How conversations help us grow

We don’t develop alone. As a colleague, and as a leader, there are many ways you can contribute to the growth of others. I would like to share some thoughts on how to create an environment where professionals can thrive, together.

Think now for a moment that you have a one-to-one conversation with one of your team members. You ask the person; “can you describe a situation where you feel you performed really well at work?”. Perhaps there is no answer, so you will need to follow up with a few nudges. For example, you say that you perform best when you have a clear goal, and you know why you have this goal. Then you may ask – do you feel the same? They are probably going to agree that this sounds quite good. This could be a conversation starter about what the ideal state of work is – when do we get to be the best versions of ourselves at work?

Conversations are important to people
Humans interact through language. Good conversations at work are essential for fostering growth.

Here’s a list of some plausible factors that people could come up with:

  • We have a clear vision of what we are trying to achieve, together
  • There is room for my opinions to be heard and valued
  • I can use my competence and personal strengths to drive results that are valued by others
  • The work itself is interesting and challenges me to learn
  • We have the necessary time and resources to build fundamental knowledge and skills
  • I get clear feedback and support from my manager
  • We all make an effort to contribute to the success of others
  • Our team enjoys good work-life balance
  • We have realistic career development opportunities (vertical and horizontal)
  • Ambition is welcome

Your list may look different, but variations around purpose, autonomy and community are typically ingredients of most people’s ideal working environment. Caring about what that means for each individual, is the essence of professional empathy. If your job as a leader is to facilitate results through others, how can you do that?  

Humans are good at spotting flaws. Engineers and analysts are perhaps the most skilled of all at this. This is why it is so easy for us to start with a problem when we want to achieve improvement. I think it is better to start by focusing on personal strengths. If you perform work every day where you feel you are not developing, or that your competence is not needed for the type of work being done, it is no wonder if you feel disengaged after a while. The best way to find out if someone’s strengths are matching the work they do, is to ask them. Have a conversation about strengths, and how to best use those strengths in the work we do, as a starting point. That is a much more positive tone and helps build a sense of having value in the work community, as opposed to the more typical approach of focusing on a GAP assessment of a skills matrix.

Professional development is key to the motivation of any professional. Without it, engagement dies. If the organization has no training budget and going to conferences is riddled with bureaucracy and layers upon layers of approval requests, this is likely to hurt employee retention more than factors such as low compensation or a high workload. Training is valuable to each individual, but of course it brings benefits to the organization too. We all know this. Don’t accept a situation where people cannot get training. It is not fair to the employee, and it is not sustainable for the company.

Learning is not only done in trainings. We should aim to learn every day, as individuals, and as organizations. A lot of people have never thought about all the opportunities to learn that exist as part of the work they do every day. As a manager you can improve the effect of learning from doing the work by making it more explicit. For example, during investigation of a particular security incident, analysts learn about new TTP’s, as well as how to detect and stop them. Or, when creating a new policy, discussing with stakeholders and collecting feedback is a great opportunity to learn about the perspectives of different stakeholders. Common to both cases is that this learning is very often wasted. It remains in short-term memory only and can often only be retrieved again by relearning it the next time a need for this knowledge exists. This is why we need to be explicit about expectations to learn on the job.

Everyone should have some time every week to reflect on what has been learned, and what it means for them in the future, as well as for the team and organization as a whole. If we set aside a fixed number of hours for “skills development”, encouraging employees to spend some of that time reflecting on what they have learned on the job over the last week, is an example of good management. Don’t mandate how people reflect or document what they have learned but sharing ideas on how to do it is a good idea. Some like to write a work journal. Some prefer blogging, some would rather create proof of concept code. Most people have never thought about doing this, or what they prefer, so encourage experimentation.

Some things that people learn on the job are mostly improving individual competencies. But some things are worth sharing, and it is good to challenge existing practices when they are suboptimal. This is how we move forward. Those practices can be policies and guidelines, they can be habits, or they can be ways of using technology. Encourage sharing where sharing is due. Encourage challenging the status quo and improving the way things are done. Continuous improvement is not a result of a management standard or policy, it is the result of culture. We need to make it happen. As a leader you should visibly share knowledge, visibly challenge practices, and encourage others to do so too. When people see that you are doing it, and not only talking about it, the message becomes much more powerful. A good place to start inviting such contributions is to take a page from lean management and ask: “what is something we spend time on today that we could stop doing without any harm to the organization or our department?”

Of course, our hypothetical bullet point list of a great working environment that will help us perform at our best, is not only about learning and training. Another important aspect here is relationships at work. This is what we can think of as “work community”. A leader is a catalyst for work community; not necessarily the driver of it but the leader helps the organization choose healthy pathways to build community. From our bullet points, the desire to have room to be have opinions heard and valued, packs a lot in one sentence. What has to be in place for us to have such a situation? We definitely need a certain level of psychological safety, so that people don’t feel threatened of ridicule or being ignored when they raise their voice. We can achieve a sense of psychological safety when we can trust that our surroundings have our best interest in mind. The people we surround us with want us to succeed. At the same time, we must accept disagreement and honesty. We should not expect any idea to be accepted at face value, we should expect, even demand, that every idea is challenged. But it should be challenged constructively, respectfully, and without any implication of us thinking less of the person bringing the idea to the table. Bringing a bad idea to the table is infinitely better than not bringing any ideas to the table. A culture of silence is the place where creativity goes to die. So, what can you do to foster this ideal state where people love to contribute and really feel that their contributions mean something to the department, and to the organization?

One thing you can do to instill trust, is to be vulnerable. Put yourself at risk by sharing your ideas with your team and ask them for feedback. Not the type of feedback often given to managers, such as “OK” or “looks good to me”. Ask for concrete feedback on “what do you like about this suggestion?”, “what do you dislike about it?”, “why do you think so?”, “how can we improve it?”. Let people see that you don’t have all the answers. If the case you are trying to improve is difficult, let people know you think it is difficult. Taking away the notion that you have to know everything is helpful for reducing imposter syndrome.

Empathy is key to trust. We cannot expect to have the same kind or relationship with everyone on the team, or to reduce relationship management to a bullet point list, but we can seek to have valuable and trusting relationships with everyone on the team. To build healthy relationships that foster trust, investing time in working together and in having conversations about both work and life itself, is time well spent. Listen actively in conversations, and care about the ambitions and wants of the other person, as well as the organization. Active listening is a skill worth practicing every day.

Another thing you can do is to think about how you balance relationships versus results.

What have you done lately to support the personal ambitions and career plans of your team members? For example, if one of your the team members has a personal dream of publishing a novel, how would you think about that in terms of your manager-employee relationship? Is it irrelevant to work, should you discourage such ambitious personal plans due to fear of their thoughts being spent on non-work-related projects, or should you support it and help them balance those ambitions with responsibilities and ambitions at work? I know what I think is the best choice, but your view may be different. It is worth thinking about.

And that brings me to the end of this post, thinking. Leadership is difficult. People are complex, and there are so many things that influence how we behave and think. This is why leaders also need support structures. You will have doubts, and you will have seemingly intractable judgments to make. Having a mentor is helpful, someone who can empathize with you as a leader, someone who knows to ask good questions and help you reason. Supporting each other in the leadership team is essential; share your management practices, your doubts, and how that difficult conversation went (while respecting the privacy of your team members, as appropriate). If you want to develop as a leader, I highly recommend finding a good mentor. Good mentors elevate your thinking.

A letter to the manager

This is a letter to all managers out there. If you are being paid to manage other people, this one is for you.

Leadership is like baking. It has a lot of ingredients and care means more than measurements.

I bet there is friction in your team. There is friction in all teams, and some of it is healthy. But when it turns into a chronic condition, relentless, abrasive, never taking a break – then you have a problem. And it may very well be that you and your organization is at fault for creating this unhealthy and unproductive environment. For many workers, work no longer feel inspiring and rewarding. Instead, colleagues feel tired, and many feel disengaged at work. This is a big problem. Disengagement is the arch enemy of excellence. And we would all like to be considered centers of excellence, wouldn’t we?

Perhaps there is a narrow focus on performance management through reporting and key performance indicators. This approach resonates well with most engineers and accountants; what is measured gets managed. There is no doubt that we need to measure performance. How else would we know if we are moving in the right direction? And perhaps that is the core of the disengagement problem. Because who knows what future state are we trying to move towards? If there is a lack of a shared and compelling vision, it is hard for people to know what matters, and what is just noise.

Performance management is a double-edged sword. It has downsides that managers need to be aware of and watch closely to avoid the negative effects of management to overtake the good effects. A very high focus on key performance indicators tend to bring out some side effects such as a lack of involvement, tunnel vision and can also exacerbate short-termism. All of this together tends to create disengagement, which again would drive the real key performance indicators in the wrong direction. Successful managers know how to balance focus on results and relationships. Managing based on measurements alone will tip the balance of focus heavily towards results over relationships, but without healthy relationships we cannot reliably drive results over time.

Let us first consider how measurements can help us drive result in a complex system such as a big organization, and then return to how we tie achievement to key management practices.

About measurements

Measurements are critical. But how do we know if what we measure, and the results we infer from our KPI’s, indicate progress? Managing an organization is an optimization problem. To know whether we succeed or not, we need to know what we are aiming for. In mathematical optimization this is called the objective function – a mathematical function that we seek to minimize, typically under a set of constraints. In management, we typically rely on a vision statement to guide our actions. The KPI’s we live and manage by, should have a clear connection to that vision. Without this connection, it is hard to tell whether a change in the KPI is good or bad, or if such a change is important, or merely a weak improvement of the whole system. To make these connections, we need to apply systems thinking. Systems thinking means an approach where we look at the internal and external interactions of a system and try to understand how our actions push this system from one state to another. Is that new state taking us closer to our desired state, as described in our vision?

Let us go back to our mathematical optimization problem as an analogy of what we are trying to do. Let’s say we have a mathematical model describing “the system”. This model describes the interactions internally in the system, as well as how the system responds to external events that we have no control over, and actions we take on purpose to drive our systems towards that optimal state, where an objective function is minimized. This is a very difficult problem; how can we make the best decisions about inputs we can control (let’s call them u), to optimize the state of a system when there is considerable uncertainty (let’s call such signals that we cannot control d).

In most cases we are also not able to observe every state of the system. There are features of our complex system we cannot see. In some cases, we may infer what they are, but very often we have limited observability of the internal state. This is also true of organizations and management; there will always be internal factors we have no way of observing.

When we make decisions about what to do next, we need to rely on things we can see. These are measurement variables, y. This information can be used to drive our system towards our ideal state, but all information is not equally important. Sometimes two different measurements can also give us in essence the same information. Mathematically speaking we say that the measurements are highly correlated. This means that for solving our mathematical optimization problem, it is not arbitrary which measurement variables we use to drive our decisions. We should carefully select measurements that give us the best ability to approach our optimal state or minimizing our objective function. This is the same for management of an organization; we should pick the KPI’s that will help us the most in moving in the direction of our vision.

The actions we take can be viewed as inputs to our system, whether they are variables in a mathematical optimization problem, or actions and tasks to focus on in an organization. Say we have decided some key performance indicators we would like to drive to some target values. We need to choose our actions for doing this. We will typically have many candidates for actions to take, but not all of them are equally effective. We have two decision problems to solve; which knob should I turn, and what value should I set it to? We also have another issue to keep in mind. While turning a certain knob may drive a property of our system in the desired direction as measured by one specific KPI, what if it makes the situation worse as measured by another KPI? Our optimization problem is much more difficult to solve if there is significant interaction between the internal states we change through our inputs. We should thus aim to decouple the input-output structure of our system. We would like to use inputs (actions) that do not cause conflicting outcomes as measured by different outputs (i.e., our KPI’s). This is not always possible, but we should be aware of the possibility of conflicting interactions and strive for more decoupling in the measurements we use.

So, if we now can agree that it is important to carefully select KPI’s, do we have any heuristics or rules that can help us do that? Luckily, we do. This has been extensively studied both from a mathematical point of view, and from a management theory point of view. It is a good thing that the general conclusions from different research areas do align well with each other.

  • Select KPI’s that are tightly coupled to the objective function so that a change in the KPI would indicate a change in the closeness to our ideal state
  • Select KPI’s that have optimums that are close to invariant under noise and disturbances. This means that if we have small errors in the measurement of our KPI, or external conditions change slightly, we are still operating close to the ideal point of operation.
  • Select KPI’s that are not strongly correlated with each other as they would not together provide more information about the internal state of the system than one alone would
  • Do not select more KPI’s than you have inputs to manipulate. This is because we cannot independently change more outputs, than we have inputs available.

If we pull this knowledge into the context of managing an organization, we can make some immediate observations. First, it will be very hard to select good KPI’s unless we know where we are heading. We need a clear vision for the organization. This is our objective function. Let us try to define a few possible “visions” to see how they would affect our KPI selection problem.

  1. Our vision is to make the CTO happy with the technology department
  2. Our vision is to enable the organization to provide services our customers love
  3. Our vision is to replace all humans in the company with robots maintained by others

These examples are of course contrived but they are made to illustrate that what we want to achieve will heavily influence what we measure, and how we work towards that ideal state. Let us take the first suggestion – our vision is to make the CTO happy with the technology department. Perhaps the deeper motivation for such a vision could be to secure bonuses for ourselves and our friends, or because we are uncertain about management’s ability to see value in what we do so we would like to keep the CTO happy for the sake of our own job security. Of course, none of these are admirable motives but let us pretend this is the case for a moment and see how we would seek to optimize that problem.

The CTO is happy when:

  • We do not ask questions but execute desires from top management quickly
  • We report numbers that make the CTO look good to other executives
  • We buy products and services from vendors the CTO has a tight relationship with

Our KPI’s should then be on speed of implementation, reporting progress through measurements that are easy to make change a lot but does not necessarily create competitive advantage for the company. Perhaps should a KPI also be number of LinkedIn contacts of the CTO associated with each vendor we choose. Obviously – this would be absurd. We are optimizing for the wrong objective function! We see that this type of opportunism is not only suboptimal, it is bordering on corruption.

If, on the other hand, we want to maximize our customer’s love of the services delivered by our organization, we would likely select other KPI’s. When would customers like our products more than those from our competitors?

  • Our products do not have a lot of vulnerabilities and can be trusted
  • Our products are reliable and exceed the expectations the customers have
  • Our risk mitigations are designed to stop harm to our customers
  • Our marketing messages make our customers feel good about our offerings
  • Our products and services are easy to use

Say that this is what we believe underpins making the vision of “most loved supplier” reality. What should we measure to help drive results? We need to make sure our products are trustworthy and reliable – so using quality and security metrics will make sense. We need to make sure our products exceed expectations; meaning we need to watch closely the feedback from customers and the market. We need to make our products very easy to use – measuring user behavior to see if actual use of our products match what we intended would be an important part of making up the full picture.

A lot of this cannot be achieved internally by one department or division alone. We need to sell this approach to the entire organization, from top management to marketing and sales, to engineering. Our sphere of influence needs to expand to make our vision reality. Selling does not necessarily come natural to our team members, so focusing on driving activity before driving results can be a reasonable approach. One way to do this is to look at time spent on working with other units to make sure we do not fall into the internal focus trap. So where the manager obsessed with output based KPI’s would see internal socialization as wasted time, the more relationship aware manager understands that this underpins the creation of business value.

Further, as we expect our team members to “sell our vision” to the organization, people will need support, not just performance push. We will get back to that.

The point of this is, we should not try to measure all the things possible, we need to prioritize, and track KPI’s that align closely with our vision for the future. And to do that, we must first define that vision clearly. It must be shared by everyone, understood, and felt to be “right”. To be effective it must align with our values, and it must align with the values of the organization. In that set of values, we find innovation and agility. A practice that causes dissonance between the values we identify with, and our daily work, leads to frustration. And that has unfortunately become very common, and perhaps it has gotten even worse after COVID due to less strategic focus and involvement?

Creating excellence through people

Leadership is about creating results through others. We cannot do that through one-sided focus on “productivity”. It does not matter if you do a lot of things, if those are not the right things to be done, or if the things we do are not done very well. A top-down management approach will often lead us into doing things without putting our hearts in it, without considering if they are the right things to do, if the measured numbers and reports are produced. That is an illusion of effectiveness.

An approach to leadership that seeks to balance organizational performance and human development is “situational leadership”. This term stems from work done in the 1970’s by academics, and has developed significantly since, but the main take-aways are:

  • Not every situation is most effectively managed with the same style of leadership
  • For long-term organizational performance we need to balance our focus on tasks and relationships

According to this leadership theory, a good leader develops “the competence and commitment of their people so they’re self-motivated rather than dependent on others for direction and guidance”.

It should be clear that an over-focus on task performance will run counter to this principle and can easily lead to micromanagement. Micro management is warranted when competence is very low but enthusiasm to learn is high, but in knowledge organizations primarily employing university graduates this is rarely the situation at hand. Micromanagement in knowledge organizations is counterproductive.

So what should a good leader do?

Ken Blanchard is one of the originators of situational leadership theory, and he has written many books in a semi-fictional style. His most well-known book from the 1980’s is a quick read called “The One-Minute Manager”. It is still a good read about management, for learning about motivation and driving human excellence. In this book he introduces the concept of the serving leader, with the acronym SERVE serving as a reminder of key management practices. The practices are summarized as follows:

  • See the future
  • Engage and develop others
  • Reinvent continuously
  • Value results and relationships
  • Embody the values of the organization

See the future: develop a compelling shared vision of the future

This is the precursor to strategy. How can we plan what actions to take if the direction is unclear? How can we expect people to pull in the same direction, if they have no shared model of what an ideal future looks like? Therefore, creating a vision needs to be a collaborative experience. It is also necessary that the responsibility for articulating a vision for a business unit, lies clearly with the top leader of that unit.

A good vision, whether for a team or an organization should consider the core values of the organization. The values say something about what the organization sees as important, valuable, worth striving for. All organizations have values, whether articulated or not. If they are not articulated, or they are simply “dormant” – somebody defined them, but they are not widely known or reflected upon, they provide no guidance. Start with the values.

An effective vision sets a clear direction. It describes a future ideal state, somewhere we want to go. That state must be compelling to the team, and something everyone agrees that we would like to achieve.

Having a compelling and shared vision makes everything easier. Prioritizing what is important becomes easier. Motivating both oneself and others is much easier. Seeing if the fruit of our work moves us closer to where we want to be, becomes easier. It is a common saying that visibility is important.

Engage and develop others

To accomplish something great together we need to learn, as an organization, and as individuals. Leaders must support development of people, and of good practice. How do we develop people, so that they feel that work is rewarding, and improve their competence in a way that supports the organization in reaching its goals as well? The first thing we need to do is to acknowledge that development and optimization requires time, trust, acknowledgement, support, and effort.

Excellence does not come from task performance alone, although much can be learned “on the job” as well. A good approach to competence management requires the ability to think about systems. An individual alone is complex, a system. A team adds more complexity, not to speak of a large organization, or our entire market. Even society as a whole is relevant to our development. We need to consider systemic effects if we are going to effectively engage and develop others. That means that we must consider if our result focus is interfering with our ability to drive positive development. We need to align our performance management efforts with our competence goals.

Human performance requires motivation. A large part of “engage and develop others” is thus related to motivational leadership. Research in competence management has taught us about many factors that contribute to the motivation of people at work. Key influencing factors are:

  • Task motivation: a desire to solve the problem at hand, intrinsic motivation for the work itself. This is a state we should strive for.
  • Confidence in own competence: the individual’s self-esteem as it relates to competence and knowledge at work and in a group
  • Perceived autonomy: ability and acceptance of independent influence and decision making
  • Perceived use of own competence: that the work to be done requires the skills and abilities of each person to be actively used
  • Clear expectations: a clear understanding of what is expected of output, behaviors and social interaction from colleagues, leaders, and other relationships
  • Time and resources for competence development and training
  • A culture of excellence: where everyone expects the best of everyone, and provides support to achieve that
  • Usefulness of the work – a desire to help the wider organization achieve its goals (again pointing back to the vision)

Leaders play a crucial role in optimizing the environment around the factors above. This can be done through organizational design (who do we hire), how we work together, how we select and work on tasks, how we coach and support one another, how we share our own knowledge, and how we provide feedback to each other.

This is very hard to do unless we trust each other and know each other more personally than what particular job skills we have or what we can read from a CV. The only way to foster that trust is to care deeply about other people, to care about their success in terms of what is important to them, as well as to care about their value and contributions to the social group at work as a whole.

Culture eats strategy for breakfast is an old saying, and it holds a lot of truth.

Reinvent continuously

We will not achieve our vision in a vacuum. We are exposed to both internal and external competitive pressures. Competition for resources, for relevance, and market forces that decide whether our desired future state is still the right goalpost to aim for. To be successful in moving into our ideal future, even when clouded by uncertainty, we must innovate. Without innovation, the competitive pressures will crush us (external threat) and our internal performance will dwindle due to destruction of motivation and achievability of our goal. Hence, innovation must be on every leader’s agenda.

To reinvent you need to learn. Therefore, every leader should make it a practice to learn new things. Not only about the topic of the work, such as information security for example, or about leadership itself. Leaders should learn about the things that matter to society, to the supply chain, to the organization, and to individuals. A lot of this learning can come from fiction, from cultural experiences and from hobbies. It is through the way we interact with the world we learn to understand the world. That means that to drive effective innovation, we should not be workaholics. System thinking requires system understanding, and that understanding cannot come entirely from an inside perspective.

Innovation means change. We do something new, and we take risks. Innovation means doing things we don’t know will work. If we want others to innovate, to drive practice forward, we need leaders who are brave. Failure must be expected, perhaps even celebrated if we learn from it. Failure is always seen as risky by people in an organization due to perceived expectations being successful, efficient, productive. It is important for leaders to show willingness to take risks, try new things, and fail in a transparent way that others can see when things do not go the way we want.

There are many ways to reinvent or innovate. It can happen at the individual level, as a group in a natural, non-directed way, or as a managed project. It is also important to make innovations visible, no matter what type of innovation we are talking about.

Reinvention can be about processes. It can also be about technologies, products. We should always work to improve our processes and ways of working. This means that people must be able to voice their opinions, as well as to experiment. If we talk about trying new ways of doing things, challenging each other’s thinking along the way, we improve the odds of success. To make this reality, it is important that we create a culture where people will speak their minds, and where those who make decisions think about the suggestions and concerns raised. Involvement only works when it is authentic. Experimentation takes time. If someone wants to try something new, discuss and agree on how much “extra time” is OK to spend on experimentation to drive things forward. Maximize time spent on driving creativity, efforts to create and test, and make evaluation easy. Innovation work is where agile shines, working software above extensive documentation. Or demonstration by “doing” above extensive KPI’s.

Value relationships and results

Results matter. But it is through our relationships we create our best results. Relationships drive improvement, innovation, motivation, and quality.

As a leader, take time to build strong relationships with others. Not only with your own leaders, or with your direct reports. Those are important, but so are other people. Those who use the work produced by your unit. Those who need to support your unit in creating results. For example, for an information security team, it is often necessary to get help from the IT helpdesk in handling security incidents. If you as a leader have a strong relationship with the leader of the helpdesk team, and some of the key helpdesk members, their willingness to help and make a real effort when the security team needs help, will be much higher. The same goes for the relationships between your team members, and people who work in adjacent teams that we interact with. Value your people’s efforts to build relationships within the unit, in the organization, and even externally.  Even if their day-to-day work is not about external contact to vendors or customers. Every employee is a brand ambassador, and a strong brand drives results across the whole organization, even in business support functions.

As a leader, you should try to encourage and support people’s efforts in building relationships. One can provide arenas such as cross-functional knowledge sharing, or break activities. One can think strategically on how we engage with other units through the work we do and choose ways of working that makes it easier to build relationships to other people. Those relationships create trust, and trust is the parent of collaboration. This way – relationships help us drive performance. They create results.

Valuing results is also very important. This often comes more natural to an organization driven by measurements and reporting. Showing acknowledgement of results help us improve motivation, trigger ideas for improvement, and further create a need for more collaboration. Through that result focus creates a need for relationship management.

  • Celebrate all wins – big and small
  • When things go wrong – appreciate what can be learned. That is a result too.
  • Evaluate results based on outcome, expectation, handling of challenges and effort.
  • We should value the way a result was achieved as much as the result itself.

Embody the values of the organization

Authenticity is key to trust. The actions of an organizations leaders is very visible to that leader’s direct reports, but also to others. A leader who acts in a way that does not harmonize with the organization’s values does not support achieving the vision.

Unauthenticity will drive mistrust. Nobody is willing to go beyond the bare minimum to follow a leader who acts as if he or she does not actually believe in the vision, in the agreed values. This boils down to “walk the way you talk”. If you talk about agility, but opt for micromanagement, this creates dissonance. If you say you want to empower people to innovate but discourage taking risks, little innovation will occur. Authenticity matters. This means not only trying to behave in accordance with the values of the organization superficially, but actively working to bring the system forward just as you expect others to.

Do you want people to innovate? Then you must innovate. Do you want people to share your vision? Then you must invite participation in its creation and how to articulate it. Do you want people to learn and develop? Then you must learn and develop. There is no better way to portray authenticity than letting people see the things you do. Actions reinforce words.

To embody the values of the organization is not only about the actions you take, but also about the expectations you set. If we want to build excellence, we should not tolerate long-term underperformance. But more importantly, we should not tolerate systematic behaviors that go contrary to our values. When underperformance manifests itself, or behaviors that go contrary to our vision, to our stated values, show up repeated, we must act.

In a culture where tasks are valued above relationships, where measurements count more than progress, underperformance is often met with punishment. No bonus, lower salary adjustments. Or firing the individual. While such measures have their place, they should not be the start of improvement. For a situation where people act differently than we would expect with a set vision, with our defined values, we must ask ourselves what the cause of this behavior is. For a leader the first question should be “is there something in the way I lead that would make people believe those undesired behaviors are tolerated, or even encouraged?”. Sometimes our actions have unintended consequences when interpreted by others.

The next question we should ask is if there are misaligned incentives driving the behaviors we see. Do we reward results in a way that practically force people to take shortcuts or actions we do not actually want to make our measurements hit target? This type of opportunism will often manifest itself when motivation is entirely extrinsic, and there is a mismatch in the interests between the agent (the employee) and the principal (the leader, or the organization).

If we want to identify the cause of the performance slip, or the non-productive behaviors, we can only achieve this through dialog. You as a leader must have a conversation with the person displaying these behaviors. This is a great opportunity for situational leadership. What approach is appropriate and effective in the current situation? Is it a directive style, where you tell the other person what to do? Is it a coaching and participating style, where you support self-reflection to enable the desired change? Warnings and disciplinary actions tend to be an extreme variant of directive leadership style, and if the lack of harmony with expected behavioral standards this can be necessary. We are then often talking about serious violations of norms, or code of conduct. Most often this is not the case, and a very directive approach can be counterproductive, especially if there is not a high level of trust already in the relationship between you and the person you are trying to help change his or her ways. The conclusion of this is that leadership is complex and more about people than it is about measurements. Using the SERVE principle as a guideline for how you think about leadership can be very helpful as it helps you balance focus between driving results and creating strong relationships to underpin the results.

Who supports the leader?

Being a leader can feel very lonely. That is not a good situation and is completely unnecessary. Leaders need support structures. Sometimes you will need to think about complex dilemmas, involving people you care about. Leaders must often make trade-offs between conflicting goals, desires and needs. To do this effectively we need support from those around us. The organization should provide some of that support, through leadership training, mentorship, management systems and through contact with other managers. Your own line manager should be available for discussing such issues. It can also be a very good idea to have a strong mentor to help you reflect on challenging situations.

You should pull necessary support from many sources. Leaders often try to portray themselves as someone with the answer to every question. They often keep the dilemmas hidden and deliver directives for execution. This can easily lead to micromanagement and suboptimal solutions. In many cases you can share the dilemma and have your people help sort out what should be done next instead of presenting them with a directive to execute. Remember – people have been hired for their talents, not as cogs in a wheel.

Another source of support is your friends and family. That support does not have to be “task related”. Simply taking time to have a good life and feel appreciated will make you a better leader. That helps you create results, both on your own, and through others.

Value work-life balance for yourself, and others. Long-term growth depends on it.

The take-away

  • It is your job to make sure there is a compelling vision articulated, shared by everyone
  • Hire the right people and support their development – professionally and as individuals
  • Improve things every day – innovation applies to processes, products and who we involve
  • Appreciate and support relationships at work, and make networking part of what you do
  • Live by the values you and your organization believe in. Be authentic, and build trust.
  • Take care of your mental and physical health – and help others do the same. This is work-life balance in practice.

How to embed security awareness in business processes

All businesses have processes for their operations. These can be production, sales, support, IT, procurement, auditing, and so on.

All businesses also need risk management. Traditional risk management has focused on financial risks, as well as HSE risks. These governance activities are also legal requirements in most countries. Recently cybersecurity has also caught mainstream attention, thanks to heavy (and often exaggerated) media coverage of breaches. Cyber threats are a real risk amplifier for any data centric business. Therefore it needs to be dealt with as part of risk management. In many businesses this is, however, still not the case, as discussed in detail in this excellent Forbes article.

Most employees do not even get basic cybersecurity training at work. Is that an indicator that businesses have not embedded security practices in their day-to-day business?

  1. One common mistake many business leaders make is to view cybersecurity as an IT issue alone. Obviously, IT plays a big role here but the whole organization must pull the load together.
  2. Another mistake a leader can make is to view security as a “set and forget” thing.  It is unlikely that this would be the case for HSE risks, and even less so for financial risks.

The key to operating with a reasonable risk level is to embed risk management in all business processes. This includes activities such as:

  • Identify and evaluate risks to the business related to the business process in question
  • Design controls where appropriate. Evaluate controls up against other business objectives as well as security
  • Plan recovery and incident handling
  • Monitor risk (e.g. measurements, auditing, reporting)
  • Get your people processes right (e.g. roles and responsibilities, hiring, firing, training, leadership, performance management)

What does the security aware organization look like?

Boiling this down to practice, what would some key characteristics of a business that has successfully embedded security in their operations?

Cybersecurity would be a standard part of the agenda for board meetings. The directors would review security governance together with other governance issues, and also think about how security can be a growth enhancer for the business in the markets they are operating.

Procurement considers security when selecting suppliers. They identify cybersecurity threats together with other supply chain risks and act accordingly. They ensure baseline requirements are included in the assessment.

The CISO does not report to the head of IT. The CISO should report directly to the CEO and be regularly involved in strategic business decisions within all aspects of operations.

The company has an internal auditing system that includes cybersecurity. It has based its security governance on an established framework and created standardized ways of measuring compliance, ranging from automated audits of IT system logs to employee surveys and policy compliance audits.

Human resources is seen as a key department for security management. Not only are they involved in designing role requirements, performance management tools and training materials but they are heavily involved in helping leaders build a security aware culture in the company. HR should also be a key resource for evaluating M&A activites when it comes to cultural fit, including cybersecurity culture.

If you are looking to improve your company’s cybersecurity governance, introducing best practices based on a framework or a standard is a great starting point. See How to build up your information security management system in accordance with ISO 27001 for practical tips on how to do that.

Security Awareness: A 5-step process to making your training program role based and relevant

Security awareness training is one of many strategies used by companies to reduce their security risks. It seems like an obvious thing to do, considering the fact that almost every attack contains some form of social engineering as the initial perimeter breach. In most cases it is a phishing e-mail.

Security awareness training is often cast as a mandatory training for all employees, with little customization or role based adaptation. As discussed previously, this can have detrimental effects on the effectiveness of training, on your employee’s motivation, and on the security culture as a whole. Only when we manage to deliver a message adapted to both skill level and motivation levels we can hope to be successful in our awareness training programs: When does cybersecurity awareness training actually work?

So, while many employees will need training about identification of malicious links in e-mails, or understanding that they should not use the same password on every user account, other employees may have a higher level of security understanding; typically an understanding that is linked to the role they have and the responsibilities they take. So, while the awareness training for your salesforce may look quite similar to the awareness training you give to your managers and to your customer service specialists, the security awareness discussions you need to have with your more technical teams may look completely different. They already know about password strength. They already understand how to spot shaky URL’s and strange domains. But what they may not understand (without having thought about it and trained for it) is how their work practices can make products and services less secure – forcing us to rely even more on awareness training for the less technically inclined coworkers, customers and suppliers. One example of a topic for a security conversation with developers is the use of authentication information during development and how this information is treated throughout the code evolution. Basically, how to avoid keeping your secrets where bad guys can find them because you never considered the fact that they are still there – more or less hidden in plain site. Like this example, with hardcoded passwords in old versions of a git repository: Avoid keeping sensitive info in a code repo – how to remove files from git version history

So, how can you plan your security conversations to target the audience in a good way? For this, you do need to do some up-front work, like any good teacher would tell you that you need to do for all students; people are different in terms of skills, knowledge, motivation for compliance, and motivation to learn. This means that tailoring your message to be as effective as possible is going to be very hard, and still very necessary to do.

The following 5-step process can be helpful in planning your content, delivery method and follow-up for a more effective awareness training session.

A 5-step process for preparing your awareness training sessions. 

First you need to specify the roles in the organization that you want to convey your message to. What would be the expectations of the role holders of a good security awareness training? What are the responsibilities of these roles? Are the responsibilities well understood in the organization, both by the people holding these roles, and the organization as a whole? Clarity here will help but if the organizaiton is less mature, understanding this fact will help you target your training. A key objective of awareness training should here be to facilitate role clarification and identify expectations that are always exisiting but sometimes implicitly rather than explicitly.

When the role has been clarified, as well as the expectations they will have, you need to consider the skillsets they have. Are they experts in log analysis from your sys.admin department? Don’t insult them by stressing that it is important to log authentication attempts – this sort of thing kills motivation and makes key team members hostile to your security culture project. For technical specialists, use their own insights about deficiencies to target the training. Look also to external clues about technical skill levels and policy compliance – security audit reports and audit logs are great starting points in addition to talking to some of the key employees. But remember, always start with the people before you dive into technical artefacts. And don’t over-do it – you are trying to get a grasp of the general level of understanding in your audience, not evaluate them for a new job.

The next point should be to consider the atmosphere in the group you are talking to. Are they motivated to work with policies and stick with the program? Do they oppose the security rules of the company? If so, do you understand why? Make sure role models understand they are role models. Make sure policies do make sense, also for your more technical people. If there is a lack of leadership as an underlying reason for low motivation to get on board the security train, work with the senior leadership to address this. Get the leadership in place, and focus on motivation before extra skills – nobody will operationalize new skills if they do not agree with the need to do so, or at least understand why it makes sense for the company as a whole. You need both to get the whole leadership team on board, and you probably need to show quite some leadership yourself too to pull off a successful training event in a low motivation type of environment.

Your organization hopefully has articulated security objectives. For a more in-depth discussion on objectives, see this post on ISO 27001. Planning in-depth security awareness training without having a clear picture of the objectives the organization is hoping to achieve is like starting an expedition without knowing where you are trying to end up. It is going to be painful, time-consuming, costly and probably not very useful. When you do have the objectives in place – assess how the roles in question are going to support the objectives. What are the activities and outcomes expected? What are the skillsets required? Why are these skillsets required, and are they achievale based on the starting point? When you are able to ask these questions you are starting to get a grip not only on the right curriculum but also on the depth level you should aim for.

When you have gone through this whole planning excercise to boil down the necessary curriculum and at what level of detail you should be talking about it, you are ready to state the learning goals for your training sessions. Learning goals are written expressions of what your students should gain from the training, in terms of abilities they acquire. These goals makes it easier for you to develop the material using the thinking of “backwards course design“, and it makes it easier to evaluate the effectiveness of your training approach.

Finally, remember that the training outcomes do not come from coursework, e-learning or reading scientific papers. It comes from practice, operationalization of the ideas discussed in training, and it comes from culture, when practice is so second nature that it becomes “the way we do things around here”.

To achieve that you need training, you need leadership, and you need people with the right skills and attitudes for their jobs. That means that in order to succeed with security the whole organizaiton must pull the load together – which makes security not only IT’s responsibility but everybody’s. And perhaps most of all, it is the responsibility of the CEO and the board of directors. In many cases, lack of awareness in the trenches in the form of no secure dev practices, bad authentication routines, insufficient testing stems from a lack of security prioritization by the board.

Want more? Get free updates by joining the Safecontrols e-mail list!