This morning, my wife shared with me some COVID humor she saw either on one of her “mom” groups or social media. I’m sure there’s more than a few of us who’ve been on lockdown for a while who can relate:
WIFE: “What would you like for dinner?”
HUSBAND: “What are the options?”
WIFE: “The options are ‘yes’ or ‘you can go feckin’ starve!’ Take your pick.”
Having been under somewhat constrained culinary choices for a variety of reasons over the last couple of weeks in our house, I have to say, I laughed…
…and longingly dreamed of piles of sushi from Willoughby’s.
In this case, the whole “my way or the highway” mentality is clearly a stress response from someone feeling a bit overwhelmed and anxious about the state of the world. It’s normal.
And it’s normal because we’re human.
However, sometimes the “my way or the highway” mentality is institutionalized—just as it often is with our security programs. I mean, come on. Tell me you’ve never said to a security something eerily similar to the words that came out of my 5 yo son’s mouth yesterday:
“You get what you get, and you don’t get upset!”
Now, I don’t know where he got this, but I blame YouTube’s lack of better filtering since I had to re-enable it on his iPad so he could do what he’s supposed to do for school. He always somehow manages to go from school videos…to HotWheels track building…to “Escape the babysitter” seemingly no matter what I do. However, it’s certainly a phrase he’s never heard from me or his mother.
Anyhoo…if you’ve been a reader of these emails for a while, you know I think this “take it or leave it” approach to security is a bad thing. And you also probably understand what donning the riot gear of the Policy Police probably isn’t the best way to win friends and influence positive change in our security customers.
What I’ve come to recognize over the last couple of months of consistently pouring through reference architectures and control libraries to represent them in terms of the Baseline Perspectives™ of The Agile Security System™ is that…
…the real reason we’re failing to give our customers a choice on how they consume their security is that – in a lot of cases – our choices for security are driven by just as much anxiety and fear as the comments from the long-suffering wife above.
We know we have a big, important job to do.
We know there are potentially huge consequences if we get it wrong.
We know that there’s no way we can keep up with everything.
We know that there’s a helluva lot less of us than there are in the rest of the organization making security decisions every day.
And we know we need help, or we’re going to go crazy (and, unfortunately, even all the help in the world can’t prevent that from time to time).
Because we also think we don’t have time, or the world is moving too fast, or we’re feeling like we’re not ready because we don’t have the skills, expertise or the staff to figure out the right answer…
…we go looking for leverage from packaged solutions, like “best practice”, standardized control libraries, product vendors, methodologies, experts, etc., etc…
And whatever we find, we often tend to take at face value, because they themselves are big, complicated “black boxes” that we don’t really understand…
…nor have the time, or sometimes the skills, to truly learn, analyze and decide which of the parts we really need…
…not to mention how to stitch them all together into a coherent foundation of a security program.
So we don’t.
Because we don’t do this, so there really isn’t much of an option we can give our security customers when they ask us what’s for dinner.
“Here’s the policy. Follow it, and leave me a lone.”
“No, you can’t do that. We don’t support it. Now, leave me alone.”
“Yes, if you want your email on your phone, we’re going to manage your personal device. Now go away—and be glad you can be connected to the office 24/7/365!”
So, I get it if what I’m about to say blatantly might make you uncomfortable—or even downright piss you off. And it’s something that you might’ve already picked up so far, so maybe I don’t need to say it. However, just in case:
Security professionals spend far too much of our time being scared, stressed and anxious, and that means that we’re driven to decisions that might not be the best for our organizations—even though they feel “safe” or “right” for us.
The bad news is that far too many people don’t really realize this, and so they’re surprised, frustrated and confused when their security program doesn’t really ever get any better.
The good news is that the human-driven solution for fear, stress and anxiety is already known. It’s knowledge, and it’s having the skills to put that knowledge in to practice confidently, no matter what situation you might be in.
As someone very wise once said to me talking about being scared shitless on the battlefield, trying to help me when I too was feeling a bit overwhelmed one day:
“The secret is focusing on what you can control. Even if it’s being able to wiggle your little finger. Because if you can show yourself that there’s something you CAN control when the rest of everything else seems totally out of control, it’s how you take the first step to realizing you can control a lot more than you actually think.”
He was right.
Now, maybe none of what I’ve said applies to you or anyone on your team. And maybe you think I’m a quack who doesn’t know anything.
That’s fine. I can live with that.
But if – when you really think about where you are and what you want to accomplish professionally with your security team – some of this makes sense…
…a super easy, and very small decision you can make that is within your control is to do something about it—either with me as part of the Effective Security Leadership Program, or with someone else.
The first step is making that decision. After that, who knows where it’ll take you.
To see if you’re right for the program and whether I might be able to help you, use this link to set up your screening interview:
Either way, never forget that you can actually control a lot more than you think—especially in the times you’re sure you can’t.
Andrew S. Townley
Archistry Chief Executive