Tuesday, September 30, 2014

InfoSec Leadership - Creating a culture and avoiding gimmicks

Intro:
An organization's identity and culture are a source of pride for many, and a source of many problems for others.  I have been studying Organizational Leadership for quite a while now, and have come to realize that IT in general, and Infosec in particular, is mostly getting it wrong.

Why?
In general, IT has been promoting the best technical people into roles of leadership.  Apart from the C-level positions, your average IT organization ignores leadership skills and rewards those who perform technically well.  This generates a great deal of referent power, but ignores the personality characteristics that must come with a position of leadership.

With a higher position comes reward power, coercive power, and several other sources of power that a leader has at their disposal.  Gaining these tools in leadership can be an issue for those not prepared to lead.

In working with many IT people over many years, I see a lot of "Power Drunk" senior staff wielding coercive power and mentally beating down junior staff for simple and honest mistakes.

This is not how we lead.

This is how to alienate people.

This breeds more destructive behavior.


On the other end, when dealing with users, many companies implement reward programs, which reinforce good behavior.  Unfortunately, this only works on people who want the rewards, and only until they have gained the rewards.  Reward or bounty systems have a severely limited shelf life and limited effectiveness.


How does this apply outside of IT?

Infosec is typically the most important policy surrounding the IT department for a company to enforce.  As we saw above, we have oversimplified leadership into two types of programs:

Coercive - Don't screw up or you're fired.  Even 2 strike policies don't work.

Reward - The gamification of Infosec suffers from the problems I outlined above.

Infosec lacks true leadership:

As tech people we should know that there's no simple way to solve a complex problem.  So why do we oversimplify leadership across internal organizations?  It's simple: they don't like us.  We lack the personal power that would serve as a source of balance in our leadership practices.

Avoiding Leadership Gaps:

1. Hire personable people within your Infosec group - Also, make sure they are visible within the organization and are likable when dealing with users.  People are more likely to listen to people they like.

2. Be transparent - Give the organization a sense of what you're doing to help protect them and to make their jobs easier.  Make sure that you reinforce that it is an organizational effort, and get users to buy in through a sense of working together.

3. Build a comprehensive game plan - If you want to be a true leader in your organization, go to leadership with a way to build rapport.  You do not need to spend money, you just need to show you can blend sources of power into a change in culture, not just a policy.

Finally:

Work with what you have at your disposal.  Some people will be above policy, but no one is above culture.  Some people will get away with things they shouldn't, and there is nothing you can do to change that.  If all you have is policy, you have a finite tool that will never be applied evenly.  Culture has a strange way of weeding out those who don't fit in.  They lose support from those who see them as an outlier, and eventually fall out of favor with leadership.

More to come about leading an Infosec team next time.