The Insecurity in Security part 3: Inconsistency and frustration

Victoria Hanscomb
In this installment of the exclusive series from Tim Wenzel, CPP, Co-Founder and President of The Kindness Games, he discusses how to banish the frustration that can so often be felt in security.
To the brink
Frustration. That low boil tension which is palpable between us and others.
At times, it rises within you when your employee begins to do that thing again.
That thing you’ve been trying to deprogram for months.
It can be the invisible G-force pinning your team to the backs of their seats as you tell them “it’s not good enough” for the third time during this project.
For many of us it’s the tension in the room full of our business stakeholders or clients as soon as we walk in.
We try to make our smiles and greetings feel natural but we are uneasy, hoping this will go better, but somehow knowing it won’t.
Frustration can be the feeling of that self-fulfilling prophecy that you can’t get away from… of being upset or annoyed due to our inability to change or achieve something.
Many security departments live in a perpetual state of frustration. At times, it is our only constant.
When we feel like things are going well, we’re told they are not.
Every time we feel like we’ve “cracked the code,” there’s a new roadblock, a new source of frustration.
For some, this builds to become so palpable that our stakeholders within the business quit accepting our meetings.
It can take us to the brink where any form of change would be welcome.
I’ve been there. I know many people who are there right now.
So many have left very good roles because of this perpetual frustration… and unfortunately, I know many whose new role had similar tones of frustration soon after they were onboarded.
Is this just part of being in the security industry?
Partly yes.
As I discussed in The Insecurity in Security part 2: A higher purpose, over the decades we as an industry have been caught in a competency trap, desperately trying to stay out of trouble while operating on the same assumptions we operated on in the public sector.
We have taught the businesses we serve that we don’t really get it.
We don’t see ourselves as part of the business; we are security… so we are treated with passive disdain.
We have taught the corporate world that we are cost centers… a money pit which is necessary in case something happens.
When something happens, we are the money pit to blame.
The budgets they’ve wasted on us are their penance and due diligence against the probability of a major security incident happening.
Lack of vision + lack of understanding x lack of meaningful feedback = frustration
Vision: the ability to think about or plan the future with imagination and wisdom.
Have you defined a vision for your security organization? Does your security organization have a mission statement of its own? If so, does it align with the organization’s?
Understanding: the ability to comprehend, to become aware and to have insight, resulting in good judgment.
If you don’t understand the workings of corporations, non-profits or whatever organizational model you serve, do this right now.
Buy:
- Quickbooks software
- Quickbooks for dummies – eight books in one
- Find the NOLO book which discusses how to form and manage the entity you serve
- Find the NOLO book on corporate taxes
Manage your personal budget on Quickbooks as the type of entity you serve for the next year or two. This is the beginning of understanding.
Have constant trouble with legal, HR or the product your company offers? Start attending their conferences and understanding their issues.
Build your business acumen! Your stakeholders will notice and applaud your efforts.
Meaningful feedback: this only comes with relationships.
This only comes with trust and the ability to humbly put in the work to understand where security is failing from their perspective.
Enterprise security risk management (ESRM)
Frustration creates and exacerbates inconsistency.
Inconsistency is the cause of all procedural breakdowns… the breakdown of processes which are essential to managing a business.
Do you have formalized policies, processes and procedures at all levels of your security organization?
How do you govern your security portfolio and what structure have you built to be governed by the business?
Who in the business should be governing you? Have you provided them the correct scorecard for grading your performance?
In my experience, the answer is emphatically no.
This is the source of the disdain. You are most likely running a broken business unit and you don’t even realize it.
ESRM provides the modeling to build a framework which solves all of these problems and allows you to build your security organization into a business unit.
ESRM provides a very useful lens for security organizations to methodically study any company to understand where its value proposition lies.
1. Risk management and governance framework
What do you do? How and when? For whom? Do they agree?
How do you measure success, failure and value? How do they?
Like an org chart, governance documentation begins at the top, the macro level, and continues down through the main organizational structures to the individual programs.
They define purpose, strategy and the management functions over all deliverables.
They ensure alignment and discourage duplication of effort.
Since security, properly understood, is a function of risk management, you cannot have governance documentation which does not define the risk and threat landscape and the strategy for defining and managing that risk on behalf of specific business stakeholders.
2. Risk management methodology
The ESRM cycle provides this workflow for all security disciplines.
Physical, logical, insider threat, workplace violence, intellectual property, it doesn’t matter.
The ESRM cycle is relevant and helps identify the correct stakeholders and the value proposition for your circumstance.
“But I’m mandated to use a different framework! Our cyber security department uses NIST.”
No worries, NIST is the framework you use, but ESRM can be the logical thought process which drives your organization.
This truth applies to all risk management frameworks which may be mandated by an industry, a regulatory body, or an enterprise risk management (ERM) function within your company.
Speaking of ERM functions… does the organization you serve have one? If so, you should be best friends with the Chief Risk Officer or whoever the head of risk management or governance is.
This is a natural alliance and these people will gladly help you form your governance and risk strategy around what is expected within the company.
3. Program management
These are the programmatic controls put in place to maintain the business health of your programs.
The Program Management Book of Knowledge by Project Management Institute (PMI) has everything you ever wanted to know on this topic.
The value here is that your programmatic controls complement the project management initiatives you will have going, which are documented in the Project Management Body of Knowledge (PMBOK) by PMI.
The business of security
The development activities I do with my employees center around ESRM, program management, governance, ERM, personal branding, public image, communication and influencing people.
In short, my employees are taught the business of security and how to adapt to other business units and industries so they can become true security professionals.
From this vantage point, we walk confidently into every type of situation.
We are rarely frustrated and we rarely have business partners frustrated with us.
Instead, we dive into the potential sources of inconsistency and frustration. We challenge assumptions, test theories and identify root causes.
As for everyone, not every meeting is a happy event.
After all, in security one of our main responsibilities is being the bearer of bad news. This isn’t a silver bullet.
When we are exposed to poor feedback or someone who emphatically disagrees with us, we understand why we are here, in this very moment.
We are able to listen dispassionately, to ask questions which probe and define the specifics of the issue at hand and to guide these stakeholders down a logical pathway to arrive at decision points which are mutually beneficial.
Building the business acumen within your security organization builds strong relationships, teaches you to discuss security across all business units and demonstrates a transparent value proposition.
It diminishes the opportunity for inconsistency.
Your openness to discussing the specifics of your business and deliverables releases the pressure valve on frustration.
In short, building the business acumen of your organization is a mandatory step to banishing the insecurity from your security department.
Read the previous article in Tim’s series here and keep an eye out for the next installment, coming out 24 April 2024!