How to Secure Things & Influence People 
10 Critical Habits of Effective Security Managers
Introduction
• Why are we here?
• What are our goals?
Chris Clymer
I collaborate with my peers to identify and effectively manage risks which my company is confronted with
• Architect of information security program for Swagelok
• Formerly outsourced CISO for a variety of organizations while managing the Advisory Services practice at SecureState
• Former board member for NEOISF & co-host of the Security Justice podcast
Jack Nichelson
I defend my company's competitive advantage by helping solve business problems through technology to work faster and safer.
• Director of Infrastructure & Security for Chart Industries.
• Executive MBA from Baldwin-Wallace University
• Recognized as one of the “People Who Made a Difference in Security” by the SANS Institute and received the CSO50 award for connecting security initiatives to business value.
• Adviser for Baldwin Wallace's state-winning Collegiate Cyber Defense Competition (CCDC) team.
“Solving Problems is my Passion”
Acknowledgements
• Dennis Sommer, COO SecureState
• Steve Hendricks, CMO RedIron
• Steve Holt, CIO Chart Industries
• David Hilmer, VP & CIO GrafTech
• Matt LoPiccolo, VP & CIO Swagelok
• Chuck Norman, Sr. Mgr. Swagelok
• Matt Neely, Dir. Strategy SecureState
• Rich Wildermuth, Manager PwC
• Craig Shular, CEO GrafTech
• Tom Wojnarowski, CIO RITA
• Troy Thomas, SVP Wells Fargo
• Erick Asmussen, VP & CFO
Special thanks to all of the mentors who have helped us through these lessons
The Ten Habits
1. Listening
2. Positivity
3. Know Your Stakeholders
4. Service
5. Just Say Maybe
6. Don't be the Smartest Guy in the Room
7. Keep it Simple
8. Execution
9. Walk the Talk
10. Self-Reflection
Habit I: Listening
Habit I: Listening
“Listen, Learn and Then Lead”
People want to be successful, so take the time to listen, respect, be humble and then help them reach their goals.
• Leading by listening: a desire to help others
• High Emotional Intelligence (EQ) is key; you need to care about everyone succeeding at personal & career goals
• The day people stop bringing you problems is the day you stop leading
• Act decisively, be firm yet sensitive and empathetic
Your IQ got you in the door, your EQ will get you to the boardroom
Putting it into action
“Good Leaders Ask Great Questions”
Effective managers spend a good part of their workday listening to other people and asking good questions. Effective listening includes a four-step process to ensure understanding:
• Listen to the total message
• Prove your understanding by using nonverbal signals
• Use open-ended questions & probes
• Paraphrase what you hear and show understanding
• Don't just say “hi”, have a more personal conversation
Habit II: Positivity
Habit II: Positivity
To motivate those around you to take action, positivity will always trump negativity
• Security is often fixated on finding the negatives: missing patches, misconfigured systems. It becomes very easy to be Mr. Negativity
• Security is often in a position of asking others for help, not dictating to them
• Who would you rather help…someone encouraging, or discouraging?
• Perpetual optimism is a force multiplier…if you provide positive energy, those around you will be willing to work much harder towards your goals
“Perpetual Optimism is a Force Multiplier” – Colin Powell
Putting it into action
Using positivity to achieve your security goals takes several steps:
• Aim to make “heroes” not “zeroes”
• Actively look for ways to encourage and help your peers
• Actively avoid “beating them up” with negativity
• People want to be successful; help them accomplish their personal goals
  • Have conversations to learn what their personal goals are
  • Find projects that will help them achieve these
  • If you have knowledge or connections that could help, share them
Habit III: Know Your Stakeholders
Habit III: Know Your Stakeholders
To make stuff that matters, you have to know what matters, so work on solving the right problems.
• Security is about a lot more than just you
• You are taking actions to protect assets in the stewardship of others
• You are making choices which will impact the ways those around you conduct their business
• No one cares what you know until you show them how much you care
Putting it into action
Effective managers take the time to identify stakeholders and know their pain points.
• Identify stakeholders in your security program
  • This is anyone affected by what you are doing
  • Could be execs, IT, sales, marketing, manufacturing, customers…anyone
• Learn what their drivers are, both personal & professional
  • “Know their pain”
• Plan to have “the meeting before the meeting”
  • Meet with stakeholders individually before bringing them together for a decision.
  • You'll know the decision before the real meeting even happens
Habit IV: Service
Habit IV: Service
We often focus on the problem and forget about the customer. They will forget the problem you solved before they forget how you made them feel.
• Security is a support role…your job is to help others safely do the things that make your organization productive
• You cannot do this job without help
• Your employees are not subjects for you to dictate rules to…they are your customers
• If you treat them well, they will be your “army of human sensors”, bringing you all kinds of useful intel, and helping to enforce policies you've developed to protect them
Putting it into action
To take care of your “customers”, keep the following steps in mind:
• Know who your customers are
• Aim to create “stark raving fans”
• Make sure they feel comfortable
• Make sure they feel “heard”
• Create a positive feedback loop
Habit V: Just Say Maybe
Habit V: Just Say Maybe
Effective leadership requires compromise and empathy for the other person.
• Security has often been the Department of “No”
• Taking a hard stance as a “cyber policeman” can seem to work…until you become perceived as an obstacle
• If you are an obstacle, process will begin to be routed around you
Putting it into action
Don't take a hard line on a topic before you have determined everyone's “musts” and “wants”. This approach will ensure clear communication, fair compromise and a better solution.
• Identify the core requirements (yours & theirs)
• Facilitate a risk vs. reward conversation to balance security
• Resist the urge to be a “cyber policeman”
• Empathize with others' problems…but still be comfortable taking a stand
• Collaborate on the solution where everyone can win
It's OK to be uncomfortable with the results
Habit VI: Don’t Be the Smartest Guy in the Room
Habit VI: Don't Be the Smartest Guy in the Room
To achieve results we need to build partnerships, not demonstrate knowledge
• Many of us performed other IT roles before moving into security
• This is often seen as a move “up”, which makes it easy to feel that you know your peers' jobs as well as your own
• We also often feel that no one is qualified to do the challenging job of security other than those of us currently charged with it
• It is not your job to out-do or “call out” your peers
• No one cares who came up with the idea, just that issues are solved
Putting it into action
To build strong partnerships with their peers, an effective manager will strive to do the following in all of their social interactions:
• When in a meeting, listen more than you talk
• Think very hard before speaking: are you contributing to the discussion, or are you demonstrating your knowledge?
• Make your goal finding the best solution for an identified problem…not convincing everyone to accept your solution unchanged
• Do not be afraid to let others fail…failure drives personal growth
Habit VII: Keep it Simple
Habit VII: Keep it Simple
A quick win with a simple solution is better than holding your ground for the elegant solution. Don't let perfect become the enemy of good.
• Security is a complex field, characterized by the convergence points between many others
• It is your job to deal with this complexity, and distill it into simple actions for your stakeholders
• Their main job is something else…when you're asking for their help, you want it to be as simple and frictionless as possible
• Be on a mission to be results-oriented
Putting it into action
• Distill complex security problems into simple elevator pitches you can easily convey to multiple layers of your organization
• Hone and practice your message; you will be repeating it often
• Don't become so invested in an elegant solution that you lose sight of the original problem
• Find quick wins that you can chain together into larger ones
“Fight the battles you can win” – Sun Tzu
Habit VIII: Execution
Habit VIII: Execution
Have a plan, and execute, execute, execute
• This may seem obvious, but you need to execute on your plans
• Because security is so dependent on others, it's easy to develop plans which are never executed…and place the blame on others
• We also often spend months or years of effort selling our ideas. Once others finally become bought in, it can feel like the hard work is done
• If you have a history of struggling with execution, others will not want to support new projects…no matter how significant the vulnerability you are addressing
Putting it into action
Security managers who move from simply identifying problems to achieving concrete results will typically follow similar steps:
• Once you have buy-in to security projects, have laser focus on execution…you may not get a second chance to try it
• Security does not make your company money. If a project stumbles or impacts the bottom line negatively, it's easy to pull it
• Partner with others, but take responsibility for execution
• Have a plan, follow it, measure your progress
• Use a project manager if you can
• You don't know what you can get away with until you try it
Habit IX: Walk the Talk
Habit IX: Walk the Talk
You must lead by example; do not diminish your authority by disrespecting your rules
• In security it's easy to feel we're an exception to some of the rules
• In some cases, we may actually need to be
• As the “policeman” you must hold yourself to a higher standard, because there's often no one else to hold you accountable
• Follow the policies you set, or expect others to follow your lead in ignoring them
Putting it into action
• Maintain as few exceptions as possible, and be sure you have a strong justification for each
• Cracked down on admin rights? Give thought to where you really need your own
• Pushing standard server builds? Don't maintain a security system with a “special” build because you don't trust your server teams, or feel your requirements are unique
• Follow any policies you've set to a T, and do so visibly
Habit X: Self-Reflection
Habit X: Self-Reflection
The most important person for you to manage effectively is yourself. To grow personally and professionally you need to know yourself before you can help others.
• In security we are often perfectionists…accepting failures can be a very difficult thing
• Reality is, we will have them
• Without awareness of your own strengths and weaknesses you will fail to meet your own potential, and continue to be stymied by the same obstacles
“Know the enemy and know yourself and you will never be defeated” – Sun Tzu
Putting it into action
Self-reflection is a challenge. Effective managers will follow these steps, repeat them often, and not be discouraged when they stumble along the way:
• Put a lot of thought into identifying your own areas of weakness
• Have a plan for improving these
  • These will be iterative improvements over time, not one-time things
  • More about the journey than the destination…you will stumble along the way
• Work with a mentor
  • You need a second opinion on what your areas of weakness are
  • You also want someone to keep you honest in how you're progressing
The Ten Habits
1. Listening
2. Positivity
3. Know Your Stakeholders
4. Service
5. Just Say Maybe
6. Don't be the Smartest Guy in the Room
7. Keep it Simple
8. Execution
9. Walk the Talk
10. Self-Reflection
References
• You Don't Need a Title to Be a Leader – Mark Sanborn
• Five Temptations of a CEO – Patrick M. Lencioni
• The Art of War for Managers – Gerald Michaelson / Sun Tzu
• The Sandler Sales Method – David H. Sandler
• Seven Habits of Highly Effective People – Stephen Covey
• The Fifth Discipline – Peter Senge
• Leading Change – John Kotter
• The Servant – James Hunter
• The New Leader's 100-Day Action Plan – George Bradt
• Good To Great – Jim Collins
• Crucial Conversations – Kerry Patterson
Contact Info 
Chris 
Chris@ChrisClymer.com 
Twitter: @ChrisClymer 
Jack 
Jack@Nichelson.net 
Twitter: @Jack0lope
Q & A
Networking
• No time like the present to put your soft skills to work
• Say hi to your neighbor…what can they teach you about this topic?

More Related Content

Similar to 10 Critical Habits of Effective Security Managers

The Security Industry: How to Survive Becoming Management BSIDESLV 2013 Keynote
The Security Industry: How to Survive Becoming Management BSIDESLV 2013 KeynoteThe Security Industry: How to Survive Becoming Management BSIDESLV 2013 Keynote
The Security Industry: How to Survive Becoming Management BSIDESLV 2013 KeynoteVeracode
 
Its not a bug it's a feature - Seattle B sides 2019
Its not a bug it's a feature - Seattle B sides 2019Its not a bug it's a feature - Seattle B sides 2019
Its not a bug it's a feature - Seattle B sides 2019Brian Harden
 
L1 1.1 10 things you need to know before doing your own qualitative research
L1 1.1  10 things you need to know before doing your own qualitative researchL1 1.1  10 things you need to know before doing your own qualitative research
L1 1.1 10 things you need to know before doing your own qualitative researchJoanna Chrzanowska
 
Super Strategy in Decision Making
Super Strategy in Decision MakingSuper Strategy in Decision Making
Super Strategy in Decision MakingMaxwell Ranasinghe
 
Program execution: an inconvenient truth!
Program execution: an inconvenient truth!Program execution: an inconvenient truth!
Program execution: an inconvenient truth!Mentor
 
Using Behavioral Science to Secure Your Organization
Using Behavioral Science to Secure Your OrganizationUsing Behavioral Science to Secure Your Organization
Using Behavioral Science to Secure Your OrganizationMasha Sedova
 
Monroes motivated sequence
Monroes motivated sequenceMonroes motivated sequence
Monroes motivated sequenceJanna Valencia
 
Monroes motivated sequence
Monroes motivated sequenceMonroes motivated sequence
Monroes motivated sequenceJanna Valencia
 
The kickstarter to measuring what matters Evanta CISO 2017
The kickstarter to measuring what matters   Evanta CISO 2017The kickstarter to measuring what matters   Evanta CISO 2017
The kickstarter to measuring what matters Evanta CISO 2017Jack Nichelson
 
Creating a results oriented culture
Creating a results oriented cultureCreating a results oriented culture
Creating a results oriented cultureJack Nichelson
 
Ultius Company Culture
Ultius Company CultureUltius Company Culture
Ultius Company CultureUltius, Inc.
 
Security social selling e book2
Security social selling e book2Security social selling e book2
Security social selling e book2NeuronLeaders
 
Seven steps to building a trusting workplace
Seven steps to building a trusting workplaceSeven steps to building a trusting workplace
Seven steps to building a trusting workplaceIdoinspire
 
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorBanning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorSandra (Sandy) Dunn
 
How to Win the Hearts and Minds of Decision Makers
How to Win the Hearts and Minds of Decision MakersHow to Win the Hearts and Minds of Decision Makers
How to Win the Hearts and Minds of Decision Makerspbehnia
 
Stuff my ciso says
Stuff my ciso saysStuff my ciso says
Stuff my ciso saysBarry Caplin
 
151124_Introduction to MeetingSphere_for_Business_Leaders_SJB
151124_Introduction to MeetingSphere_for_Business_Leaders_SJB151124_Introduction to MeetingSphere_for_Business_Leaders_SJB
151124_Introduction to MeetingSphere_for_Business_Leaders_SJBStevebather
 

Similar to 10 Critical Habits of Effective Security Managers (20)

The Security Industry: How to Survive Becoming Management BSIDESLV 2013 Keynote
The Security Industry: How to Survive Becoming Management BSIDESLV 2013 KeynoteThe Security Industry: How to Survive Becoming Management BSIDESLV 2013 Keynote
The Security Industry: How to Survive Becoming Management BSIDESLV 2013 Keynote
 
Its not a bug it's a feature - Seattle B sides 2019
Its not a bug it's a feature - Seattle B sides 2019Its not a bug it's a feature - Seattle B sides 2019
Its not a bug it's a feature - Seattle B sides 2019
 
L1 1.1 10 things you need to know before doing your own qualitative research
L1 1.1  10 things you need to know before doing your own qualitative researchL1 1.1  10 things you need to know before doing your own qualitative research
L1 1.1 10 things you need to know before doing your own qualitative research
 
Super Strategy in Decision Making
Super Strategy in Decision MakingSuper Strategy in Decision Making
Super Strategy in Decision Making
 
Building Trust
Building TrustBuilding Trust
Building Trust
 
Program execution: an inconvenient truth!
Program execution: an inconvenient truth!Program execution: an inconvenient truth!
Program execution: an inconvenient truth!
 
Project Communication: Walk the Talk
Project Communication: Walk the TalkProject Communication: Walk the Talk
Project Communication: Walk the Talk
 
Coach vs Advocate
Coach vs AdvocateCoach vs Advocate
Coach vs Advocate
 
Using Behavioral Science to Secure Your Organization
Using Behavioral Science to Secure Your OrganizationUsing Behavioral Science to Secure Your Organization
Using Behavioral Science to Secure Your Organization
 
Monroes motivated sequence
Monroes motivated sequenceMonroes motivated sequence
Monroes motivated sequence
 
Monroes motivated sequence
Monroes motivated sequenceMonroes motivated sequence
Monroes motivated sequence
 
The kickstarter to measuring what matters Evanta CISO 2017
The kickstarter to measuring what matters   Evanta CISO 2017The kickstarter to measuring what matters   Evanta CISO 2017
The kickstarter to measuring what matters Evanta CISO 2017
 
Creating a results oriented culture
Creating a results oriented cultureCreating a results oriented culture
Creating a results oriented culture
 
Ultius Company Culture
Ultius Company CultureUltius Company Culture
Ultius Company Culture
 
Security social selling e book2
Security social selling e book2Security social selling e book2
Security social selling e book2
 
Seven steps to building a trusting workplace
Seven steps to building a trusting workplaceSeven steps to building a trusting workplace
Seven steps to building a trusting workplace
 
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorBanning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
 
How to Win the Hearts and Minds of Decision Makers
How to Win the Hearts and Minds of Decision MakersHow to Win the Hearts and Minds of Decision Makers
How to Win the Hearts and Minds of Decision Makers
 
Stuff my ciso says
Stuff my ciso saysStuff my ciso says
Stuff my ciso says
 
151124_Introduction to MeetingSphere_for_Business_Leaders_SJB
151124_Introduction to MeetingSphere_for_Business_Leaders_SJB151124_Introduction to MeetingSphere_for_Business_Leaders_SJB
151124_Introduction to MeetingSphere_for_Business_Leaders_SJB
 

More from Jack Nichelson

A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdf
A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdfA Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdf
A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdfJack Nichelson
 
A Clear Path to NIST & CMMC Compliance - 2022 Summit.pptx
A Clear Path to NIST & CMMC Compliance - 2022 Summit.pptxA Clear Path to NIST & CMMC Compliance - 2022 Summit.pptx
A Clear Path to NIST & CMMC Compliance - 2022 Summit.pptxJack Nichelson
 
A Clear Path to NIST & CMMC Compliance_ISSA.pptx
A Clear Path to NIST & CMMC Compliance_ISSA.pptxA Clear Path to NIST & CMMC Compliance_ISSA.pptx
A Clear Path to NIST & CMMC Compliance_ISSA.pptxJack Nichelson
 
Office 365 Security - Its 2am do you know whos in your office 365
Office 365 Security - Its 2am do you know whos in your office 365Office 365 Security - Its 2am do you know whos in your office 365
Office 365 Security - Its 2am do you know whos in your office 365Jack Nichelson
 
Creating a Results Oriented Culture
Creating a Results Oriented CultureCreating a Results Oriented Culture
Creating a Results Oriented CultureJack Nichelson
 
Moving Mountains Through Measurement
Moving Mountains Through MeasurementMoving Mountains Through Measurement
Moving Mountains Through MeasurementJack Nichelson
 
Information Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your VulnerabilitiesInformation Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your VulnerabilitiesJack Nichelson
 
Protecting the Crown Jewels – Enlist the Beefeaters
Protecting the Crown Jewels – Enlist the BeefeatersProtecting the Crown Jewels – Enlist the Beefeaters
Protecting the Crown Jewels – Enlist the BeefeatersJack Nichelson
 

More from Jack Nichelson (8)

A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdf
A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdfA Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdf
A Clear Path to NIST & CMMC Compliance - 2023 Cleveland Security Summit.pdf
 
A Clear Path to NIST & CMMC Compliance - 2022 Summit.pptx
A Clear Path to NIST & CMMC Compliance - 2022 Summit.pptxA Clear Path to NIST & CMMC Compliance - 2022 Summit.pptx
A Clear Path to NIST & CMMC Compliance - 2022 Summit.pptx
 
A Clear Path to NIST & CMMC Compliance_ISSA.pptx
A Clear Path to NIST & CMMC Compliance_ISSA.pptxA Clear Path to NIST & CMMC Compliance_ISSA.pptx
A Clear Path to NIST & CMMC Compliance_ISSA.pptx
 
Office 365 Security - Its 2am do you know whos in your office 365
Office 365 Security - Its 2am do you know whos in your office 365Office 365 Security - Its 2am do you know whos in your office 365
Office 365 Security - Its 2am do you know whos in your office 365
 
Creating a Results Oriented Culture
Creating a Results Oriented CultureCreating a Results Oriented Culture
Creating a Results Oriented Culture
 
Moving Mountains Through Measurement
Moving Mountains Through MeasurementMoving Mountains Through Measurement
Moving Mountains Through Measurement
 
Information Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your VulnerabilitiesInformation Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your Vulnerabilities
 
Protecting the Crown Jewels – Enlist the Beefeaters
Protecting the Crown Jewels – Enlist the BeefeatersProtecting the Crown Jewels – Enlist the Beefeaters
Protecting the Crown Jewels – Enlist the Beefeaters
 

Recently uploaded

Unlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency MatrixUnlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency MatrixCIToolkit
 
LPC Operations Review PowerPoint | Operations Review
LPC Operations Review PowerPoint | Operations ReviewLPC Operations Review PowerPoint | Operations Review
LPC Operations Review PowerPoint | Operations Reviewthomas851723
 
ANIn Gurugram April 2024 |Can Agile and AI work together? by Pramodkumar Shri...
ANIn Gurugram April 2024 |Can Agile and AI work together? by Pramodkumar Shri...ANIn Gurugram April 2024 |Can Agile and AI work together? by Pramodkumar Shri...
ANIn Gurugram April 2024 |Can Agile and AI work together? by Pramodkumar Shri...AgileNetwork
 
Pooja Mehta 9167673311, Trusted Call Girls In NAVI MUMBAI Cash On Payment , V...
Pooja Mehta 9167673311, Trusted Call Girls In NAVI MUMBAI Cash On Payment , V...Pooja Mehta 9167673311, Trusted Call Girls In NAVI MUMBAI Cash On Payment , V...
Pooja Mehta 9167673311, Trusted Call Girls In NAVI MUMBAI Cash On Payment , V...Pooja Nehwal
 
LPC Warehouse Management System For Clients In The Business Sector
LPC Warehouse Management System For Clients In The Business SectorLPC Warehouse Management System For Clients In The Business Sector
LPC Warehouse Management System For Clients In The Business Sectorthomas851723
 
Introduction to LPC - Facility Design And Re-Engineering
Introduction to LPC - Facility Design And Re-EngineeringIntroduction to LPC - Facility Design And Re-Engineering
Introduction to LPC - Facility Design And Re-Engineeringthomas851723
 
Board Diversity Initiaive Launch Presentation
Board Diversity Initiaive Launch PresentationBoard Diversity Initiaive Launch Presentation
Board Diversity Initiaive Launch Presentationcraig524401
 
Reflecting, turning experience into insight
Reflecting, turning experience into insightReflecting, turning experience into insight
Reflecting, turning experience into insightWayne Abrahams
 
VIP Kolkata Call Girl Rajarhat 👉 8250192130 Available With Room
VIP Kolkata Call Girl Rajarhat 👉 8250192130  Available With RoomVIP Kolkata Call Girl Rajarhat 👉 8250192130  Available With Room
VIP Kolkata Call Girl Rajarhat 👉 8250192130 Available With Roomdivyansh0kumar0
 
Simplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes ThinkingSimplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes ThinkingCIToolkit
 
Fifteenth Finance Commission Presentation
Fifteenth Finance Commission PresentationFifteenth Finance Commission Presentation
Fifteenth Finance Commission Presentationmintusiprd
 

Recently uploaded (13)

sauth delhi call girls in Defence Colony🔝 9953056974 🔝 escort Service
sauth delhi call girls in Defence Colony🔝 9953056974 🔝 escort Servicesauth delhi call girls in Defence Colony🔝 9953056974 🔝 escort Service
sauth delhi call girls in Defence Colony🔝 9953056974 🔝 escort Service
 
Unlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency MatrixUnlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency Matrix
 
LPC Operations Review PowerPoint | Operations Review
LPC Operations Review PowerPoint | Operations ReviewLPC Operations Review PowerPoint | Operations Review
LPC Operations Review PowerPoint | Operations Review
 
ANIn Gurugram April 2024 |Can Agile and AI work together? by Pramodkumar Shri...
ANIn Gurugram April 2024 |Can Agile and AI work together? by Pramodkumar Shri...ANIn Gurugram April 2024 |Can Agile and AI work together? by Pramodkumar Shri...
ANIn Gurugram April 2024 |Can Agile and AI work together? by Pramodkumar Shri...
 
Pooja Mehta 9167673311, Trusted Call Girls In NAVI MUMBAI Cash On Payment , V...
Pooja Mehta 9167673311, Trusted Call Girls In NAVI MUMBAI Cash On Payment , V...Pooja Mehta 9167673311, Trusted Call Girls In NAVI MUMBAI Cash On Payment , V...
Pooja Mehta 9167673311, Trusted Call Girls In NAVI MUMBAI Cash On Payment , V...
 
LPC Warehouse Management System For Clients In The Business Sector
LPC Warehouse Management System For Clients In The Business SectorLPC Warehouse Management System For Clients In The Business Sector
LPC Warehouse Management System For Clients In The Business Sector
 
Introduction to LPC - Facility Design And Re-Engineering
Introduction to LPC - Facility Design And Re-EngineeringIntroduction to LPC - Facility Design And Re-Engineering
Introduction to LPC - Facility Design And Re-Engineering
 
Board Diversity Initiaive Launch Presentation
Board Diversity Initiaive Launch PresentationBoard Diversity Initiaive Launch Presentation
Board Diversity Initiaive Launch Presentation
 
Reflecting, turning experience into insight
Reflecting, turning experience into insightReflecting, turning experience into insight
Reflecting, turning experience into insight
 
VIP Kolkata Call Girl Rajarhat 👉 8250192130 Available With Room
VIP Kolkata Call Girl Rajarhat 👉 8250192130  Available With RoomVIP Kolkata Call Girl Rajarhat 👉 8250192130  Available With Room
VIP Kolkata Call Girl Rajarhat 👉 8250192130 Available With Room
 
Call Girls Service Tilak Nagar @9999965857 Delhi 🫦 No Advance VVIP 🍎 SERVICE
Call Girls Service Tilak Nagar @9999965857 Delhi 🫦 No Advance  VVIP 🍎 SERVICECall Girls Service Tilak Nagar @9999965857 Delhi 🫦 No Advance  VVIP 🍎 SERVICE
Call Girls Service Tilak Nagar @9999965857 Delhi 🫦 No Advance VVIP 🍎 SERVICE
 
Simplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes ThinkingSimplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes Thinking
 
Fifteenth Finance Commission Presentation
Fifteenth Finance Commission PresentationFifteenth Finance Commission Presentation
Fifteenth Finance Commission Presentation
 

10 Critical Habits of Effective Security Managers

  • 1. How to Secure Things & Influence People 10 Critical Habits of Effective Security Managers
  • 2. Introduction  Why are we here?  What are our goals?
  • 3. Chris Clymer I collaborate with my peers to identify and effectively manage risks which my company is confronted with  Architect of information security program for Swagelok  Formerly outsourced CISO for a variety of organizations while managing the Advisory Services practice at SecureState  Former board member for NEOISF & co-host of the Security Justice podcast
  • 4. Jack Nichelson I defend my companies competitive advantage by helping solve business problems through technology to work faster and safer.  Director of Infrastructure & Security for Chart Industries.  Executive MBA from Baldwin-Wallace University  Recognized as one of the “People Who Made a Difference in Security” by the SANS Institute and Received the CSO50 award for connecting security initiatives to business value.  Adviser for Baldwin Wallace’s, State winner Collegiate Cyber Defense Competition (CCDC) team. “Solving Problems, is my Passion”
  • 5. Acknowledgements  Dennis Sommer, COO SecureState  Steve Hendricks, CMO RedIron  Steve Holt, CIO Chart Industries  David Hilmer, VP & CIO Graftech  Matt LoPiccolo, VP & CIO Swagelok  Chuck Norman, Sr. Mgr. Swagelok  Matt Neely, Dir. Strategy SecureState  Rich Wildermuth, Manager PWC  Craig Shular, CEO GrafTech  Tom Wojnarowski, CIO RITA  Troy Thomas, SVP Wells Fargo  Erick Asmussen, VP & CFO Special thanks to all of the mentors who have helped us through these lessons
  • 6. The Ten Habits Listening Positivity Know Your Stakeholders Service Just Say Maybe Don’t be the Smartest Guy in the Room Keep it Simple Execution Walk the Talk Self-Reflection
  • 8. Habit I: Listening “Listen, Learn and Then Lead” People want to be successful, so take the time to listen, respect, be humble and then help them reach their goals.  Leading by Listening – Desire to help others  High Emotional Intelligence (EQ) is key, you need to care about everyone succeeding at personal & career goals  The day people stop bringing you problems is the day you stop leading  Act decisively, be firm yet sensitive and empathetic Your IQ got you in the door, your EQ will get you to the boardroom
  • 9. Putting it into action
    “Good Leaders Ask Great Questions”
    Effective managers spend a good part of their workday listening to other people and asking good questions. Effective listening includes a four-step process to ensure understanding:
    • Listen to the total message
    • Prove your understanding by using nonverbal signals
    • Use open-ended questions & probes
    • Paraphrase what you hear and show understanding
    • Don’t just say “hi”, have a more personal conversation
  • 11. Habit II: Positivity
    To motivate those around you to take action, positivity will always trump negativity.
    • Security is often fixated on finding the negatives: missing patches, misconfigured systems. It becomes very easy to be Mr. Negativity
    • Security is often in a position of asking others for help, not dictating to them
    • Who would you rather help…someone encouraging, or discouraging?
    • Perpetual optimism is a force multiplier…if you provide positive energy, those around you will be willing to work much harder towards your goals
    “Perpetual Optimism is a Force Multiplier” – Colin Powell
  • 12. Putting it into action
    Using positivity to achieve your security goals takes several steps:
    • Aim to make “heroes” not “zeroes”
    • Actively look for ways to encourage and help your peers
    • Actively avoid “beating them up” with negativity
    • People want to be successful; help them accomplish their personal goals
      • Have conversations to learn what their personal goals are
      • Find projects that will help them achieve these
      • If you have knowledge or connections that could help, share them
  • 13. Habit III: Know Your Stakeholders
  • 14. Habit III: Know Your Stakeholders
    To make stuff that matters, you have to know what matters, so work on solving the right problems.
    • Security is about a lot more than just you
    • You are taking actions to protect assets in the stewardship of others
    • You are making choices which will impact the ways those around you conduct their business
    • No one cares what you know until you show them how much you care
  • 15. Putting it into action
    Effective managers take the time to identify stakeholders and know their pain points.
    • Identify stakeholders in your security program
      • This is anyone affected by what you are doing
      • Could be execs, IT, sales, marketing, manufacturing, customers…anyone
    • Learn what their drivers are, both personal & professional
      • “Know their pain”
    • Plan to have “the meeting before the meeting”
      • Meet with stakeholders individually before bringing them together for a decision
      • You’ll know the decision before the real meeting even happens
  • 17. Habit IV: Service
    We often focus on the problem and forget about the customer. They will forget the problem you solved before they forget how you made them feel.
    • Security is a support role…your job is to help others safely do the things that make your organization productive
    • You cannot do this job without help
    • Your employees are not subjects for you to dictate rules to…they are your customers
    • If you treat them well, they will be your “army of human sensors”, bringing you all kinds of useful intel, and helping to enforce policies you’ve developed to protect them
  • 18. Putting it into action
    To take care of your “customers”, keep the following steps in mind:
    • Know who your customers are
    • Aim to create “stark raving fans”
    • Make sure they feel comfortable
    • Make sure they feel “heard”
    • Create a positive feedback loop
  • 19. Habit V: Just Say Maybe
  • 20. Habit V: Just Say Maybe
    Effective leadership requires compromise and empathy for the other person.
    • Security has often been the Department of “No”
    • Taking a hard stance as a “cyber policeman” can seem to work…until you become perceived as an obstacle
    • If you are an obstacle, process will begin to be routed around you
  • 21. Putting it into action
    Don’t take a hard line on a topic before you have determined everyone’s “musts” and “wants”. This approach will ensure clear communication, fair compromise and a better solution.
    • Identify the core requirements (yours & theirs)
    • Facilitate a Risk vs. Reward conversation to balance security
    • Resist the urge to be a “cyber policeman”
    • Empathize with others’ problems…but still be comfortable taking a stand
    • Collaborate on the solution where everyone can win
    It’s OK to be uncomfortable with the results
  • 22. Habit VI: Don’t Be the Smartest Guy in the Room
  • 23. Habit VI: Don’t Be the Smartest Guy in the Room
    To achieve results we need to build partnerships, not demonstrate knowledge.
    • Many of us performed other IT roles before moving into security
    • This is often seen as a move “up”, which makes it easy to feel that you know your peers’ jobs as well as your own
    • We also often feel that no one is qualified to do the challenging job of security other than those of us currently charged with it
    • It is not your job to out-do or “call out” your peers
    • No one cares who came up with the idea, just that issues are solved
  • 24. Putting it into action
    To build strong partnerships with their peers, an effective manager will strive to do the following in all of their social interactions:
    • When in a meeting, listen more than you talk
    • Think very hard before speaking: are you contributing to the discussion, or are you demonstrating your knowledge?
    • Make your goal finding the best solution for an identified problem…not convincing everyone to accept your solution unchanged
    • Do not be afraid to let others fail…failure drives personal growth
  • 25. Habit VII: Keep it Simple
  • 26. Habit VII: Keep it Simple
    A quick win with a simple solution is better than holding your ground for the elegant solution. Don’t let perfect become the enemy of good.
    • Security is a complex field, characterized by the convergence points between many others
    • It is your job to deal with this complexity, and distill it into simple actions for your stakeholders
    • Their main job is something else…when you’re asking for their help, you want it to be as simple and frictionless as possible
    • Be on a mission to be results oriented
  • 27. Putting it into action
    • Distill complex security problems into simple elevator pitches you can easily convey to multiple layers of your organization
    • Hone and practice your message; you will be repeating it often
    • Don’t become so invested in an elegant solution that you lose sight of the original problem
    • Find quick wins that you can chain together into larger ones
    “Fight the battles you can win” – Sun Tzu
  • 29. Habit VIII: Execution
    Have a plan, and execute, execute, execute.
    • This may seem obvious, but you need to execute on your plans
    • Because security is so dependent on others, it’s easy to develop plans which are never executed…and place the blame on others
    • We also often spend months, or years, of long effort selling our ideas. Once others finally become bought-in, it can feel like the hard work is done
    • If you have a history of struggling with execution, others will not want to support new projects…no matter how significant the vulnerability you are addressing
  • 30. Putting it into action
    Security managers who move from simply identifying problems to achieving concrete results will typically follow these steps:
    • Once you have buy-in to security projects, have laser focus on execution…you may not get a second chance to try it
      • Security does not make your company money. If a project stumbles or impacts the bottom line negatively, it’s easy to pull it out
    • Partner with others, but take responsibility for execution
    • Have a plan, follow it, measure your progress
      • Use a project manager if you can
    • You don’t know what you can get away with until you try it
  • 31. Habit IX: Walk The Talk
  • 32. Habit IX: Walk the Talk
    You must lead by example; do not diminish your authority by disrespecting your rules.
    • In security it’s easy to feel we’re an exception to some of the rules
    • In some cases, we may actually need to be
    • As the “policeman” you must hold yourself to a higher standard, because there’s often no one else to hold you accountable
    • Follow the policies you set, or expect others to follow your lead in ignoring them
  • 33. Putting it into action
    • Maintain as few exceptions as possible, and be sure you have a strong justification for each
      • Cracked down on admin rights? Give thought to where you really need your own
      • Pushing standard server builds? Don’t maintain a security system with a “special” build because you don’t trust your server teams, or feel your requirements are unique
    • Follow any policies you’ve set to the letter, and do so visibly
  • 35. Habit X: Self-Reflection
    The most important person for you to manage effectively is yourself. To grow personally and professionally you need to know yourself before you can help others.
    • In security we are often perfectionists…accepting failures can be a very difficult thing
      • Reality is, we will have them
    • Without awareness of your own strengths and weaknesses you will fail to meet your own potential, and continue to be stymied by the same obstacles
    “Know the enemy and know yourself and you will never be defeated” – Sun Tzu
  • 36. Putting it into action
    Self-reflection is a challenge. Effective managers will follow these steps, repeat them often, and not be discouraged when they stumble along the way:
    • Put a lot of thought into identifying your own areas of weakness
    • Have a plan for improving these
      • These will be iterative improvements over time, not one-time things
      • More about the journey than the destination…you will stumble along the way
    • Work with a mentor
      • You need a second opinion on what your areas of weakness are
      • You also want someone to keep you honest in how you’re progressing
  • 37. The Ten Habits
    I. Listening
    II. Positivity
    III. Know Your Stakeholders
    IV. Service
    V. Just Say Maybe
    VI. Don’t be the Smartest Guy in the Room
    VII. Keep it Simple
    VIII. Execution
    IX. Walk the Talk
    X. Self-Reflection
  • 38. References
    • You Don’t Need a Title to Be a Leader – Mark Sanborn
    • The Five Temptations of a CEO – Patrick M. Lencioni
    • The Art of War for Managers – Gerald Michaelson / Sun Tzu
    • The Sandler Sales Method – David H. Sandler
    • The Seven Habits of Highly Effective People – Stephen Covey
    • The Fifth Discipline – Peter Senge
    • Leading Change – John Kotter
    • The Servant – James Hunter
    • The New Leader’s 100-Day Action Plan – George Bradt
    • Good to Great – Jim Collins
    • Crucial Conversations – Kerry Patterson
  • 39. Contact Info
    Chris: Chris@ChrisClymer.com, Twitter: @ChrisClymer
    Jack: Jack@Nichelson.net, Twitter: @Jack0lope
  • 40. Q & A
  • 41. Networking
    • No time like the present to put your soft skills to work
    • Say hi to your neighbor…what can they teach you about this topic?

Editor's Notes

  1. Have you ever felt that the security problems you're faced with would be so simple to solve if only your colleagues had your perspective on them? Are you frustrated that security does not have a more prominent seat at the table? Often times identifying security problems and developing the appropriate controls is the easiest part of the security job. Getting our peers and superiors to buy-in to those solutions and understand the risk decisions they're making is an under-appreciated but arguably much more important part of our jobs in security.
     Chris and Jack will share techniques that help to turn your employees into an army of human security sensors, to get security done regardless of where it sits on the org chart, and to earn major security victories even with a meager budget and a small team. Along the way you’ll learn about the “10 Critical Habits” which we have observed effective security leaders using to achieve their goals.
  2. Chris kicks off.
     Why are we here – as we’ve moved through our careers, we’ve found that the technical problems are less and less of the challenge, and that soft skills seem to matter much more towards overall success in security. To better understand this ourselves, and to help our peers, we’ve spent the last several months having discussions with leaders across multiple
     What are our goals – to deliver 10 “habits” that we identified during a series of conversations with leaders in and out of security. This group felt that these habits all contributed greatly towards accomplishing goals.
  3. Jack takes from here. Discuss interviews over last several months; presentation is aggregated from conversations with this entire group.
  4. These are the key lessons we have learned
  5. Jack: If there is consensus among these leaders, it is that it all comes down to listening, learning—and then leading.
     Story: the listener becomes the “go-to” guy. Cheerful, approachable, actively asking how you can help and taking the time to listen to everything. Jack is always invested in the success of those around him.
     Story: Jack’s old CIO on the phone so Jack can solve the problem. Care about people.
  6. Jack: meeting a problem head on; in a crisis your words have great impact. Small acts of positivity build. You become what you think about; people around you become what you are.
  7. Jack: developing a project charter & problem statement helped better understand who stakeholders were, and what matters to them. Shift from compliance to IP (actual business assets).
  8. Jack: HR story. Sysadmin fixes her problem, but she didn’t feel heard, and did not understand the problem or solution
  9. Jack: dropbox
  10. Jack
  11. Hand off to Chris
  12. Chris – keeping mouth shut shows win…segment plan story. “Pull” not a “push”. Not “my” projects, “our” projects.
  13. Chris: vulnerability management. SharePoint site & Nessus versus enterprise VMP.
  14. Chris: scans, laid out a plan and followed it…prepped people to expect ugly findings, scans on Sunday mornings. Change orders in. Follow-up with employee on hiccups from scans. No one took my gun away.
  15. Chris: take away your own local admin before others. “Soft power”. How many of you have local admin yourself? How many of you have passphrases?
  16. This presentation germinated in a series of meetings with our mentors. Talking with external folks who’ve “been there before” gave tremendous perspective. Helped to see where we were falling down, and where despite resistance from our internal peers we were actually moving in the right direction. With security often being off on an island, this perspective can be hugely important.
     Chris: Tri story. Needed to work on patience, picked an endurance sport, iterative improvement over time.