Dancing With Yourself
https://sm.asisonline.org/Pages/Dancing-With-Yourself.aspx
2018-12-01T05:00:00Z, Mark Tarallo
<p>You can't manage others if you can't manage yourself. And for any manager, including a security manager, effective self-management requires a certain level of professional self-knowledge. Achieving that can be trickier than it sounds, given the human tendency to overrate one’s own abilities and performance. </p><p>“We are wildly overconfident in most domains. We are wildly bad at self-assessing,” says Khalil Smith, a former leadership development expert at Apple who is now a practice leader at the NeuroLeadership Institute. To illustrate, Smith cites a driving survey in which 80 percent of respondents rated themselves as better-than-average drivers, a mathematical impossibility. This also applies to leadership, he adds. </p><p>“Most managers think they’re really good managers, and a lot of them aren’t,” Smith explains. “Confidence and competence are not correlated.” But if self-knowledge requires great effort to attain, the results will be worth it, experts say. It will ultimately allow managers to maximize their strengths, minimize their shortcomings, and modify their responses and behaviors, all for the cause of becoming more effective leaders.</p><h4>Strengths Analysis</h4><p>“History’s great achievers—a Napoleon, a da Vinci, a Mozart—have always managed themselves. That, in large measure, is what makes them great achievers,” wrote Peter Drucker in “Managing Oneself,” a 2005 article published in the Harvard Business Review. Drucker is considered one of the fathers of modern management; he developed one of the first executive MBA programs in the early 1970s. 
</p><p>Drucker’s article, which was an excerpt from his book Management Challenges of the 21st Century, is still considered the seminal work on self-management; if anything, it has grown more relevant as the emphasis on values-based leadership has become more pronounced. In his piece, Drucker advises managers to answer a series of questions about themselves, and then offers best practice guidance in each area: What are my strengths? How do I perform? What are my values? Where do I belong? What can I contribute?</p><p>In the first area, Drucker tells managers that the one true way to discover their strengths is through feedback analysis. The analysis method is simple: after every key decision or key action made, the manager should write down what he or she then expects will happen. A year later, the manager compares these expectations with the actual results. Within three years, Drucker argues, the analysis will reveal where the manager’s strengths lie. </p><p>In addition, the analysis will reveal “what you are doing or failing to do that deprives you of the full benefits of your strengths,” Drucker writes. </p><p>Take, for example, a security manager who creates a new security plan, and then writes down the expectation that the plan will be implemented in a year. A year later, if there is no progress, the analysis may point to the fact that the manager’s weak advocacy and people skills were insufficient to make the plan a reality.</p><p>Gary Bradt, an executive leadership coach who has written about self-management, says this type of analysis is particularly important for a manager who aspires to climb the ranks of an organization. In some firms, when a manager reaches a certain executive level, the position hinges on two skill sets: managing people and high-level strategy. But for some security managers, who were promoted based on their technical mastery of security, high-level strategy and people skills may not be their long suits. 
“You have to know that,” Bradt says, so that you can get proper training to succeed. </p><h4>How Do I Perform? </h4><p>“Amazingly few people know how they get things done. Indeed, most of us do not even know that different people work and perform differently,” Drucker writes. To ascertain this crucial knowledge about oneself, he advises managers to ask themselves another series of questions.</p><p>Am I a reader or a listener? This first question can make all the difference in performance. To illustrate, Drucker offers the example of two U.S. presidents. When Dwight Eisenhower, a reader by nature, held press conferences as Supreme Commander of the Allied Forces in Europe, he read all submitted questions in advance. That advance reading allowed him to speak in polished sentences once he was in front of reporters. But when Eisenhower was president, reporters were not required to submit questions in advance. As a result, Eisenhower performed terribly at press conferences, rambling on endlessly and avoiding the point of questions.</p><p>Unlike readers, listeners process information best through their ears. Lyndon Johnson was a legendary Senate Majority Leader in part because he could retain and distill everything he was told by countless lawmakers, Drucker writes. (Managers who are listeners may want to take advantage of books on tape—a source that Bradt relies on. “I am an auditory learner,” Bradt says.) </p><p>Another related performance question is, How do I learn? Some people, like Winston Churchill, a poor student who became an acclaimed author, learn by writing. Others learn through copious notetaking. Beethoven, who left behind numerous sketchbooks, reportedly said that when he put an idea in a sketchbook, he never forgot it. Still others learn by hearing themselves talk. Drucker cites a CEO who called his entire senior staff into his office once a week and then talked at them for two or three hours. But some learn only by doing. 
</p><p>The importance of this performance self-awareness extends to the manager’s staff, Bradt says. He offers a negative example of this from his graduate school days, when Bradt was charged by his study group to summarize an assignment. He provided the group with a series of terse bullet points, which were meaningful to him but much too minimalist for the group. “I gave them what I would need, not what they would need,” he says.</p><p>Effective leaders, on the other hand, know what types of learners and performers their direct reports are, so that they can give them what they need to succeed, Bradt explains. Drucker, who agrees with this sentiment, argues that it should work in all directions. Coworkers should know the strengths, the performance modes, and the values of their coworkers. And employees should observe their managers, find out how they work, and adapt their methods to what makes their bosses most effective, Drucker writes. </p><p>Other key self-management questions involve the working environment. Managers should ask themselves, Do I work well with people or do I work best alone? “That’s where the importance of self-awareness comes in,” Bradt says. “Some love interacting with people, and love working in a team environment.” The latter should be aware that they might find it difficult to be at their best in a more solitary executive position, he adds. </p><p>Finally, there is the president-versus-vice-president issue: Do I best perform as a decision maker or as an adviser? Some perform swimmingly as advisers but cannot take the burden and pressure of making final decisions. “This is a reason, by the way, that the number two person in an organization often fails when promoted to the number one position,” Drucker writes. 
Others need an adviser to force them to think, so they can make decisions with self-confidence and courage.</p><h4>​Values and Contributions</h4><p>To be effective in an organization, a manager’s values must be compatible with the organization’s values, Drucker argues. They do not need to be the same, but they must be close enough to coexist. Bradt agrees and adds another wrinkle: an organization shows its true values in its daily operations. A firm may state in its mission statement that “our people are our most important assets,” but if that company decides to do nothing to address its high turnover and bad working conditions, it is obviously not living its values. “Values are real when you use them in day-to-day decisions,” Bradt says. </p><p>For a new manager, the interview process is a good time to touch on these issues. Knowing one’s values allows the interviewee to discuss his or her approach to the new opportunity. For example, a security manager being interviewed for a new assignment may make clear that he or she firmly believes in continual professional development for staff, and thus ask about the possibility of providing workplace training programs and continuing education opportunities.</p><p>Finally, Drucker argues that managers need to ask themselves: What should my contribution be? This question ties together different aspects of self-management: Given my strengths, my way of performing, and my values, how can I make the greatest contribution to what needs to be done? That question must come in tandem with environmental workplace questions: What does the situation require? What results need to be achieved to make a difference?</p><p>Of course, the answers to these questions will differ, depending on the manager and the job in question. 
However, Drucker argues that the following benchmark question will be applicable in most situations: Where and how can I achieve results that will make a difference within the next year and a half?</p><p>“The answer must balance several things,” Drucker writes. The results should be ambitious, but not impossible—within a reasonable reach. Second, the results should be meaningful and make a difference. Finally, the results should be visible and, ideally, measurable.</p><h4>​Mitigating Bias </h4><p>Even the most effectively self-managed leaders are biased. “We see the world through tremendous filters. And we are not aware of these filters,” said David Rock, president of the NeuroLeadership Institute, in his address “The Neuroscience of Breaking Bias” delivered at the Society for Human Resource Management annual conference last year.</p><p>And bias can have a large impact on a manager’s decisions, from hiring to assignment delegation to performance reviews. This made bias an important area of study for management scholars, with a traditional focus on what managers can do to reduce their own bias. But scholars have found that reducing one’s own bias is quite difficult to do effectively. “Much work in this space hasn’t really moved the needle,” Rock said.</p><p>That’s generally because overcoming bias is not simply a matter of will. Managers who are motivated to self-examine for bias are still likely to come to the conclusion that they are not biased. Instead, experts say it is more effective to try to mitigate bias by building procedures designed to weed out bias into operational systems. </p><p>An example of this, Rock said, is the use of a stock investment system that is based on a mathematical performance evaluation formula. The formula, which is based on hard data, is a better alternative to simply choosing stocks by one’s gut feeling, which reflects personal bias. </p><p>For managers, one of the most relevant types of bias is similarity bias. 
Similarity bias is the following feeling: people like me are better than others. The “people like me” similarities may range from ethnic background, religion, race, hobbies, and economic class to professional approach and personality types. Studies have found that this similarity bias can have a major impact on hiring decisions, Rock said. “In hiring, when you take age/gender/race away, you get very different results,” he says.</p><p>But similarity bias can affect more than just hiring. Promotions, succession plans, vendor selection, and assignment delegation are all vulnerable to similarity bias, as well as more subtle influences such as “how I engage with you in meetings—I listen to your ideas a little more than those of others,” Smith says. “I invite you out more often. I review you better.” </p><p>Similarity bias is not a new concept, of course, and some have tried to use it in their favor for career advancement purposes, such as the employee who learns golf to bond with the golf-loving boss, or the interviewee who is coached to consciously mirror the interviewer’s body language.   </p><p>For managers interested in effective self-management, similarity bias, given its potential impact, must be contended with. “We need to mitigate similarity bias, and we need to do it quite proactively,” Rock explained. As a best practice, Smith recommends doing this in a few steps. First, managers should not deny their own bias, but accept it as a natural byproduct of being human. Second, managers should label the bias, so they understand what type of bias it is. </p><p>Third comes the mitigation effort. This can be tricky, Smith says, because once a manager discovers a similarity, it’s hard to unlearn or reinterpret it. So, Smith advises that the manager make the effort to find similarities, or connections, with all other people in the hiring pool, or in the security department, or whatever the relevant group. 
This is doable, experts maintain, because there are similarities that all people share. “If you can’t find it, you’re not trying enough,” Smith says. This action mitigates similarity bias by putting employees on a more level playing field. </p><p>Another mitigation method for similarity bias is through reframing key questions. In hiring, for example, many organizations look for hires that will be “a good cultural fit” and enjoyable to work with on a day-to-day basis. Sometimes, the hiring manager uses what is called the airplane test: if you are sitting next to this person on an airplane and forced to chat for three hours, would you enjoy it? </p><p>But a manager can mitigate similarity bias by reframing the hiring question to: if the plane went down and we had to work in tandem, which candidate would most enhance our chances of survival? “Those are the people you want on your team,” Smith says, because complementary skills are sometimes more valuable than similarities. </p><h4>Feedback and Responses</h4><p>Experience bias is another form of bias that is difficult to reduce. “You cannot see the world not through your own eyes,” Smith says. “Everything we do is colored through that lens.” And so, a manager’s decisions will sometimes be at least a partial product of his or her experiences, even if those experiences are relatively narrow and not reflective of the world at large. </p><p>How can experience bias be mitigated? By seeking out other perspectives. Smith uses the example of a manager making a presentation. Smith advises that the manager seek out feedback from someone who seems to have a different world view or approach to things, whose opinions seem to be on a different wavelength. By soliciting this different, even diametrically opposed, view, the manager can mitigate his or her experience bias. </p><p>And soliciting feedback can have other benefits, Bradt says. Often, the person offering the feedback is saying what he or she needs. 
He gives the example of a manager who solicits general feedback from a colleague, and the colleague says that the manager is often multitasking and does not seem to be listening when they are in a conversation. </p><p>That might not actually be true; the manager may in fact be able to listen closely while multitasking, Bradt says. But the feedback reflects the colleague’s need to be heard. “That’s still extremely helpful,” Bradt says, because the manager learns about the needs of colleagues, which is valuable information for any leader. </p><p>In addition, feedback can also help managers become aware of their automatic emotional responses, Bradt says. For example, a colleague might point out that a manager is quick to forcefully react when challenged, in a way that might be considered overreacting. This can be the starting point for honest self-reflection by the manager, which can be crucial for effective self-management. </p><p>“That’s kind of the biggest challenge. You have a situation, and then you think, ‘What happened there? That really set me off—why? What are my patterns?’” says Bradt. Such reflection could lead to a breakthrough, such as the need to override those hair-trigger responses when necessary. </p><p>If all this seems daunting—good, it’s likely a sign of growth. “You have to make yourself uncomfortable,” Bradt explains. But the core of self-management—modifying your behavior to get desired results—is a skill that can be cultivated, he says. The essence of leadership is having a vision and motivating and inspiring people to do things better, and self-management can be a crucial step to becoming a more consistent and effective leader for others.</p><p>“If I am going to lead other people, I have to be able to manage myself,” Bradt says. </p>

Five Insights on ESRM
https://sm.asisonline.org/Pages/Five-Insights-on-ESRM.aspx
<p>There are five overall concepts that provide guidance about the nature of enterprise security risk management (ESRM). These concepts describe what ESRM is, what it can do for security managers, how security can gain C-suite approval for it, and how to implement a vibrant ESRM program for the enterprise. </p><h4>ESRM Is a Philosophy</h4><p>ESRM is not a standard, nor is it a rigid set of rules to follow. ESRM is a philosophy of managing security. It is based on standard risk management practices, the same ones that guide most of the other business decisions made by the enterprise. It requires partnership with the business leaders in the organization.</p><p>This philosophy gives the security leader the ability to manage security risks. This ability is not based on the latest incident or scare in the news, nor is it based simply on the manager’s own ideas of what is most important to protect. Instead, it is based on a shared understanding of what the business deems critical for risk mitigation, and what level of risk the business is willing to accept in different areas. This ability also requires that the business fully understand why the security risk mitigation tactics have been put in place, and what the impact of not having those mitigations might be. </p><p>The emphasis here is on business. ESRM philosophy recognizes that security risk does not belong to security. It is a business risk, like any other financial, operational, or regulatory risk, and final decisions on managing that risk must belong to the business leaders. That shift in understanding sets a security program up for a greater level of success because security leaders are delivering only what the business needs, and, more important, what the C-suite understands that it needs.</p><h4>ESRM Is a Process</h4><p>ESRM is not merely an academic philosophy. 
A general approach for setting up and running a security program can be derived from it. Under that approach, ESRM in action is a cyclical program, and the cycle of risk management is ongoing:</p><p>1. Identify and prioritize the assets of an organization that need to be protected.</p><p>2. Identify and prioritize the security threats that the enterprise and its assets face—both existing and emerging—and the risks associated with those threats.</p><p>3. Take the necessary, appropriate, and realistic steps to protect and mitigate the most serious security threats and risks.</p><p>4. Conduct incident monitoring, incident response, and post-incident review, and apply the lessons learned to advance the program.</p><h4>ESRM Aligns with the Business</h4><p>Aligning the security program with business requirements is the most critical component of the ESRM philosophy. This means that the security program must receive governance and guidance from the business. We recommend the formation of a security council to ensure this alignment. </p><p>There are several ways to implement a council. It could be a loose, informal group that provides input as needed, or it could be a board-level initiative that has formal roles, meetings, charters, and documented responsibilities for ensuring security compliance. The council can be a venue for discussing security topics and risk management strategies, and it can host resolution attempts for conflicts in the process. </p><h4>ESRM Covers All Security</h4><p>There is no aspect of security that cannot be managed in alignment with the ESRM philosophy. Many security professionals already practice much of the ESRM philosophy without thinking of it that way. For example, performing a physical security risk assessment on a facility is equivalent to the ESRM steps of identifying and prioritizing assets and risk. 
And setting up a crisis management plan can be considered an aspect of ESRM risk mitigation, as well as incident response.</p><p>The critical difference between programs that do these activities as part of a traditional security program versus an ESRM program is the consistency of approach in ESRM. In ESRM, these activities are not performed on an ad hoc basis but consistently across all areas of security risk. They are not applied to one area of the organization and not to another. And, vitally, they are not performed in a vacuum by security and for security, but in full partnership with the business leaders driving the decision-making process for all risk mitigation.</p><h4>ESRM Is Possible</h4><p>Implementing ESRM cannot be done overnight. It’s an iterative process that allows your security program to evolve over time into a pure risk management approach. For the security manager, the first step to fully understanding the ESRM philosophy is to communicate it to the executives and business leaders in the enterprise. </p><p>When implemented thoughtfully and practiced consistently, ESRM can completely change the view of the security function in any organization. The old view of security as “the department of no” will shift when business leaders understand that security is a partner in ensuring that the assets and functions of the enterprise most critical to the business are protected in accordance with exactly how much risk the business is willing to tolerate. </p><p><strong><em>Rachelle Loyear</em></strong><em> is ESRM Program Manager for G4S and chair of the ASIS Crime Management and Business Continuity Council. </em><strong><em>Brian J. Allen, Esq., CPP,</em></strong><em> is a member of the ASIS ESRM Commission. 
Allen and Loyear are coauthors of </em>The Manager's Guide to Enterprise Security Risk Management <em>and the forthcoming book </em>Enterprise Security Risk Management: Concepts and Applications.</p>