That was just some of the advice from Jeff Immelt, former Chief Executive and Chairman of GE following Jack Welch. And if one word could define a good portion of his tenure at the helm, it would be crisis. So it was very interesting to hear his perspectives on leading through crisis on a WOBI call yesterday, and I wanted to share some thoughts with you about it because I think a lot of what he said is very germane to security—even when we’re not in the midst of a crisis like this.
Yes, indeed, though, there aren’t style points awarded to people in a crisis situation. It’s a pass/fail test, as he said. One thing about this whole experience is that it certainly illustrates the character of people—sometimes, not for the better. People who you expect to be leaders because of their position or their experience sometimes collapse into a useless mess…
…and people whom you’d least expect to be able to pick up the banner and rally the troops appear and seem to navigate the back-to-back bombshells with natural grace.
As I’ve said a good few times in these emails, it all comes back to the decisions you make about your activity – what you choose to do – and your behavior – how you choose to respond to events. The choices we’re all making today are going to be with us for at least the next 12-18 months, so it’s worth thinking about them for a few extra cycles to make sure that we’re going to be happy with the results.
That said, one of the other points he made was that what’s needed in a crisis is a unique blend of decisiveness and patience. We always need to be thinking about the next decision we’re going to need to make, but, as I said yesterday, we want to make sure we’re not making those decisions too quickly.
Another aspect of this that we tend to often overlook when trying to lead through a crisis is that we need to have the patience to wait to see how the results of our last decision are actually working out. It’s easy enough to get caught up in the adrenaline rush of decision after decision after decision after decision after decision—because we’re clear we’re “doing something.”
However, if we’re not careful, some of the subsequent decisions might cut off some of the progress our teams are making right at the knees. Not only does that put us back toward the starting line, it sure plays hell with both your morale and that of your team.
Now, I realize that not all of you reading this are in leadership roles within your security teams, but one of the key recommendations Jeff made was about erring on the side of clear communications across the team. You can’t make decisions based on information you don’t have, so hopefully, both you and your leadership are opening new lines of communication during all of this so that everyone feels more closely connected than they were before…
…rather than feeling like the proverbial mushroom sitting in the dark and alone due to WFH, social distancing and directives to stay at home.
And if they aren’t (or you aren’t), then it’s still not too late to fix it. You can start the process from either end of the channel, and, unfortunately, I think you’re going to need it, because I think we’re going to be dealing with all this for at least 9-12 more months. Maybe we’ll have flattened the curve, but we’re still going to need to be making decisions then relating to what’s happening now and whatever impacts that’s having on you and your teams.
The last thing he said that I want to share with you is the necessity during a crisis for you and your team to clearly hold “two truths” in your head at the same time.
The first of those truths is whatever you think the worst thing that can happen will be, so you can make a plan sooner rather than later for what you’re going to do if it happens so you’re not going to be surprised. As security people, this shouldn’t be too hard for us given we tend to live in that state of mind an awful lot of the time. A mark in our favor, I guess.
And the second of those truths is to be able to see the opportunity in the situation…the chance to make the changes you’ve always wanted to make, because…well, why not? What’s the worst that can happen?
If you’re aligned and all working together, then your ability to test out these ideas, learn and adapt will be a lot greater – and with a much better chance of real-world feedback – than they otherwise would be. And if your organization and leadership are smart, they’re not necessarily going to give you a blank check, but they shouldn’t be opposed to investing now to reap the dividends later…
…because, remember Jeff’s comment that times like this are pass/fail tests, not about style. If you can make changes that will demonstrate clear results when the world’s falling apart, they could possibly work even better when it’s not—provided they’re the right ones.
But I have to say that a good portion of the time I was listening to him talk, I was thinking about how much of what he described about leadership during a crisis in one of the largest organizations on the planet…
…sounded a helluva lot like the everyday success criteria for a lot of the roles across security. And the advice about clear communications, keeping both truths of the worst and the best in mind, and maintaining the appropriate balance between decisiveness and patience is something we can all probably do better to put into practice all the time—not just when we’re facing a global pandemic, economic meltdown and a pretty-much guaranteed recession in the near future.
If you want to talk about how these ideas might more directly fit with what you’re doing now and the unique budget, staffing and political constraints you’re facing trying to continually make your security team more effective, that’s a big part of what we can potentially do as part of the Effective Security Leadership coaching and mentoring program. The other part is to give you direct guidance, advice and support on aligning and creating a concrete security architecture you can use to tangibly demonstrate the value of what you do upwards and outwards to the rest of the organization…
…while setting the context, guidance and priorities to ensure that architecture delivers the right operational security controls across all of what your organization does—including cloud, DevOps, risk and policy.
This is the last time I’m going to talk about this program for a while, because I have some big news tomorrow. So if you’ve been wondering whether it might be a good fit for you, then now’s as good a time as any to visit this link and set up a call:
Andrew S. Townley
Archistry Chief Executive