Security is 90 percent psychological and 10 percent physical; that is, many see security as protecting people and property from intentional harm, and doing so by focusing on, for example, physical or digital barriers. This is of course entirely appropriate; however, it only forms part of the security ‘picture’, because security also connotes the psychological state of being secure, being free from fear.
As stated on the Security Professional Registry of Australasia website (www.SPR-A.com.org), “The concept of security is more than just protection. Security also means enabling individuals to live in their communities free from fear. Persons registered must recognize and achieve a balance between providing the competencies and ethics of ‘protection’ on the one hand with the social need for ‘belonging’ on the other.”
When talking of security leadership, particularly when considering leadership in relation to a serious or catastrophic event, it is necessary to address the creation of a security culture, a culture of resilience, and the type of leadership required to achieve it. This article puts together some ideas, comments and suggestions from a number of ‘experts’ and then presents a small case study from the author’s own experience.
As stated by information security expert Joseph Granneman, “Success in building a lasting information security program can be achieved only through influencing organizational culture. The most important factor for any CISO building an information security program is the ability to change the organizational culture. The main indicators of an organization’s readiness for cultural change will be the existence or lack of executive support.”
Granneman refers to the often stated maxim that, without being driven from the top, organisational cultural change seems doomed. Other conceptual approaches to leadership advocate for a bottom-up approach. But whatever approach is adopted, most focus on the attributes necessary of a successful leader.
Security Magazine’s Lynn Mattice and Jerry Brennan reported , “Chief Executive Magazine last year  published the results of a survey they conducted of CEOs asking them to identify the top 10 skills needed for effective leadership. The results were as follows:
1. adaptability to change
2. strategic thinking
4. very good communicator
5. being trustworthy and open
7. develops and fosters diverse teams
9. a positive mind-set
10. high self-awareness”
While these are very fine attributes, they address the skills an effective leader should possess, not how or why to exercise them. Care however must be taken, as attributes without action will achieve nothing.
“Effective leadership is not about making speeches or being liked, leadership is defined by results not attributes” (Peter F. Drucker).
Another question that needs be addressed is whether these skills need only be possessed by the leader rather than by a range of people in any organisation. Myles Munroe stated, “Leadership is the capacity to influence others through inspiration, motivate by passion, generated by vision, produced by a conviction, ignited by a purpose.” However, there is also the wisdom of Lao Tzu, “A leader is best when people barely know he exists, when his work is done, his aim fulfilled, they will say: we did it ourselves.”
In an organisation with a resilient security culture, aspects of leadership exist in many parts of the organisation. Of course, building a resilient security culture is not a simple task and certainly requires executive leadership as well. This is particularly the case when building a culture to prepare for and survive a major security incident. It is here that a focus on the psychology of security is paramount. “All of the great leaders have had one characteristic in common: it was the willingness to confront unequivocally the major anxiety of their people in their time. This, and not much else, is the essence of leadership” (John Kenneth Galbraith).
In the article Houston, We Have a Problem: Leadership in Times of Crisis about the Challenger disaster, Winston Scott, a retired astronaut and consultant, outlines what he considers to be the most important steps in preparing for and surviving a catastrophic event. These include:
• Space Mission Lesson #1: Prepare for the unknown – a leader needs to anticipate any potential problems.
• Space Mission Lesson #2: Conquer communication barriers – get to know the members of your team well. Ascertain their communication strengths and weaknesses, particularly in times of crisis.
• Space Mission Lesson #3: Be alert to non-verbal communication – a good leader will pick up on cues to potential problems and misunderstandings before they arise.
• Space Mission Lesson #4: Ask for help – a leader must demonstrate an immediate understanding of the problem. You cannot appear wishy-washy, even if, at the moment, you do not have a clue what is going wrong. You need to demonstrate self-assurance to show that you are in control. People follow confidence. Keep in mind, however, that confident does not mean omniscient.
• Space Mission Lesson #5: Earn real experience – business leaders, like astronauts, obviously need technical training in their fields, but equally important are maturity and experience at making real-time decisions.
While Scott talks about leadership in a space mission crisis, his suggested steps are valuable for both preparation and dealing with any crisis event. An inference that can be drawn from his five lessons is that successful leaders should have a high degree of emotional intelligence to be able to anticipate problems and understand non-verbal cues, while demonstrating self-assurance, maturity and experience. A big ask, but it is true to say that everyone needs to develop such attributes, no matter where they sit in an organisational structure.
The beginnings of my personal approach to understand and apply some of the issues raised here occurred many years ago when I was president of the NSW Anti-Discrimination Board (ADB).
I had joined the ADB initially as a rather green lawyer to head up a small legal team to give advice and run discrimination cases before the Equal Opportunity Tribunal. This was my first foray into team leadership, and I struggled at first with how best to manage for results. The ADB was a high-stress environment with a large work load of extremely sensitive and politically charged cases.
My first learning was that I did not always have to be the smartest member of the team (even at times when I might have thought I was!). Acknowledging the strengths of the other members promoted trust and open communication. As an aside, I would recommend that everyone try to employ or work with people smarter than them; it is the best way to grow.
Subsequently, I was promoted to be principal conciliation officer and deputy president. My challenge then was to work cross-functionally across the different branches of the ADB. My difficulty was that I was a lawyer and now charged with managing a large team of conciliators within a culture where lawyers were not considered adept at conciliation. My learning here was to listen and learn from the staff that had the skills that I lacked. Being open to learn, give positive feedback as often as possible and accept criticism where deserved also engendered trust.
Ultimately, I managed to change the focus of the ADB from advocating for complainants to working with actual and potential respondents to attempt to eliminate discrimination and reduce complaints. This was achieved by stating a clear purpose and ensuring all staff understood and accepted it.
One day after being appointed president of ADB, I was walking through the reception area when a dozen or so balaclava-wearing members of National Action (an ultra-nationalist group) burst through the doors and demanded of me to see the president. I informed them that I was the president, but they did not believe me!
As it was clear to me that their main purpose was intimidation, I chose to remain calm and present them with a question: If I was not the president, then why would I say I was in the face of their intimidation and, if I was the president, then the intimidation had not worked. This caused sufficient confusion in the group. Eventually, the spokesperson demanded to speak about immigration, so I simply asked him what he had to say. As this was not expected and they had no sensible arguments, relying on intimidation alone, which had not been successful, they eventually left.
During the time I was talking to them, my office manager had seen what was happening and managed to get all the staff out of the office and down the back stairs. This was good security management which did not need a direction from me.
While I make this scenario sound almost humorous, a number of my staff required counselling, which I of course made available to all who requested it. I was extremely proud of my staff for the way they had handled the situation. They did so because we had a culture of helpfulness, open communication and trust.
This was the first, and not the last, experience in security leadership that I have experienced, each of which have taught me more about leadership but, more importantly, about myself.