Five Quotes That Help Me Navigate

Roy L Post, CISO, AXA Equitable

Leading change is one of the things we security professionals live for. We are at our professional best – most effective, most engaged and most satisfied with our jobs – when we see ourselves as effective agents of change. We pluck solutions out of the tumbling avalanche of technology and technique and fit them, sculpt them, tailor them to fit our organization and solve a problem. Voila, it’s in, it works, people are using it and we enjoy a huge rush of job satisfaction.

But not everybody shares our joy, and we may not understand why. Consider a few thoughts from Harry Levinson.

The human brain exacts a price for every change. It loves to exist in a predictable, repeatable world. Even change that benefits a person still evokes a cycle of mourning for the old bad ways, the familiar.

People need time to adapt. They need to make adjustments. It’s not that they “just don’t get it,” that they are “obstructionists.” It’s just that this is the way the brain works. It does sweat the small stuff.

We need to be prepared to make allowances and not find fault when we lead change and encounter resistance.

A Man’s Got To Know His Limitations: Dirty Harry

No, I’m no Dirty Harry. But Harry had a point. We’re not infinite. We’re not even a scalable resource. We can’t plug in more brain blades to know more and think faster, we can’t get a bigger battery and go on and on without sleep.

We need to know and accept the limits of our own knowledge and capabilities. And we need to leverage the energy of others who have skills that complement ours.

I can probably make a mumbling summary of how certificates and certificate authorities are managed that’s at least 85 percent accurate. But I also know the person in the company who wrote the policy and designed our architecture. That person is my plug-in brain blade.

It’s a little humbling, isn’t it? Asking for help? Admitting we’re not the experts on everything? I grew up in a family of do-it-yourselfers. I’m not wired to ask for help. I had to learn that skill. People like to share what they know. They get engaged. And you build rapport, because you granted visibility.

Grant people visibility and they will do anything for you: One of my former bosses

We all want to be seen for who we believe we are. To know that we are known and respected.

Eye contact. Active listening. Remembering people’s names, stories, expertise. Grant people visibility. “I see you there; I know you and I respect you. You are not invisible.”

Support their self-esteem, which brings me to another Harry Levinson idea, crudely paraphrased in my own words.

A person’s self-esteem can be described as a measure of the difference between who they aspire to be and who they think they really are.

If my aspiration is to be good at my job, and I believe that I am, my self-esteem is nicely balanced.

If my aspirations are high (I want to be smarter, faster, better) but in my self-image I see myself as struggling just to be an average performer, my self-esteem slips into negative territory.

If my aspirations are humble but I realize that I am doing more than I ever thought I could, my self-esteem rises.

Understand who and what someone wants to be. Grant people the visibility, the time, the active listening in ways that support their self-image and help them work toward their aspirations. Reflect back to them the fact that you see who they aspire to be and you want them to succeed as much as they do.

Better is the enemy of good: Voltaire

I might have called this “embrace the maturity model,” but nobody quotable ever seems to have said that. We’re always looking for opportunities to improve our security posture, and when a project crosses the security desk we don’t look at it in a vacuum; we look at it in light of the enterprise security strategy. Is there an opportunity to resolve a security issue through this new project? Maybe the project involves website enhancements: have we got https everywhere we need it? Can we get a little boost in pen testing scope? Should we introduce stronger authentication? What about logging and monitoring of the application?

There’s a certain irony in trying to use nuanced thinking when managing technology that knows only binary logic. If our decisions are binary, we will always ask for more, because risk will never be eliminated. Longer passwords, more fobs, more layers of instrumentation and logging, and so forth. All of which brings its own risks: longer projects, greater expense, more complex end user experiences, to name a few.

When managing information security risk, use of a maturity model helps us save ourselves from the binary world. Consider a model of four steps: 0, no risk mitigations present; 1, mitigations present but inconsistently applied; 2, mitigations present but residual risk remains; 3, mitigations managed and optimized with no significant risk remaining unaccounted for.

We know we don’t want to be at 0 and probably not at 1. Getting to 2 may be a major achievement involving expense, technology, process re-engineering and staffing. Great, but what about that residual risk?

A {person} has to know {his or her} limitations, and an enterprise has to know its risk appetite. A maturity model helps to focus that part of the risk discussion.

Changes, turn and face the strange changes: David Bowie

Change happens. It happens whether we are standing still or motivating it ourselves. Better to ride the wave than tumble in it. Turn into it. Face it.

But know that you and anyone else affected will often still have a nostalgia for “the way things used to be.” While we adapt, we grieve. Beware of false comparisons to the past and focus on the value proposition that brought change about.

When change is afoot, be aware of your own limitations. Accept that there are new ways evolving and you don’t know them all. Reach out for partners, allies, friends to help propel success. Pay them in the coin of visibility and respect, making them know they are known and seen, that you are aligned with their aspirations and believe in them.

Consider the impacts of changes that you want to introduce, the positive and the negative. Consider how others may react and make allowances. Know your own strengths and weaknesses, embrace and support those you work with, know what a “good” solution means for your organization and adjust your course and heading as needed.
