Analysis & Assessment of Main Management Skills of Security Managers
The role of security managers and their progression to Chief Information Security Officers (CISO) in their careers is often delineated by a very broad base of experiences, expertise, skills and the continual development of management and leadership skills. The intent of this analysis and assessment is to define the most critically important management skills for security managers, including those most critical to their setting a solid foundation for attaining a senior management role as a CISO in an enterprise (Whitten, 2008). What most differentiates those who progress in their careers as security managers to CISOs is the ability to interpret situations, conditions and relative levels of risk while continually learning new techniques, technologies and concepts pertaining to security and leadership. Those that attain CISO roles progress beyond management and become transformational leaders of the professionals in their department. It is the intent of this analysis to provide a multifaceted view of the baseline skill sets required for security managers to excel in their roles, followed by an assessment of the foundations of security managers who ascend in organizations by being transformational leaders, including insights into how CISOs continually stay at a very high level of managerial and leadership performance.
Analysis Of Security Managers' Management Skills And Requirements
The multifaceted nature of a security manager's role includes cross-functional skills and the ability to immediately interpret the multifaceted nature of the many responsibilities they have. The many functional areas that are integral to a successful security strategy are critical, as is the need for having in-depth analysis of the law and its interpretation; in-depth analysis of preventative aspects of health and safety requirements within their enterprise; thorough analysis of preventative measures for healthcare and safety from a strategic planning standpoint; and extensive planning skills in fire prevention and emergency planning. All of these considerations must be integrated into a strategic security plan that is implemented across an enterprise and its many locations. The role of the security manager as cross-functional coordinator of these many tasks often propels professionals in this role to continually seek the opportunity to gain additional insight into each area of the company they are tangentially responsible for. There is also the challenge of making sure each relationship with other departments is at an optimal level, ensuring a high degree of coordination and clear objectives as well.
Security managers vary significantly in their ability to manage the synchronization of departments and fulfill the role of cross-functional leaders. Those security managers who succeed in the many tasks that comprise successful cross-functional leadership often have the ability to create and also sustain trust across cross-functional boundaries of an organization (Francis, 2003). The highest-performing security managers have the ability to create strong trust-based relationships through reciprocation and the development of effective lines of communication, while also creating a shared series of goals and objectives as well (Beugr, Acar, Braun, 2006). Taken together, these attributes of security managers that successfully create trust throughout the organization often have the ability to accelerate specific preventative security programs as a result. From the analysis completed for this study, it is clear that the highest-performing security managers are able to transform trust into an accelerator, creating a highly effective foundation to build on from a cross-functional standpoint. Instead of relying purely on coercive power or formal power in their organizations or enterprises, the most successful security managers are able to make trust a strong foundation for future growth (Purvanova, Bono, 2009). They seek to create coordinated ownership of each facet or aspect of enterprise security management, and in so doing create a much more effective framework for attaining strategic security plans and initiatives.
This ability to turn trust into a strong, galvanizing force in their enterprises is what makes it possible to unify the highly dissimilar areas of preventative health programs, safety preventative programs, and define strategic security plans that encompass risk management, business continuity planning and disaster planning (Whitten, 2008). Security managers who can successfully create this level of shared task ownership quickly move beyond the traditional roles of planning, organizing, leading and controlling.
Exceptional performance as a security manager is predicated on the ability to also balance IT security policy, provide managerial guidance that is predominantly transactional in nature (as it often includes rewards and incentives) and the ability to create a continual foundation of knowledge sharing and security education throughout an enterprise (Sudhakaran, 2011). These are all critical factors to a security manager's ability to expand their role beyond merely sustaining security policies or in some cases, barely enforcing them. With trust as the catalyst and accelerator that moves the highest-performing security managers beyond baseline or what could be considered mediocre performance levels to exceptional performance, their ability to get more done in a fraction of the time of their lesser-trusted counterparts is significant (Beugr, Acar, Braun, 2006).
What also emerges from an analysis of exceptional security managers is the orientation each has on communication skills that often exceed systems and IT training, even surpassing investigative experience in many cases. It is then the ability of a security manager to successfully balance the hard skills of IT, security planning and execution, and security planning relative to the "soft" skills of communication, management and the continual development of an intuitive sense of how to create and sustain trust over time (Sudhakaran, 2011). These "hard" and "soft" factors taken together are what comprise the foundation of an excellent career in security management. It is also evident from the analysis of security managers' performance as defined through empirical studies that the highest performing ones seek to align each aspect of IT, healthcare, fire prevention and risk management to the overriding strategic initiatives and plans of the enterprise (Warrick, 2011). The highest performing security managers are also able to situationally choose and define which "hard" skills, including IT security management with advanced security breach analysis and planning, to pair with the "soft" skills of management, vendor relations and the continual reinforcement of trust as a core foundation of their effectiveness as leaders in their organizations.
Exceptional security managers that can situationally assess and then define a successful plan for managing legal, health, safety, risk assessment and management, and disaster preparedness for IT and human resources have a higher probability of being promoted into more senior roles over time. As security managers progress into CISO roles, their perception of time and risk often becomes accelerated from a tactical problem level yet more long-term from a planning one (Whitten, 2008). This dichotomy of how CISOs view time itself and its value as a very limited resource often forces decisions into context that security managers don't see the urgency of, or conversely misread decisions from the standpoint of long-term perspective. The multifaceted aspects of a security manager's role over time can become a constraint if the manager does not take the initiative and move forward with their own career plan as well (Warrick, 2011). Throughout the empirical studies that are the basis of this analysis and assessment, the "soft" or difficult-to-quantify factors have consistently shown to be more important to the long-term performance of security managers and the progression of their careers (Whitten, 2008). The ability to create and sustain trust becomes the most valuable attribute that a security manager can cultivate and grow as they selectively apply techniques, technologies, processes and procedures throughout an organization to ensure security and ongoing stability while ensuring their role contributes to the attainment of the strategic plans and initiatives.
Transformational Leadership And Attainment of CISO Level Performance
Security managers who progress beyond their roles as sustaining an organization to leading it often become CISOs. This progression from maintaining and accomplishing security strategies to defining them and creating a compelling security vision for an enterprise is often predicated on their ability to become transformational leaders (Krishnan, 2004). And the progression to transformational leadership is one of the more unquantifiable aspects of any security manager's career, yet paradoxically the most important.
The CISO capable of leading their organizations by integrating security, safety, the protection of personnel, corporate assets and mitigating risks through preemptive and insightful planning is only as effective as their transformational leadership skills enable them to be (Whitten, 2008). Nearly all CISOs are highly skilled from the context of IT planning, disaster recovery planning, security break investigations, defining and executing security breach strategies, and the development of vendor qualification criterion definition (Wood, 1991). The ability to orchestrate these skills over time and continually build on a strong foundation of trust, however, is essential for their careers.
The studies of exceptional CISOs used as the foundation of this analysis indicate that the highest performers have four key attributes that are integral to their leadership styles. These include individualized consideration, intellectual stimulation, inspirational motivation and idealized influence. These four elements form the foundation of transformational leadership strategies of CISOs who are translating their vision of enterprise security management for their organizations into reality (Whitten, 2008). Studies…