I got to thinking today about the way we internalize new behaviors. And I think that most of us don’t really remember the fundamental things we learned as we evolved through life that we take for granted today…
…like learning to walk
…like learning to ride a bike
…and even learning to drive.
Now, if you’re from the US, you do all those things by the time you’re 16 years old. And if you’re a CISO, the stats say that was between 24 and 44 years ago.
24 and 44 years!
In only 10 years I forget a lot of details, but then, according to my personality type, I’m more of a big-picture guy than a detail guy—but don’t try to tell that to the contractor who installed the crooked light switch box (and plate) in my house. There’s no way I’m letting him off that easy…
But 44? That’s a long time.
Mind you, I’m NOT discounting experience. Experience with reflection (e.g., wisdom) is truly an exceptional thing, and far too many of us – myself included sometimes – kinda don’t quite follow through with the whole reflection bit.
So let’s fast forward about 30 years, since that’s right in the middle. And let’s say you’re a CISO who’s not happy with the effectiveness of your security organization.
Your threat and incident response teams are overwhelmed with the deluge of “potential” data they get, and each one of those needs to be tracked down, validated and crossed off the list as the candidate of THE BIG ONE, or people will think you’re not doing your job or something….
And you’re trying your best to shift your security to more agile and more proactive mechanisms, but there’s still a bit of a feeling like you’re trying to turn the Titanic on a dime—and not winning that fight…
Or you’re just fresh off the adoption of Framework-du-Jour, and you think you’re ready to go head-to-head with the bad guys because, after all the work you and your team have been through, you’re the embodiment of the rag-tag recruits in one of my favorite movies, Stripes:
You’re a “lean, mean, FIGHTING [security] machine!”
Or not.
You see, the sad truth about objectives is that while everyone talks about them, and everyone seems to want them, they’re just so damn hard to identify, quantify and actually…well… ya know…MEASURE.
It’s a bitch, really.
And so, your path to becoming the lean, mean fighting machines of the future of cybersecurity just might be built on a passel of documents and deliverables created by “TOP MEN” (and women, but that wasn’t in the movie quote that popped into my head just now).
And then you kinda wonder why things are still not quite going the way you expected. You’ve ticked the boxes, you’ve been advised by the top-t-est, TOP MEN (and women) in the industry, and yet…
…things still somehow look like a bunch of preschoolers trying to learn the Macarena.
Well, to be fair, the preschoolers on a good day might have just a slight edge.
And the reason might be that…
…trying to adopt framework-du-jour AND keep the lights on AND be home by lunchtime AND…AND…AND…
was just a bit more than your team could handle.
And so, while they’ve been EXPOSED to the framework, it hasn’t become a habit.
The time, patience, mistakes and practice required for learning and internalizing new skills and disciplines just somehow wasn’t available.
There were all those alerts and items in the work queue after all, and we didn’t have time to integrate those into the new process…
Right?
The unfortunate reality is that I’ve seen this, and I’ve been told stories by people whom I respect deeply, that this kind of thing is not quite as rare as teeth on a frog.
So, I know that I don’t want to have a front row seat at this kind of thing, and as a result, I’ve been doing some deep dives over the years into what it takes to really change behavior…to change habits…and replace them with new ones.
Now, there’s a book called The Change Monster by Jeanie Daniel Duck, a former BCG consultant who talks about the cycle of change and the process organizations go through whenever they finally have the magic alignment of vision, commitment and budget to initiate a change program.
But the thing is, it doesn’t tell the whole story.
The rest of the story (which is started in the book to be fair) is human. It’s about what makes us tick…what makes us act…and how we make decisions.
And it’s something that very few people know — let alone security (or business) leaders – except possibly because they’ve somehow figured it out intuitively.
But it’s the key thing that’s really make-or-break time when you’re embarking on a change program.
And the full version of the African proverb I actually first saw on a slide at my son’s school in Cape Town may apply:
“If you want to go fast, go alone. If you want to go far, go together.”
Now, of course, here’s where I could talk about the revised coaching program that is on a flash sale because of the correlation of both Brazilian and US holidays, but – except for that – I won’t mention it (at least for now)…because:
There’s an assumption there…right there in that proverb.
And that assumption is that you know where you want to go.
Maybe you do, and maybe you don’t. And, as they also say in Ireland, “it is what it is and you are where you are.”
What matters is what you do next.
What matters is what decisions you make.
What matters is what visions you have that drive those decisions.
So I ask you: do you really know what it takes to transform your security organization while still keeping a “hair on fire” operation going 24×7?
I’m not sure I do either. And that’s the truth.
But I might know some questions you might want to think about. And I might have some experience that would help you avoid getting stuck in the middle of implementing a program you’re CERTAIN will be EXACTLY what the organization needs…
…or that when, months down the line, you feel ready to give up the whole thing and admit you’ve made a mistake because the project schedule says we’re done, but…
Hey, we’ve ALL been there. And anyone who says otherwise either is lying…or they’re a robot.
So, even though I’m not sure whether I can actually help get you where you want to go…I’m also not sure that I can’t.
If you want to find out either way – with no risk other than investing the time it takes for a call – then maybe you should head on over to this link:
https://securityleadershipcoaching.com
…and click the big yellow button at the bottom and find a time where we can talk.
Maybe it’ll be worth your while, and maybe it won’t…
…but the only way to know for sure is to schedule that call.
I’ll be happy to talk to you.
Cheers,
ast
—
Andrew S. Townley
Archistry Chief Executive
P.S. And I apologize for the typos. My 2018 MacBook Air is again displaying the keyboard glitch that I’m pretty sure, if Steve was still around, would at least have a good official story instead of being buried on the Apple Support forums…but I’m several thousand miles away from the nearest Apple repair center where I’d be willing to leave my machine for 3-4 days, so we’ll just have to suck it up and “read through” the extra spaces. Sorry about that.