Motivational Skills for Security Wonks: 2011 Edition

By Mike Rothman

Ah yes, 2011 is here. A new year, which means it’s time to put into action all of those wonderful plans you’ve been percolating over the holidays. Oh, you don’t have plans, besides getting through the day, that is? I get that. The truth is things aren’t likely to be better in 2011 – probably not even tolerable. But we persevere because that’s what we do, although a lot of folks (including AndyITGuy, among others) continue talking about burnout risk. And that means we have to refocus.

A while back I did a presentation called The Pursuit of Security Happyness. It was my thoughts on how to maintain your sanity while the world continues to burn down around you. But that was about you. If you drew the short straw, you may be in some kind of management position. That means you are not only responsible for your own happiness, but have a bunch of other folks looking to you for inspiration and guidance. I know, you probably don’t feel like much of a role model, but you drew the short straw, remember? Own it, and work at it.

The fact remains that most security folks aren’t very good at managing. Neither their security program (what the Pragmatic CSO is about), nor their people. With it being a new year and all, maybe it’s a good idea to start thinking about your management skills as well. Where do you start? I’m glad you asked…

I stumbled across a post from Richard Bejtlich over the break, which starts with a discussion about how Steve Jobs builds teams and why they are successful. Yes, you need good people. Yes, the bulk of your time must be spent finding these people. But that’s not interesting. What’s interesting is making the mission exciting. Smart talented folks can work anywhere. As a manager, you need to get them excited about working with you and solving the problems you need to solve.

LonerVamp highlighted a great quote at the bottom of Bejtlich’s post:

Real IT/security talent will work where they make a difference, not where they reduce costs, “align w/business,” or serve other lame ends.

So that’s what you need to focus on. To be clear, someone has to align with business. Someone also has to reduce costs and serve all those lame ends, which was LonerVamp’s point. Unfortunately as a manager, that is likely you. Your job as a manager is to give your people the opportunity to be successful. It means dealing with the stuff they shouldn’t have to. That means making sure they understand the goal and getting them excited about it. Right, you need to be a Security Tony Robbins, and motivate your folks to continue jumping into the meat grinder every day.

And all of this is easier said than done. But remember, it’s a new year. If you can’t get excited about what you do now, maybe you need to check out these tips on making your resume kick ass.


Awesome response. Particularly the giving up the ghost. Duly noted. My marketing sheen was showing. Apologies.

The phishing e-mail demo is a sweet Pen Test of a different variety that builds its own business case for at least adequate staff IT security training.

Thank you for taking the time. Really appreciate the insight.

By Mark Evertz

If I were the security Tony Robbins, I’d be like 6’6” and hemorrhaging money. Clearly that’s not the case. But if I had three things I’d do:

1) Give up the ghost on positioning security as a business enabler. It’s not going to happen. I’ve been at this a long time and nothing has substantially changed. The real issue is to make people appreciate why the roadblocks are there.

2) Show, Don’t Tell: Security risk is an abstract idea for most folks. So whatever you say, however many links you send around about companies like you that have gotten nailed, won’t matter. The wonder of a tool like FireSheep is that it’s easy to show someone *visually* how you can own them. Also send some test phishing messages around. This kind of demo has much more impact than a press clipping.

3) Highlight success: When you defend against an attack. Or respond quickly to some user doing something stupid, highlight that. Put together a success case for internal use. Highlight a certain team member’s efforts at the next all hands IT meeting. Make it clear on mahogany row that although it’s hard, your team continues to do great things to stop the attackers.

Yes, we have to market the security program internally from a lot of different perspectives to have a chance for success in both getting senior level attention, as well as keeping team members focused and engaged.

By Mike Rothman

Long-time reader, first-time responder…
Love the visual of a Security Tony Robbins, complete with banana hands, toothy grin and IT-flavored motivational prose.

Not to put you on the spot, but I’m curious…
If you were the Tony Robbins of Security at a Fortune 100 company starting tomorrow what 3 things would you do to fire up the security team and other employees on the value of security as a business enabler rather than as the perpetual roadblock?

Keep doing what you do and I’ll keep reading.

By Mark Evertz

Excellent points! Yeah, I totally didn’t approach that from the management side of things, which is where alignment and those “lame ends” (from my POV) actually are goals.

By LonerVamp
