In this video, Kip Boyle discusses the importance of leadership. Explore the skills you need to learn to become a strong leader in order to build a valuable information security program.
- [Instructor] John Kotter, a published leadership expert and former professor at the Harvard Business School, said that leadership is about vision, about people buying in, about empowerment, and most of all about producing useful change. Previously, we saw that Kotter defines management as maintaining the status quo. From a leadership perspective, you could say that management is all about winning the game by throwing the darts as close to the bull's-eye as possible. In contrast, leadership is knowing which game you should be playing and why and then using your natural talents and strengths to play well. Poker, anyone?
Now let's focus on why the implementer of an information security program needs to be able to use leadership tools and techniques. You will often find yourself asking members of your organization to practice better cyber hygiene. Will they listen to you? In order to get consistently great results from your staff, you'll need all your people to be fully engaged with your vision and remain enthusiastic about their job over months and years of time. The alternative is poor performance and a lot of unplanned turnover.
As hard as you may try to say yes to every request to weaken or remove a control, to make it easier for people to get work done, sometimes you will need to say no. Will the requester take it gracefully? Will you be able to work productively with them in the future? So leaders work primarily in the world of human emotion. That means you need to be skilled in that work. At a minimum, you'll need empathy, strong interpersonal communication skills, and the ability to set and enforce boundaries with firmness and respect, and it helps a lot if you're likable.
In fact, a study published in the July 2013 issue of Harvard Business Review said that to be very influential, you need to balance warmth with competence. This quote sums it up: "Before people decide what they think of your message, they decide what they think of you." You'll use your leadership skills to build and maintain relationships. The way you talk with people and treat them is crucially important. Relating to people in emotionally intelligent ways and with strong personal boundaries enhances your ability to be influential.
The good news is if you don't have all these capabilities, you can get them. How do I know? In contrast with management, I found becoming a strong leader to be a significant challenge that I still grapple with. One of the reasons I was attracted to working with computers when I was younger is I found them to be easier to understand and deal with than a lot of the people I worked with. Later in my career as a chief information security officer, my main daily challenge was knowing when to use a management tool and when to use a leadership tool.
As I gained experience, I felt as though I could hold one type of tool in each hand and quickly switch back and forth between them even in the same conversation. For example, imagine you're getting ready to talk with a member of your staff about the status of a task you've delegated to him. The manager in you must figure out if the work will be completed as scheduled. At the same time, the leader in you can tell he's nervous about completing the assignment on time. Do you first discuss the nervousness you sense or do you go straight to discussing the project plan and hope he sorts out his emotions without your help? And what do you do about your own feelings about whether he will successfully complete the work? Will fear guide what you say next? Or can you act confidently? Unfortunately, there's no simple set of answers to these questions.
That's why the best people implementing information security programs are those who possess a skilled combination of management and leadership capabilities. To get better at leadership, I took all the leadership training I could and sought out opportunities to lead people. I also pushed myself out of my own comfort zone over and over again to face ever tougher leadership challenges such as becoming president of my homeowners' association. Getting help from leaders I admire was very helpful and I had to learn how to deal constructively with failure.
Finally, I've spent time increasing my self-awareness to better understand who I am and why I say and do the things I do. You can increase your self-awareness by completing a personality inventory like the Myers-Briggs Type Indicator or a behavior assessment like DISC. If you are really courageous, you can conduct a 360-Degree Feedback Survey which isn't always easy to hear, but it may be the only way to see things about yourself that are otherwise invisible to you.
- Goals and components of an information security program
- Measuring and managing information risks
- Reducing risks to an acceptable level
- Using a workflow to organize your work
- Communicating progress with executives and stakeholders
- Demonstrating compliance