This past week I was the keynote speaker at a Corp! Magazine awards ceremony for Michigan businesses that are leading the way in digital, science and technology. Here’s how I opened my remarks:
I’d like start with this question: Are you an innovator or a protector? I will take a poll of the audience in a moment, but first, allow me to define the two groups.
In my 30 years of professional experience cutting across the public and private sectors, there are two kinds of ambitious people. Both seek to make an impactful difference in the world, but in very different ways. I am speaking primarily of a mindset.
First, the innovators. You always strive to be on the new projects at your business, seeking the cutting edge of hot new technology. You want to work for the brightest thought-leader in the industry. You strive to learn about the new advances, best practices and latest developments in order to improve, advance, expand and grow the business.
You must have the latest iPhone or Droid smartphone and the next version of important software or new product. Your innovative models include Bill Gates, Mark Zuckerberg, Steve Jobs or top women in your industry who introduce new ideas. You dream of starting your own company.
Next we have the protectors — or "defenders of the enterprise." In a world full of data breaches, fraud and criminals, the protectors keep the business safe. Protectors stop the bad guys (both offline and online). You make the rules and watch out for insider threats, or external and internal risks that must be mitigated.
Yes, security pros like me are defenders, but there are other groups such as accountants, auditors, technology infrastructure professionals who patch our systems, the police and military personnel and others who assist us in dealing with troubles in the world.
Protectors have heroes like Captain America, Batman, Luke Skywalker, Wonder Woman, Gen. George S. Patton and others.
I asked the audience for a show of hands for each group. I told them that everyone must vote only once. The results: Over 90 percent considered themselves innovators — which was not surprising given that they mostly worked for small and medium-size company award-winners.
Can We Work Together? Innovators vs. Protectors
I was thinking: "Perfect." This is was the result I expected.
But I also knew I could not “convert” any innovators in the room into protectors, any more than we can turn an extrovert into an introvert using the Myers-Briggs indicator methodology.
My real goal was to improve understanding and respect for the other perspective. Why? Even with a strong protector mindset, I have seen huge benefits in my career by becoming more innovative in my thinking. This transformation happened because some caring innovators pulled me aside (on multiple occasions over many years) and showed me my blind spots.
Only recently did I realize that innovators have just as great a need to understand protectors in the workplace. I came to this realization while writing a blog for the Brookings Institute on how cybersecurity can be an enabler of innovation.
But how could I make this point clear and meaningful to an audience full of innovators? I decided to use my case study on why security pros fail.
No doubt, I knew that this audience full of innovators had a different set of blind spots. Nevertheless, I wanted to show them why I was still passionate about being a protector and learned new habits to work with innovators effectively.
7 Answers To Becoming More Innovative
Here is a summary of seven innovative solutions that I learned through the "school of hard knocks." Most protectors (and even some aspiring innovators) face these challenges, even if the examples are different. Note that these challenges are explained in much more detail in this seven-part CSO Magazine blog series.
1) Stop Saying "No" — Protectors are often viewed as the "party poopers." Are you bringing problems or offering solutions? Are you viewed negatively by the business?
Become an enabler. Ask yourself whether the business sees value or roadblocks in your approach.
Back in 2004, when I was Michigan's CISO, I was in the "no wireless" camp. I quoted many experts from the NSA and other three-letter agencies who said that wireless networks simply could not be protected. My boss at the time was Teri Takai, who became both California CIO and DoD CIO. She challenged me to deploy secure wireless, following examples from several companies. Teri's advice made me rethink my business approach. Over time, I became known as an enabler of new technology, and Michigan won awards for our secure wireless networks.
2) Offer "Gold, Silver and Bronze" Options - Protectors typically offer only one solution, such as a one-size-fits-all approach to cybersecurity. We see things as black and white — for example, either it's encrypted or it isn't.
Try to offer at least three alternatives. Look for other solutions from Gartner, Forrester, tech magazines and colleagues at other companies. Check with industry associations, former co-workers and outside experts who can help come up with a range of solutions. Help the business understand the risks associated with each option, then let its members make the final selection.
3) Display Genuine Humility with Professional Excellence — We preach against fear, uncertainty and doubt (FUD) — but we don't practice what we preach. Security staff use legal compliance, dark-side hackers, malware problems, Third World threats and identity theft as trump cards. Staff can act as if these challenges are the only problems truly worth fixing. We forget our place and the reason for the security team's existence.
Goals in this area should include good collaboration and following established project life-cycle processes that build in security. Declare an emergency only rarely, or others will think you are crying wolf. Seek to be a respected team player. Treat others as you would have them treat you. One tip: Join the office softball team or take part in some other fun company activity.
4) Improve Customer Relations by Separating the People from the Project. Do Lunch. — So, here you are with that annoying client. They won't pay for the controls, and you're being forced to try to convince the auditors that you're in compliance.
You've now concluded that the business team will never get it. You've emotionally checked out. This has led to an unspoken us-versus-them mentality at project meetings. Problem is, they have the money, influence and power to make things happen.
Answer: Separate the tough issue you're addressing from the person you disagree with. Remember that the relationship will usually last longer than the current challenge. Get to know the business, one person at a time. Build trust. If the business fails, security fails. If you listen to your customers over lunch, you will naturally build relationships that outlive the bad things that happen. The customer is (usually) not clueless — so figure out what you don't know that he or she does.
5) Seek Accountability: Find a Good Mentor and Practice Virtual Integrity. The reality is that the smarter you are, the more you advance as an expert, the greater your temptation becomes. As you learn what the bad guys do and how they do it, the new ways to avoid detection, the secrets of the trade and the best ways to build and get around defenses, you will face a series of crossroads. Your ethics, values and beliefs will inevitably be tested. This is similar to a cop who arrests drug lords and finds a stash of cocaine or cash. Should he or she take a bit while no one is looking?
— Seek advice from respected colleagues regarding practical ethical behavior. Find one or more accountability partners who share your professional values. Remember that accountability is for winners, not losers. The best musicians, artists and athletes are accountable to coaches. Everyone who strives to improve needs accountability.
— Find a trusted industry mentor whom you admire. Make yourself accountable to this person regarding the direction of your professional career decisions.
— Practice the seven habits of online integrity found at www.govtech.com/pcio/Seven-Habits-of-Online-Integrity.html.
6) Watch Out for Career Burnout. Seek Work-Life Balance. We all need to recognize that stress and potentially even burnout come with the territory. Prepare for stress like you anticipate weather changes. Look for the warning signs. Being keenly aware of the burnout possibility is a first step.
Second, take some time to step back and analyze your situation at least once a year. Schedule some time to get away, and try to disconnect for at least part of the break. If you do check in with work during vacation, put barriers around your time. Talk about how things are going at work with those you trust but who have a different perspective. Get professional help from a doctor, if needed.
Third, recognize that your career is more like a marathon than a sprint. I like this quote from preacher Charles R. Swindoll: "You're through. Finished. Burned out. Used up. You've been replaced, forgotten. That's a lie." There is always hope.
7) Break Out of the Box. Lead by Moving Beyond Your Position Description
We all need to learn the power of the Pareto principle, which states that 80 percent of the effect of our work comes from 20 percent of the causes. In John C. Maxwell's book Leadership 101: What Every Leader Needs to Know, he describes the power of the Pareto principle at work. Here are a few examples:
— 20 percent of your time produces 80 percent of your results.
— 20 percent of the people take up 80 percent of your time.
— 20 percent of your work gives 80 percent of your job satisfaction.
Here are a few pragmatic work strategies to encourage outside-the-box thinking:
— First and foremost, understand that the box placed around your position is a good thing that must be respected. Always complete your stated duties, or you may be labeled as lazy and not respected.
— Volunteer for key committees or important ad hoc teams. Strive to lead, deliver and exceed expectations in these roles. Start a blog or wiki. Don't hoard knowledge; freely give it away.
— Generate good ideas. Look for organizational needs that aren't being met. Discuss these problems and potential low-cost solutions with your management. Think partnerships — beyond your own organization. What industrywide opportunities can you take advantage of?
Here's a summary of the seven problems and solutions.
I was very pleased after the presentation when several successful executive innovators came up and said, “Now I understand my security team and other protectors in my organization much better.”
That was my goal. So whether you are an innovator or a protector, I encourage you to strive to understand the other side.
Walk a mile in their shoes. It will help your effectiveness.