Saturday, 4 April 2009
Security Leadership or Management?

A recent article on leadership in the Financial Times caught my attention. This article, "Soapbox: the myth of leadership", debunked today's emphasis on "leadership" versus plain vanilla "management" skills. Clearly many of today's financial leaders have led their organizations into ruin. While this has not happened in the information security world, organizations looking for senior security officers advertise for leaders, not managers. One recent article on security leadership listed the following attributes for "Tomorrow's Security Leader": vision, competency, curiosity, enthusiasm, etc.; generally soft skills.

I decided to return to Peter Drucker to see what I could learn.  Fortunately, there is a Revised Edition of his classic Management (2008).  Here are the five activities he associates with management and how I think they apply to the security officer role:

  1. Sets Objectives.  This is the strategic planning function, where security goals aligned with business needs are defined.
  2. Organizes.  Security is carried out by the entire organization, not one department, so this is a significant part of the role.
  3. Motivates and Communicates.  This is where the soft skills are used to create results.
  4. Measurement.  Business is about performance and security needs to be run as a business process with corresponding success metrics.
  5. Develop People.  Build the security team's technical knowledge and management skills, preferably following the changes in the business.

As Drucker's book emphasizes, leadership accomplishes nothing without effective management skills. This applies to information security as much as to any other business process.

Posted on 04/04/2009 3:43 PM by Fred Scholl