In the July 2 Incite I highlighted Dave Elfering’s discussion of the need to sell as part of your security program. Going through my Instapaper links I came across Dave’s post again, and I wanted to dig a bit deeper. Here is what I wrote in my snippet:

Everyone sells. No matter what you do you are selling. In the CISO context you are selling your program and your leadership. As Dave says, “To truly lead and be effective people have to be sold on you; on what and who you are.” Truth. If your team (both upstream / senior management and downstream / security team) isn’t sold on you, you can’t deliver news they need to hear. And you’ll be delivering that news a lot – you are in security, right? That post just keeps getting better because it discusses the reality of leading. You need to know yourself. You need to be yourself. More wisdom: “Credentials and mad technical skills are great, but they’re not who you are. Titles are great, but they’re not who you are. Who you are is what you truly have to sell and the leader who instead relies on Machiavellian methods to self-serving ends is an empty suit.” If you can’t be authentic you can’t lead. Well said, Dave.

Let’s dig a little deeper into the leadership angle here, because that’s not something most security folks have been trained to do. Here is another chunk of Dave’s post.

As a leader you are guaranteed to be put into a continuous onslaught of events and situations, the circumstances of which are often beyond your control. What you do control is how you deal with them. This will be decided by who you are. People who rely on intimidation through authority or the manipulation of personality ethic may be effective up to a point, but in the melee of events those alone aren’t sufficient.

Leading is a personal endeavor, which reflects who you are. If you are an intimidator don’t be surprised when your team consists of folks who (for whatever reason) accept being intimidated. But at some point fear and manipulation run out of gas. There is a time and a place for almost everything. There are situations where someone must take the organization on their back and carry it forward by whatever means necessary. That situation might be neither kind nor graceful.

But it is also not sustainable. At some point your team needs to believe in its mission. They need to believe in their strategy for getting there. And they need to understand how they will improve and grow personally by participating. They need to want to be there, and to put forth the effort. Especially in security, given the sheer number of opportunities security folks have to choose from.

Security is a hard path. You need to be tough to handle the lack of external validation, and the fact that security is not something you can ever win or finish. But that doesn’t mean you (as a leader) have to be hard all the time. At the end of the day we are all people, and we need to be treated that way.

Photo credit: “LEAD” originally uploaded by Leo Reynolds