“The needs of the many outweigh the needs of the few, or the one.”
This was Spock’s pragmatic wisdom from Star Trek II: The Wrath of Khan, which was a inspirational movie for me when I was 12. Now 30 years later, it is still a good quote for security leaders to ponder.
It is no mystery I am a big fan of Star Trek. Like many fans, I enjoy the stories and inspiring vision it gives for the future. But mostly, I admire James T. Kirk. The bold leader of the USS Enterprise who can teach us all about being a good leader. Kirk embodies a style of leadership that is equal parts daring and reflective. Ultimately, Kirk is a servant leader. He cares deeply about his crew and will do anything to help them succeed.
In recent months I have been working to improve my own leadership skills. I joined a CEO group (Vistage International) and began working with a leadership coach. My own experience as well as that of our consulting practice has consistently proven that the quality of leadership in an organization has a profound impact on organizational security. Good security begins with good leadership. Likewise, servant leadership is more than just a sound philosophy for managing people, it is a an extremely effective tool in building an effective security program.
Origins of Servant Leadership
Servant Leadership has been around since long before Kirk was saving the world. While the term was coined by Robert K. Greenleaf in 1970, the concepts of Servant Leadership date back much further. The Chinese philosopher Lao-Tzu spoke of such leadership in the Tao Te Ching, which dates back to around 500BC.
The highest type of ruler is one of whose existence the people are barely aware. Next comes one whom they love and praise. Next comes one whom they fear. Next comes one whom they despise and defy. When you are lacking in faith, Others will be unfaithful to you. The Sage is self-effacing and scanty of words. When his task is accomplished and things have been completed, All the people say, ‘We ourselves have achieved it!
Lao-Tzu speaks of a leader whose existence is barely known. When there is success, people all share in the success. And when there is a failure, the leader assumes responsibility.
There is also a nice definition and background information at Wikipedia.
In a recent conversation I had with a group of CIOs, the question arose as to where poor security begins in an organization. Most of the participants blamed unskilled IT employees or lack of technology. I took the risky stance that poor security began with poor leadership. I said this knowing full well the people before me were all leaders (and might be offended.) However, the more companies we analyze at Anitian, the more we see that bad security practices and decisions come from poor leaders.
I Have No Ego to Bruise
Having seen the operations and internal machinations of thousands of companies, I have found that bad leaders cultivate environments where people are not naturally compelled to the right things. There is a fundamental lack of trust in poorly run organizations. Without trust, you cannot have security.
Trust is the ultimate commodity in building a secure environment. When people trust their leaders and co-workers, they are more inclined to share information, follow best practices, and defend the organization as a whole. Building and maintaining trust is therefore a key challenge of any security leader. However, building trust is no easy task.
If high-trust environments create security, low-trust environments destroy it. Low-trust organizations breed information hoarding, indifference to best practices, disregard for security controls and poor decision making. It is this last item that can be the most destructive. While a single ignored practice might cause a single data breach, a bad decision can lead to multiple breaches.
When fear, anger, or ego motivate leaders, their decisions are fundamentally selfish. In our consulting practice, we routinely encounter leaders who are consumed with fear: fear of attacks, fear of being exposed, fear of humiliation, fear of losing their jobs – fear of whatever. When fear motivates them, the decisions they make tend to be all about containing that fear rather than propelling the organization forward.
Furthermore, technology companies, or more specifically their marketing departments, intimately understand this dynamic. Preying upon the fears of leaders has become a fine art in the sales and marketing teams of security companies. Entire classes of technologies exist almost solely to feed and reinforce fear.
This dynamic of this is essentially a positive feedback loop. Bad leaders succumb to fear and mistrust. This causes them to mistrust their own people and co-workers. They begin to make decisions based on their own selfish needs to alleviate fear and protect themselves. Subsequently, it leads them into the clutches of marketing people who stoke and reinforce those fears. This causes them to invest heavily in practices and technologies that will supposedly alleviate those fears, deal with all those mistrustful employees, and ultimately make them look good. Of course, this never works out and the entire process just creates more fear. Thus starting the whole loop over again.
Fear can motivate people for a short period of time to be on alert, but that eventually that wears off. Fear is soon replaced with mistrust, anger, resentment and a lot of other negative emotions.
Bad leaders, making bad decisions results in bad systems and networks. It is appalling to us, as security consultants, how few organizations effectively implement security basics such as system patching and antivirus scanning. These are two vital controls which are relatively easy to implement, yet a stunning 80% of the companies we assessed in the past decade lacked consistent and reliable patching and AV protection.
What is really infuriating, is that these bad leaders always seem to have time to study up on the latest drama that is unfolding about Anonymous or the Chinese, and they are quick to remind you of all the certifications they have and important events they attend, yet they cannot seem keep their antivirus signatures updated.
Bad security starts with bad leaders. So how do you break the loop of negativity and fear?
One of my favorite scenes from the Wrath of Khan is when the Enterprise and Reliant are circling the Mutara nebula trying to find each other. Kirk is trying to figure out where Kahn is. Kirk knows Khan will not give up saying “He’ll be back, but from where?” With his signature calmness, Spock reminds Kirk that Khan is intelligent, but inexperienced. Spock adds that Khan’s pattern of attack shows “two dimensional thinking.” Kirk smiles and orders Sulu (the helmsman):“Full stop. Z minus 10,000 meters, stand by photon torpedoes.” (Incidentally, that quote is on a picture on the wall of my office.)
What Kirk does is stop hunting and sink down (on the “Z” axis) allowing Khan’s ship, the Reliant, to glide overhead. Kirk then comes up from behind and fires on the Reliant, immobilizing Khan.
While exciting, this sequence is an excellent metaphor for how a servant leader handles a tough situation. First, he collaborates with his people and involves them in the decision making process. Kirk asked his team for input. He then listens to their input, carefully. A strong leader knows his strengths and weaknesses. Then he makes a bold decision using his most powerful resources and trusting his crew to execute.
This moment of action and tension, as well as others in the movie, consistently demonstrate Kirk’s servant leadership style. This scene also demonstrates an effective business and security tactic: hunker down, remain unseen and wait for the problem to arrive and when it does, attack it with everything you have.
A Test of Character
Becoming a servant leader is not an easy task. However, it has huge benefits not only in terms of security but productivity as well. Ultimately, leadership is a test of character. A good Servant Leader, like Kirk, does not believe in no-win scenarios. There are always possibilities. The Servant Leader must therefore control his/her own needs and ego and build an environment where others can contribute, belong, and share in the success.
Key Qualities of a Servant Security Leader
Listening: A secure environment uses intrusion detection technologies to “listen” to the conversations going on between systems and applications. Likewise, a good security leader pays close attention to what people are saying and not saying. All the clues needed to make people successful and identify security risks is embedded in the words people use and how they express those words. In contrast, bad leaders lecture and pontificate, needing constant attention.
Humility: A good security leader does not need or even want the spotlight. When security works, it is silent, reliable and reassuring. A good security leader should be similar: humble, reliable, and reassuring. When security does not work, it is chaos, drama, and tension, which is also the qualities of a bad leader.
Authentic: Good security can stand up to testing. It is objectively measurable in its ability to protect or not protect the organization. Good security leaders are the same. They are honest and act with integrity, making them open to scrutiny and evaluation. They know their strengths and weaknesses and share them openly.
Empathetic: Good security empowers an organization to work better. It is empathetic to the organization’s mission. Good leaders are the same. They are empathetic to the needs and wants of their people and the organization. They take the time to understand how each person looks at their job and their role. In contrast, bad leaders have a “my way or the highway” approach.
Healing: Weak security can hurt the business. Good security teams respond quickly to stop the attack, correct the weakness, and get damaged systems back on-line. Good security leaders must also pay attention to those that are hurting or angry. They should respond earnestly and honestly to stop the pain and heal so those people can become productive again. In contrast, bad leaders allow people to be angry and may actively try to encourage drama and in-fighting.
Aware: A good security program has technologies and practices that help keep the entire organization aware of any attacks or problems that are happening. Security leaders must also be aware of how their people are being. They must also be self-aware, understanding their own strengths and failings. Bad leaders, in contrast, are clueless about what is going on in their own teams and focus on promoting themselves.
Persuasive: Good security controls encourage good behavior as well as preventing bad behavior. They do not disable the business, but rather set good boundaries for the business to operate successfully. Good security leaders persuade and encourage people in the same way. They avoid using the word “no” and instead ask probing questions that strike a balance between the needs of all involved parties. In contrast, bad leaders control people and tell them what to do. They are fond of telling people no and become indignant when people will not respect them.
Visionary: Good security has a clear path to lower risk. Good security leaders provide that vision. They not only know the path, but they can help others to walk the path. Bad leaders neither know a path nor can they walk it. They try to get others to tell them what the path is and then force others to do it, regardless of the consequences.
Stewardship: Security controls are entrusted to protect the business and serve the best interests of the organization. Furthermore, good security controls encourage and reinforce good behavior while preventing bad behavior. Security leaders must also shepherd their people and program as if it is a precious resource they have been entrusted to protect. A Servant Security Leader first and foremost is committed to serving the needs of others. Moreover, they emphasize openness and persuasion rather than control. Bad leaders, in contrast, blame others for problems and act as if people are disposable.
It is a far, far better thing that I do, than I have ever done; it is a far, far better rest that I go to than I have ever known.
Such ends Dicken’s A Tale of Two Cities and is Kirk’s parting words to Carol Marcus in the Wrath of Khan. It is also what Servant Leadership can bring to a security team: a far better security program with far greater peace of mind, knowing everybody is working to their fullest potential.
Anitian – Intelligent Information Security. For more information please visit www.anitian.com
I’ve been a personal witness to managers with no leadership skills killing an entire security team at a fortune 100 because of the environment they cultivate. My team went from 12 people to 3 people in 6 months and they tried to claim that they had no idea why there was so much attrition.
Unfortunately those type of people tend to be in absolute denial about their personal failures and lack of vision. Trying to constructively address the problems they create in the work environment just leads to them viewing you as a threat or a trouble-maker (speaking from personal experience). They don’t understand why you aren’t just grateful to have a paycheck. Resentment rides high and attrition skyrockets.
Even worse, once they are in a position of power they tend to bring in more of the same. Eventually creating a mono-culture that stifles real innovation or progress, and causes the people who are really passionate about their work to leave.
So how do we fix it?
I’ve spent many sleepless nights thinking about just this and I’ve come to the conclusion that it has to start with a top-down cultural change. Teach the executives to identify these unwanted attributes in their direct reports. and either fix or fire. Then have them do the same to their direct reports. Whenever a new manager is added, they need to go under the same evaluation. You can tell the quality of a leader by the people s/he choses to directly lead. This way you can root them out and keep them out, at least as well as you could hope for.
This was a great read, and if you are a manager or executive, please take Andrew’s words to heart. Otherwise you will not be able to retain anyone with the skills or passion that you need.
Thank you for the comment. I completely agree – its got to start at the top.