Dave Elfering had a good post, making clear the difference between managing and leading.
I thought my job as a security leader was to produce detailed policies that might as well have been detailed pseudo code executed by robots.
If you are tasked with truly leading the security program for a company or organization then lead; quit trying to be a combination of the thought police and baby sitter. Detailed policies are necessary in some circumstances but overall they are unsustainable.
Let’s dive back into the Army manual [Army Planning and Orders Production FM 5-0] for a moment. “Effective planning incorporates the concept of mission command… concentrates on the objective of an operation and not on every detail of how to achieve that objective.”
I always talked about managing to outcomes when I had corporate jobs. I didn’t want to tell folks how to get things done. I just told them what needed to be done and figured they could figure it out. Mostly because half the time I wasn’t sure what to do, and the other half of the time I was too lazy to do it for them. Kidding aside, that’s how I learned the most.
It’s not much different in security. You need to lead your security program with a light touch. Think big-picture objectives and, as Dave says, managing intent. Not task lists, which is small thinking. You can’t make folks within the business do things – not over the long term, anyway. Hell, most of the time you can’t even make your own team do things. So you need to persuade them that it’s in their best interests to do so. That means you need to lead, not just manage to the details and expect your employee base to just get it.
This is not easy. It’s usually easier to write the policy and become Dr. No. But that approach also means you’ll be looking for another job in the near term. More stuff they don’t teach you in any of those security certification classes, eh?
Photo credit: “If you are not the lead dog your view never changes #grommet” originally uploaded by Nic Wise