An infosecurity manager's life can be one of aimless repetition, but leadership skills break the cycle.
Within an organization, an information security manager is often trapped in an endless cycle year after year, repeating the same old activities, never making any progress. It's just like the namesake movie in which Bill Murray gets stuck in an endless replay of Groundhog Day.
For example, what's the first thing an information security manager is expected to do? Create a new policy. In large organizations, most security policies have been replaced several times. Another day, another policy. Were the old policies really not good enough? Did the security manager want to establish authority or just look busy?
Murray's character frees himself from the endless repetition of the same day through self-awareness. Taking advantage of experience to affect his own self-improvement, eventually he and Andie McDowell's character wake up Feb. 3 in Punxsutawney. Situa-tional awareness and relentless focus on goals are the ways corporations can escape from their own Groundhog Day. If you put the cart before the horse, you're always going to get stuck going in circles. Putting the horse first doesn't guarantee you'll reach your goal, but it beats the alternatives.
Policy is a bad starting point for two reasons: Without an in-depth understanding of the organization, an newly hired security manager is unlikely to improve on existing policy. More importantly, no matter how well-written the policy, it is useless as an instrument of organizational change unless it is championed by someone who exerts influence.
Just as Murray's character eventually endears himself to the small-town Pennsylvania residents, a security officer's most important first task is to establish leadership--which is not the same thing as exerting authority. Authority is having the privilege of making decisions; leadership is the ability to teach and inspire. Without leadership, there will be no interest in developing personal skills and no change in corporate priorities or culture. Unsur-prisingly, a lack of leadership leads to endless repetition as the organization continually makes the same old mistakes.
Organizational change, the other classic Feb. 2 behavior shown in the film, can't turn people into leaders. Organizations seem to continually fiddle with the reporting structure of the security function, but the aimless repetition is counterproductive. New org charts are usually just a superficial attempt to solve foundational infrastructure and cultural problems on the cheap. Security requires the cooperation of the entire organization, and the security manager must gain this cooperation by influencing decision makers in every business unit and corporate service. It should be clear that there can be no perfect reporting point when a function cuts across the entire enterprise.
Good managers will find their way into an appropriate organizational structure; and, when the time is right, a good leader will put together a council to write a policy that everyone buys into. Strong internal relationships, trust and credibility are the horses that pull the infosecurity program wagon. Leadership comes first; an improved reporting structure, a useful policy, and all the other attributes of an effective program follow.