I manage risk. I also manage people. And how I manage risk tells me how to manage people.
Let me explain.
Managing security risk means anticipating both known unknowns and unknown unknowns (true Black Swans). In the first case I know what I don’t know; in the second case I don’t know what I don’t know.
That means I have gigantic organizational blind spots to defend against.
When you have blind spots, more eyes see more. No one person can see everything, and hiring and leaning on great people with good security vision is one of the best ways to manage this kind of risk.
But that means you have to listen to the people you hire. I’ve personally known some managers who take the approach “I am a Giant Brain and my direct reports are robotic extensions of my galactic vision, do my bidding, minions.”
You might be surprised how common this kind of manager is.
But that does not help me manage known unknown and unknown unknown risks! If I were to trust only my own judgment and my own vision then I would not be doing my job well.
Every single one of my direct and indirect reports knows something I do not know. Every single one goes deeper in at least one area of knowledge and expertise than I do. As a CISO I have no choice but to be a generalist. There are not enough hours in a day to earn half a dozen PhDs plus a law degree and an MBA to somehow be a one-man army.
A CISO is like a military general in this way.
So how can you take action on this insight? Well, first admit to yourself and to your direct reports that you don’t know everything. Pretending you know everything doesn’t make people respect you or follow you, it just makes you look like an idiot. Get over yourself and leave your ego at home if you want to do a good job as a CISO.
Does that mean your directs are always right? Definitely not. But creating a culture of collegial debate, where everyone is encouraged to probe weaknesses in other people’s arguments, results in better outcomes.
I strive to exercise the best possible judgment in my role as a CISO. And I want my decisions battle-tested by friendly fire—have I missed something? Am I wrong?
Sometimes. Also, sometimes not.
At the end of the day, a CISO is responsible for exercising good judgment and the consequences of the decisions they make.
Listen to your followers and they will make you a better leader.