatives to business value.
Adviser for Baldwin Wallace's state-winning Collegiate Cyber Defense Competition (CCDC) team.
“Solving problems is my passion”
5. Acknowledgements
Dennis Sommer, COO SecureState
Steve Hendricks, CMO RedIron
Steve Holt, CIO Chart Industries
David Hilmer, VP & CIO Graftech
Matt LoPiccolo, VP & CIO Swagelok
Chuck Norman, Sr. Mgr. Swagelok
Matt Neely, Dir. Strategy SecureState
Rich Wildermuth, Manager PWC
Craig Shular, CEO GrafTech
Tom Wojnarowski, CIO RITA
Troy Thomas, SVP Wells Fargo
Erick Asmussen, VP & CFO
Special thanks to all of the mentors who have helped us through these lessons
6. The Ten Habits
Listening
Positivity
Know Your Stakeholders
Service
Just Say Maybe
Don’t be the Smartest Guy in the Room
Keep it Simple
Execution
Walk the Talk
Self-Reflection
8. Habit I: Listening
“Listen, Learn and Then Lead”
People want to be successful, so take the time to listen, respect, be humble and then help them reach their goals.
Leading by Listening – desire to help others
High Emotional Intelligence (EQ) is key: you need to care about everyone succeeding at personal & career goals
The day people stop bringing you problems is the day you stop leading
Act decisively, be firm yet sensitive and empathetic
Your IQ got you in the door, your EQ will get you to the boardroom
9. Putting it into action
“Good Leaders Ask Great Questions”
Effective managers spend a good part of their workday listening to other people and asking good questions.
Effective listening includes a four-step process to ensure understanding:
Listen to the total message
Prove your understanding by using nonverbal signals
Use open-ended questions & probes
Paraphrase what you hear and show understanding
Don’t just say “hi”, have a more personal conversation
11. Habit II: Positivity
To motivate those around you to take action, positivity will always trump negativity
Security is often fixated on finding the negatives: missing patches, misconfigured systems. It becomes very easy to be Mr. Negativity
Security is often in a position of asking others for help, not dictating to them
Who would you rather help…someone encouraging, or discouraging?
Perpetual optimism is a force multiplier…if you provide positive energy, those around you will be willing to work much harder towards your goals
“Perpetual Optimism is a Force Multiplier” – Colin Powell
12. Putting it into action
Using positivity to achieve your security goals takes several steps:
Aim to make “heroes” not “zeroes”
Actively look for ways to encourage and help your peers
Actively avoid “beating them up” with negativity
People want to be successful, help them accomplish their personal goals
Have conversations to learn what their personal goals are
Find projects that will help them achieve these
If you have knowledge or connections that could help, share them
14. Habit III: Know Your Stakeholders
To make things that matter, you have to know what matters, so work on solving the right problems.
Security is about a lot more than just you
You are taking actions to protect assets in the stewardship of others
You are making choices which will impact the ways those around you conduct their business
No one cares what you know until you show them how much you care
15. Putting it into action
Effective managers take the time to identify stakeholders and know their pain points.
Identify stakeholders in your security program
This is anyone affected by what you are doing
Could be execs, IT, sales, marketing, manufacturing, customers…anyone
Learn what their drivers are, both personal & professional
“Know their pain”
Plan to have “The meeting before the meeting”
Meet with stakeholders individually before bringing them together for a decision.
You’ll know the decision before the real meeting even happens
17. Habit IV: Service
We often focus on the problem and forget about the customer. They will forget the problem you solved before they forget how you made them feel.
Security is a support role…your job is to help others safely do the things that make your organization productive
You cannot do this job without help
Your employees are not subjects for you to dictate rules to…they are your customers
If you treat them well, they will be your “army of human sensors”, bringing you all kinds of useful intel, and helping to enforce policies you’ve developed to protect them
18. Putting it into action
To take care of your “customers”, keep the following steps in mind:
Know who your customers are
Aim to create “stark raving fans”
Make sure they feel comfortable
Make sure they feel “heard”
Create a positive feedback loop
20. Habit V: Just Say Maybe
Effective leadership requires compromise and empathy for the other person.
Security has often been the Department of “No”
Taking a hard stance as a “cyber policeman” can seem to work…until you become perceived as an obstacle
If you are an obstacle, process will begin to be routed around you
21. Putting it into action
Don’t take a hard line on a topic before you have determined everyone's “musts” and “wants”. This approach will ensure clear communication, fair compromise and a better solution.
Identify the core requirements (Yours & Theirs)
Facilitate a Risk vs. Reward conversation to balance security
Resist the urge to be a “cyber policeman.”
Empathize with others’ problems…but still be comfortable taking a stand
Collaborate on the solution where everyone can win
It’s OK to be uncomfortable with the results
23. Habit VI: Don’t Be the Smartest Guy in the Room
To achieve results we need to build partnerships, not demonstrate knowledge
Many of us performed other IT roles before moving into security
This is often seen as a move “up”, which makes it easy to feel that you know your peers’ jobs as well as your own
We also often feel that no one is qualified to do the challenging job of security other than those of us currently charged with it
It is not your job to out-do or “call out” your peers
No one cares who came up with the idea, just that issues are solved
24. Putting it into action
To build strong partnerships with their peers, an effective manager will strive to do the following in all of their social interactions
When in a meeting, listen more than you talk
Think very hard before speaking: are you contributing to the discussion, or are you demonstrating your knowledge?
Make your goal finding the best solution for an identified problem…not convincing everyone to accept your solution unchanged
Do not be afraid to let others fail…failure drives personal growth
26. Habit VII: Keep it Simple
A quick win with a simple solution is better than holding your ground for the elegant solution. Don’t let perfect become the enemy of good.
Security is a complex field, characterized by the convergence points between many others
It is your job to deal with this complexity, and distill it into simple actions for your stakeholders
Their main job is something else…when you’re asking for their help, you want it to be as simple and frictionless as possible
Be on a mission to be results oriented
27. Putting it into action
Distill complex security problems into simple elevator pitches you can easily convey to multiple layers of your organization
Hone and practice your message, you will be repeating it often
Don’t become so invested in an elegant solution that you lose sight of the original problem
Find quick wins that you can chain together into larger ones
“Fight the battles you can win” – Sun Tzu
29. Habit VIII: Execution
Have a plan, and execute, execute, execute
This may seem obvious, but you need to execute on your plans
Because security is so dependent on others, it’s easy to develop plans which are never executed…and place the blame on others
We also often spend months, or years of long effort selling our ideas. Once others finally become bought-in, it can feel like the hard work is done
If you have a history of struggling with execution, others will not want to support new projects…no matter how significant the vulnerability you are addressing
30. Putting it into action
Security managers who move from simply identifying problems to achieving concrete results will typically follow these similar steps
Once you have buy-in to security projects, have laser-focus on execution…you may not get a second chance to try it
Security does not make your company money. If a project stumbles or impacts the bottom line negatively, it’s easy to pull it out
Partner with others, but take responsibility for execution
Have a plan, follow it, measure your progress
Use a project manager if you can
You don’t know what you can get away with until you try it
32. Habit IX: Walk the Talk
You must lead by example, do not diminish your authority by disrespecting your rules
In security it’s easy to feel we’re an exception to some of the rules
In some cases, we may actually need to be
As the “policeman” you must hold yourself to a higher standard, because there’s often no one else to hold you accountable
Follow the policies you set, or expect others to follow your lead in ignoring them
33. Putting it into action
Maintain as few exceptions as possible, and be sure you have a strong justification for each
Cracked down on admin rights? Give thought to where you really need your own
Pushing standard server builds? Don’t maintain a security system with a “special” build because you don’t trust your server teams, or feel your requirements are unique
Follow any policies you’ve set to the tee, and do so visibly
35. Habit X: Self-Reflection
The most important person for you to manage effectively is yourself. To grow personally and professionally you need to know yourself before you can help others.
In security we are often perfectionists…accepting failures can be a very difficult thing
Reality is, we will have them
Without awareness of your own strengths and weaknesses you will fail to meet your own potential, and continue to be stymied by the same obstacles
“Know the enemy and know yourself and you will never be defeated” – Sun Tzu
36. Putting it into action
Self-reflection is a challenge. Effective managers will follow these steps, repeat them often, and not be discouraged when they stumble along the way
Put a lot of thought into identifying your own areas of weakness
Have a plan for improving these
These will be iterative improvements over time, not one-time things
More about the journey than the destination…you will stumble along the way
Work with a mentor
You need a second opinion on what your areas of weakness are
You also want someone to keep you honest in how you’re progressing
38. References
You Don’t Need a Title to Be a Leader – Mark Sanborn
The Five Temptations of a CEO – Patrick M. Lencioni
The Art of War for Managers – Gerald Michaelson / Sun Tzu
The Sandler Sales Method – David H. Sandler
The Seven Habits of Highly Effective People – Stephen Covey
The Fifth Discipline – Peter Senge
Leading Change – John Kotter
The Servant – James Hunter
The New Leader’s 100-Day Action Plan – George Bradt
Good to Great – Jim Collins
Crucial Conversations – Kerry Patterson
41. Networking
No time like the present to put your soft skills to work
Say hi to your neighbor…what can they teach you about this topic?
Editor's Notes
Chris kicks off
Why are we here – as we’ve moved through our careers, we’ve found that the technical problems are less and less of the challenge, and that soft skills seem to matter much more towards overall success in security. To better understand this ourselves, and to help our peers, we’ve spent the last several months having discussions with leaders across multiple
What are our goals – to deliver 10 “habits” that we identified during a series of conversations with leaders in and out of security. This group felt that these habits all contributed greatly towards accomplishing goals
Jack takes from here
Discuss interviews over last several months, presentation is aggregated from conversations with this entire group
These are the key lessons we have learned
Jack: If there is consensus among these leaders, it is that it all comes down to listening, learning—and then leading
Story: the listener becomes the “go-to” guy.
Cheerful, approachable, actively asking how you can help and taking the time to listen to everything
Jack is always invested in the success of those around him
Story: Jack’s old CIO on the phone so jack can solve the problem
Care about people
Jack: meeting a problem head on, in a crisis your words have great impact
Small acts of positivity build
You become what you think about, people around you become what you are
Jack: developing project charter & problem statement helped better understand who stakeholders were, and what matters to them
Shift from compliance to IP (actual business assets)
Jack: HR story. Sysadmin fixes her problem, but she didn’t feel heard, and did not understand the problem or solution
Jack: dropbox
Jack
Hand off to Chris
Chris – keeping mouth shut shows win…segment plan story. “pull” not a “push”
Not “my” projects, “our” projects
Chris: vulnerability management. Sharepoint site & Nessus versus enterprise VMP
Chris: scans, laid out a plan and followed it…prepped people to expect ugly findings, scans on Sunday mornings
Change orders in
Follow-up with employee on hiccups from scans
No one took my gun away
Chris: take away your own local admin before others. “soft power”
How many of you have local admin yourself?
How many of you have passphrases?
This presentation germinated in a series of meetings with our mentors. Talking with external folks who’ve “been there before” gave tremendous perspective. Helped to see where we were falling down, and where despite resistance from our internal peers we were actually moving in the right direction. With security often being off on an island, this perspective can be hugely important.
Chris: Tri story. Needed to work on patience, picked an endurance sport, iterative improvement over time