Striving To Be Less Necessary: Developing Future Security Leaders Is Crucial

I would no doubt turn a few heads if I said, “I’m trying really hard to get to the point where I make no decisions and do no work.” But the fact is, if I ever got to that point as Senior Director for EMC’s Global Security Office, I would be an extremely effective leader by developing my team to lead without me.

I don’t expect to get to that state of leadership obsolescence any time soon. However, I know that a crucial part of being a leader in today’s new Information Security paradigm is working to develop future leaders in our organizations. And one of the hardest things about leading is developing leadership skills in others because as you do, you frankly become less necessary.

Those are some of the points I explored in a workshop about Developing Cross Functional Leadership Skills at the 2014 RSA Conference in San Francisco.

While I am sure that many of the conference attendees will be there to learn new technical skills to be better leaders, these skills are only one of many ways leaders gain power and influence in their organizations.

What is leadership and why does it matter?

Click to Enlarge

IT Security has shifted away from relying on technology and banging our fists on the table mandating rigid behavioral rules to safeguard our information.  Because IT is striving to be more accessible to the consumer, today’s security professional realizes that fostering collaboration and cooperation among IT users to do the right thing to avoid risk is crucial to achieve information security in today’s world.

So it makes sense that instead of using so called ‘Draconian’ methods, bureaucratic structure and positional power to get things done, we may be better served by a security leadership that embodies a more thoughtful strategy and approach to put risk decision in the hands of the people best equipped to make those decisions. Our users.

After all, in many cases we don’t have direct oversight over what our business users do. That means we need to articulate to them a vision for managing risk and drive the appropriate behavior and decisions through effective influence. And that is what today’s IT Security leadership is all about—behaviors.

While we may talk about leadership in terms of positions and titles, you don’t have to be in a position of authority to be a leader. You are a leader as defined by your behaviors and activities. Leadership gives you the ability to influence and motivate and to drive change.

If leaders drive change, we must also understand that our organizations—EMC or our security program—are changing all the time, so leaders are integral to that change and not just subjects of it.

What leaders do is influence peoples’ attitudes, beliefs and values. You can’t deploy a technology that does that. We can put as many security controls as we want in place, but ultimately none of them will change attitudes, beliefs and values. So if we don’t drive user behavior, ultimately we won’t get security because we can’t control every aspect of peoples’ behavior.

What’s the problem?

Ok, so we know what leadership is and why it matters. So what’s the problem?

The fact is that while we all agree that leadership development is crucial in IT Security, we don’t necessarily take the right steps to develop it in ourselves or others. A recent survey found that most executives see improving and leveraging leadership talent as a top priority, but consider their corporate leadership development programs inadequate because they are relying on someone else to do the job.

The best way to get more leaders is to go develop them. And if we fail as leaders to develop more leaders, then we’re not leading. It is a vicious circle.

There has long been a debate over whether leadership is a skill or a trait— whether people can be taught to lead or are born to lead. I say it doesn’t really matter which theory you favor. It’s behaviors that really influence all of us and leaders influence followers through their behavior. We need to focus on what leaders actually do.

To that end, there are three categories of leadership behavior:

  • Task focused—setting goals, putting processes in place, and understanding the functions need to get things done.
  • Individual behavior relations—understanding peoples’ feelings, considering morale, and including team members in decisions.
  • Team focused—collaborating and communicating.

Leaders need to engender a combination of all three of these categories as they manage demand, develop opportunities, and deal with role conflicts.

Power is, of course, a key part of leadership behavior. Leaders can exercise positional power, leveraging their rank or title to reward people who do things they want and sanctioning people who don’t. Or they can leverage personal power—personal relationships with people and the merits of their professional expertise—to influence those they lead.

Exerting positional power might get compliance from workers, but is unlikely to gain their personal commitment and can give rise to resistance. Personal power tends to be more effective in getting people to be committed to what you want them to do and less likely to get resistance. There are times and places for both.

Leaders also need to ponder is the merits of delegating responsibility or not delegating. Oftentimes you can get things done faster if you do them yourself, but then you won’t be teaching anyone to lead in the process.

Striking a balance

In most cases, striking a balance in light of your situation and your organization structure are key. And in every case, you should, as a leader, be using your influence to develop leadership in your team.

Sending people to training is important, but what you do after that training is important as well. Are you discussing what they have learned so you can learn from them? Are you giving them the chance to use what they’ve learned? You might want to consider a refresher course for yourself.

I tend to go with my entire team to trainings. That way we all learn together, practice the concepts together and observe each other putting new skills into action.

In recent years, the workplace has moved away from using apprenticeship type programs to help employees develop well-rounded technical and social skills. We tend to think that they come out of college with all the technical skills they need to jump into the workplace. But in reality nobody ever taught them how to fit into an organization, how to play the politics, how to build relationships in the workplace or how to network. Internal leadership programs go a long way toward addressing some of these issues; however, this alone is not enough.

We as leaders need to influence those behaviors along with providing the technical skills, through mentoring, coaching and through our own behaviors. The important thing is we can’t just sit around and wait to be anointed as leaders before we start to lead. If we think we can change behaviors for the greater good, then we have to lead.

About the Author: Doug Graham