Security managers always have warning signs that they're losing their grip, but they rarely yield until it's too late: missed project deadlines; preventable security exposures; devastation at the hands of the latest worm and, worst of all, a disenfranchised and deserting staff.
We've all been there and we've all fallen back on the same excuses: limited resources; unbudgeted assignments and unrealistic management mandates. But the signs of failure are plain as day, and you're in over your head before you know it.
The key to your professional success is reflecting on and understanding the warning signs, and knowing how to reverse course and get back on track for world-class infosecurity leadership.
#1: You're not getting the message
As a security manager, you use meetings with staff to "connect" on a personal level, share information and get everyone on the same page. These meetings are what communication is all about, right? Think again.
Communication is a matter of efficiency on both sides of the conversation. If there aren't going to be at least three staff members in the room, use e-mail, the telephone or IM to communicate more effectively with your group. If a meeting requires less than an hour, don't have one; instead, maximize your time by writing an e-mail that will only take your staff five minutes to read. Communication is most effective when it's intended to disseminate information or directions rather than gather information or troubleshoot a problem.
#2: Just get those firewalls up--now!
The temptation to dive in head-first to get things done quickly is irresistible. But, you're doing yourself and your company a disservice if you don't make a formal plan with your staff's input before starting a project. Rely on your people to help produce a sound plan with realistic deadlines.
#3: The best and the brightest are sulking
Ever walk into the office in the morning to a lot of glum faces? Do you overhear things like, "I come in. I do my job. I go home."?
These are the signs that your staff members don't have a sense of ownership in their jobs. There may not be an "I" in "team," but there is an "I" in "security." Personal ownership instills pride, encourages innovation, and increases individual and, correspondingly, collective productivity.
#4: Breathing down people's necks
You like to stay in the loop, close to your staff's activities -- but is this a bad thing? Asking for daily progress reports and second-guessing how employees conduct their tasks can erode trust, actually creating a disincentive for innovation and success. Holding staffers accountable for their actions produces more long-term benefits. Remember the implementation plan? If your staffers sign off on it from the start and then miss key deadlines, they only have themselves to blame.
For management, and anyone else who needs to know what your team is doing, create a tracking document on the company intranet that marks each project's progress.
#5: The talent pool is stagnant
If your staff isn't volunteering ideas that will save time and money, they're probably so overtasked that they don't have time to think creatively, let alone innovate.
While not every security department has the luxury of giving its staff "creativity time," dedicated research time can produce money-saving results. Realistically, you can set up a rotating schedule of, say, one week every quarter for pure research. Or, on a case-by-case basis, you can take individuals off the daily work schedule to explore new initiatives.
#6: You're missing the personal touch
Near 100% efficiency and effectiveness is possible. To rack up this kind of winning percentage, you just need to apply a little creative personnel management.
Find the right mixture of personal and team incentives. Mix up your players. Leverage individuals' strengths and varying perspectives to solve security problems. With a little luck, this collaboration will spur innovation -- and your staff members might have a little fun.
There are tangible benefits to your planning, communicating and counseling: You'll see better results, have a more secure infrastructure and acquire a better sense of your staff's strengths and weaknesses -- leading you toward greater management efficiency and effectiveness.
About the author:
James C. Foster, CISSP, is a technical editor for Information Security magazine and a deputy director for global security solution development at Computer Sciences Corp.