The ManageHub Security Blog
June 8, 2016

Get Off the Hamster Wheel and Run Security Like a Business

“Who has time to do it better, when we are so busy doing things badly?”

Almost always — somewhere in my conversation with CIOs or CISOs — this idea surfaces. Here’s my answer: React Proactively. Each time you focus on fixing a problem, fix it permanently. Here’s how.

During a long career, I’ve had the privilege of researching trends and best practices across the security industry. As part of that research I’ve conducted in-depth interviews with over 450 CIOs and business leaders, and discovered that the greatest weaknesses in security programs are not technological, nor do they derive from limited budgets, nor are they skill- or personnel-related. The greatest shortcomings, affecting more than 9 out of 10 security programs, derive simply from leadership and management, or what I like to call the fire department syndrome.

Fragmented, improvisational, “shoot from the hip” security management is the norm in IT organizations. Security managers and their departments perform tasks with little or no guidance, other than an all-consuming desire to prepare for (and defeat) the next technical security threat, malware or hacker.

Stop operating in “triage mode,” continually hunting for and recovering from threats and vulnerabilities. Companies that run security programs with the cost-efficiency and quality conscientiousness of a regular business unit achieve greater benefits for the organization, and reduce costs relative to performance.

Here is where the success of security leaders consistently breaks down:

Wasting Time
Security teams waste time putting out the same fires, continually “reinventing the wheel” for many security tasks, and performing “busy work” for auditors and customers: recreating documents, filling out SIGs (standardized questionnaires used to self-assess security), completing assessments, and the like.

Wasting Money
Audits and assessments invariably find deficiencies that need to be fixed fast. Each “mitigation” project pulls valuable people off important “normal” projects.

Lack of Systematic Processes
Security and IT teams rarely function together as a finely tuned machine. As a result, managers are constantly running interference when conflicting processes and personalities interfere with productivity.

Lack of Quality Measurement
Annual 3rd-party assessments do a good job of establishing a progress report, like your child’s growth chart at his pediatrician’s office. However, waiting a year or longer between assessments means there is no way to catch operational errors in real time.

Employees Feel Left Out
Employees hoard information and protect turf when they feel uncertainty around them. They want to feel “essential.” As a result, managers have a difficult time responding with agility. After all, if an employee becomes irreplaceable (“He’s the only guy who knows how to run our kludgey authentication server”), then he also becomes un-promotable. The manager has no way to move that worker to any other critical function, and is critically affected when key employees unexpectedly leave.

Support & Training Sporadically Available
Outside consultants and professional conferences offer excellent sources of training and improvement. Unfortunately, it is prohibitively expensive to finance full-time consultants or constant employee trips to conferences.

Any leader who desires to improve security this year should focus less on technology and more on these techniques for reacting proactively. First, think of your security program as a small business and try to avoid the main failings of small businesses:

  • Most small businesses fail because they never become a well-oiled machine
  • Each task is a reinvention of the wheel, over and over
  • Occasional tasks are the least efficient, because knowledge learned the last time that task was performed was never recorded, or left with an employee

I found in my research that success came with three simple concepts:

  • Continuous Improvement
  • Continuous Coaching, and
  • Measurement & Recognition

“Continuous Improvement” you may recognize as the key ingredient in all those business books you’ve ever read. Good to Great, The Search for Excellence, Lean In, The Goal, and the rest. It’s also part of Six Sigma, CMMI, ISO9001, TQM, EFQM and the rest of the Baldrige-like quality improvement programs.

Continuous Coaching is the next secret. Just like a ball team with a great coach, companies that have a resource feeding them exactly the best practices they need for each work activity that needs improvement see their security directors flourish!

Measurement & Recognition is the third. The best way for managers to record success is to measure employee engagement and progress effectively, and the best way to maintain or grow that success is to keep front-line employees engaged for success.

Security Organized Is Security Optimized

For the last sixty years, the greatest business minds have been exploring, theorizing and fine-tuning a body of knowledge collectively known as “best management practices.” You may be familiar with best practices through the work of thought leaders like W. Edwards Deming and Joseph Juran. You may have read classic management books like “The Goal,” “Good to Great” and “E-Myth.” You may have even attempted best-practice approaches like the U.S. Baldrige Performance Excellence Program, EFQM (the European Foundation for Quality Management), TQM (Total Quality Management), Kaizen, Six Sigma, ISO (International Standards Organization), or CMMI (Capability Maturity Model Integration).

The more you learn about best management practices, the more you realize that they share common themes and requirements. Their most fundamental shared requirement is that you create your company’s management framework, which we are calling governance. A management framework automates your company’s management processes in the same way accounting software automates bookkeeping, or a CRM automates customer relations. With consistent use, your management framework helps your company become very organized, efficient, and continually improving. Your employees can become empowered, self-motivated, and self-managed. Your company’s culture can become more innovative, focused, and collaborative.

After all, it’s not our job to secure the building. It’s not our job to secure the network. It’s our job to secure the business — to help it to thrive amid risks.

ManageHub helps professionals like you to excel on the path to growth and improvement.

Sign up now to learn more about Communities of Excellence, and receive Steve Hunt’s eBook…
