The path from security director to respected executive is perilous. Some never make it. However, any manager who demonstrates consistent cleverness and understanding of the business will generally grow in rank and influence. There are many ways to show this savvy. Some security professionals are adept at law enforcement and investigations; others are more political, with relationships among executives; some have excellent presentation skills.
In my 30 years in the security industry, with the last 15 focused on mentoring security and technology leaders, I’ve found that savvy has a practical application. The security manager with the most well-run business unit usually has the most influence.
These 5 “savvy” skills are the building blocks to executive leadership, but don’t come naturally to most people. In fact, business schools don’t explicitly teach them. Neither do security training courses. They are skills developed by trial and error by the greatest leaders and summarized and organized for security leaders here.
Skill 1: Set Clear Positive Goals
You’ve heard it, I’m sure. You ask a security professional to explain the value of security, and they’ll often say something like, “Well, just think of all the bad things that would happen if we didn’t do it.” It comes with the profession, this idea that security is about keeping bad things from happening. Trouble is, if that’s the main metric, success cannot be measured.
In security, positive goals are valuable tools in the leader’s toolbox for creating an excellent security operation and for being recognized as a leader. Your peers in the security profession don’t usually set positive goals. Most prefer negative goals. “We need to have fewer breaches, no PII (personally identifiable information) lost, lower costs, no bad press about security,” etc.
Positive goals take you forward. Higher. When senior executives and board members ask you about your goals, be sure you tell them goals that make the business better, more agile, or stronger, such as measurably improved response times, happier employees, or passed audits.
The very best and most resilient companies boast goals like: Be “Always Audit-Ready”
I believe this one goal, in particular, is one of the best a security leader can have. Being continually ready for any audit or assessment means you are proud of your operation and ready for scrutiny. And since audits are snapshots of a moment in time and are usually out-of-date the next day, having an “always audit-ready” stance means your operation is continually adapting, continually learning, continually improving.
Perhaps you are wondering why I don’t suggest a goal such as “Be always security-incident-ready.” Two reasons. A security incident is a type of audit. A test of the quality of your operation. So is every inquiry by an internal or external assessor. So, Audit seems to be the better word. Second, the four fundamental categories of security (see Comments below) include one that answers the important questions of “What’s happening?” and “Is it working?” Therefore, Audit again seems to be the best word. But what do you think?
Steve Hunt helps security professionals like you to excel on the path to growth and improvement.