September 30, 2011

Keep It Simple

I had the privilege of hearing Harry Kraemer, former CEO of Baxter, present on leadership. One of his key tenets is Keeping Things Simple, and it applies directly to how security professionals sell security to the organization.

Make everything as simple as possible, but no simpler.

— Albert Einstein

I had the privilege of spending two hours the other day hearing Harry Kraemer, professor at Northwestern University’s Kellogg School of Management, present on leadership. It doesn’t hurt that before teaching at Northwestern, Harry was CEO of Baxter. As an attendee, I got a copy of Harry’s book From Values to Action.

One of Harry’s key tenets is Keeping Things Simple (page 113). To paraphrase Harry’s example in the presentation, managers often say “this is complicated.” As a security professional, I hear that all the time from fellow security people: “APT attacks are complicated.” To steal Harry’s point, our management teams are paying us to make it simple.

If we are going to be successful selling security to the organization — whether to get funding or get compliance — we need to keep the message simple. Are we building an end-to-end identity management system to integrate the provisioning of our core systems? Or are we implementing a technology to make IT access more efficient? I see a couple of key communications myths in security organizations:

  • Complication equals funding -- The more complicated the threat, technology, or process, the more likely it is to be funded. The reality is that the CFO should understand what he/she is paying for.
  • Statistics -- I've been in a few board meetings where security statistics are reviewed. Typically, the security person spends more time explaining what a vulnerability is instead of explaining how they have fewer of them.
  • Just Say No -- I see this way too often. Instead of explaining how someone can do it right, security people just say you can't do it. This typically results in people who just stop asking.

Instead of a long list of communications tips, it really comes down to Keeping Things Simple. If the CEO of your company won't understand, go back and come up with a better explanation.

There are a lot of great ideas in From Values to Action that security professionals can use to be better leaders. If we can start with Keeping Things Simple, I'm sure we will all be better off (and possibly more secure).

As originally posted at jayschulman.com on September 30, 2011.
