Are You Tired Of Relying On Failure
As The Only Way
To Squeeze Security Budget From The Business You’re (Quite Often Literally) Killing Yourself To Protect?
Yes. You read that right. I said one of the most repeated themes I hear when I speak to CISOs, their direct reports and genuine Security Architects (who I collectively refer to as “security leaders,” because they’re the ones that make the decisions that really matter) is this:
“We’re just waiting for a breach. It’s the only way we know we’ll get any money!”
Who knows? Maybe you yourself have said something very similar—or at least thought it.
And it’s probably one of the most soul-destroying feelings we can have. We know what needs to be done. We’ve been tasked with building a team capable of doing it. We have mountains of evidence that says quite clearly – and sometimes in SENSATIONAL HEADLINES – what will happen when we don’t. And yet…
We Just Can’t Get Them to
SIGN THE FREAKIN’ CHECK!
And when that happens, we feel the pressure even more. We feel it in our neck and shoulders… We feel it in the pit of our stomach… We feel it when we arrive home after a long day and when asked to help with homework, or asked, “How was your day, honey?” all we REALLY want to do is yell at the people around us who we love so much.
All that stress does some pretty nasty things to our bodies and our minds—not to mention sits us perilously close to the edge of a downward spiral that’s hard to break. Once we get too overwhelmed, we can’t remember things…we make poor decisions…and we often get caught being more “truthful” than the people around us are ready to hear.
In some cases, the latest research says it makes CISOs even think seriously about leaving the industry because they can’t keep up with the pressures…the never-ending grind of keeping “nothing” happening…and the lingering threat that whenever that breach you’ve been hoping for actually happens so you’ll finally get the money you’ve wanted…
It May Be Your
Last Day on The Job.
But consider this:
In the midst of all that spiraling stockpile of stress, where it’s difficult to make a decision…to think…or sometimes even remember your own name, it’s also very, very hard to step back and ask the simple question: why?
Why can’t we get them to sign the budget allocation we know we need to do the things WE KNOW we need to do?
What is it that makes their hands hesitate?
What is it that really causes the resistance that holds our ideal security program hostage?
It’s also sometimes very hard to ask the right questions.
So, you might be wondering, “I can think of LOTS of questions. How do we know they’re the right questions?”
We know they’re the right questions when we start to appreciate their view of the world. How, with all these other internal initiatives going on, security isn’t more important. Why, even with all the increased legal and regulatory scrutiny any global company is under – and with clear, documented examples of hostile nation states engaging in industrial espionage or disruption of operations – security is still “a necessary evil” and only a “cost center” or even sometimes seen as “getting in the way” of making money.
Put another way, despite all of the lip service, media attention, government regulations and industry emphasis on the importance of security, we ultimately need to figure out:
Why Don’t We
Have Their Attention?
…that is, until something breaks—and they HAVE to worry about security because we’re in their face. And they realize that we’re in their face because someone higher up the org chart may end up with their name in a national newspaper headline.
Who likes anyone you only see when “they’re in your face” and telling you something’s broken?
I certainly don’t. And I’m pretty sure your business customers – some of them at least – feel the same way.
So, our TOP PRIORITY should really be: figuring out a) why we don’t have their attention and b) how do we make a habit of showing up when nothing’s actually broken.
But it isn’t…is it?
Instead, survey after survey – and conversations with our peers – tell us our top priorities are:
It’s all about the threats. It’s a game of Whac-a-Mole played on a global scale, with millions of moles ready to jump out and get us at any time, and while we’re trying to wield a hammer made of hundreds of different security tools—sometimes held together with duct tape. And when – not if – we miss one:
We Lose Real Money,
We Lose Real Customers,
And We Might Even Hurt Somebody!
And we know it’s going to happen.
It’s like that line in the classic Ray Stevens song The Streak: “Don’t look, Ethel!” It’s too late. We can’t help but look. We’ve already been breached.
We’re human, and it takes effort to bypass our brain’s natural tendency to focus on what we know, or all the bad things we’ve been told can happen. So, we sit…just waiting until they do, so we can close that open loop.
What little energy we have left to think about “changing the way things work” often gets sucked out of us every day…alert by alert…vulnerability by vulnerability…and meeting by meeting—having the same conversations with the same people about the same problems we’ve already talked about 100 times before, and yet, can’t get addressed because we don’t have the budget to buy more tools we think will help…or hire people we know we need…or even buy the time to make the improvements we want to make.
It’s like that oozing zombie hand that reaches up out of the ground, grabs the ankle of the screaming teenage girl, and pulls her under the inky-black dirt: we can’t escape.
We Can’t Escape With The Same Thinking That Got Us Here.
We need to think differently. We know that.
But what we don’t always know is…how.
And because learning to think differently when you’re hanging off a bullet train going 200 mph by one hand while the other hand is dragging around 250 security controls, an overworked and over-stressed team and your mind is racing trying to figure out how to use your next fleeting 5 minutes with the Board of Directors until next year, AND, up ahead, you see you’re about to shoot into a distinctly “train sized” tunnel…
It might be good to know that there was someone standing on the top of that train with magnetic boots and who was ready – and able – to reach out and do their best to pull you inside before you lose your grip (or before you make a CISO-shaped, greasy spot on the side of a mountain).
Knowing that someone’s in your corner. Someone who can help you see things just a little bit differently. Someone who doesn’t have years – or sometimes even days – of indoctrination into “how we do things around here” and isn’t going to unconsciously discard “crazy ideas that would never work” or tiptoe around any “sacred cows” that might be preventing you from solving the real problem.
And, to me, that real problem is giving your customers (because you do have them)…
Value That They
ACTUALLY Care About.
It’s that “Yes, damnit. I know that” problem.
It’s that “I know we need to do it, but I can’t find the time” problem.
And it’s that “I’d love to find out what they really want, but I can’t get a meeting with them” problem.
That’s actually the problem that defines everything about what the Effective Security Leadership Coaching Program is designed to do and how it works.
After 25 years working with both business and technology…and after getting a Computer Science Degree…and after working on large-scale projects with governments and global organizations…and after helping over 200 students of the SABSA® methodology earn their official certifications—and NOW, as I help CISOs and other Security Leaders transform their teams…
How To Deliver – And Measure – Real Security Value Is Clearly The Only Question That Matters.
All the rest is commentary.
And sometimes, having someone “without a horse in this race” and an outside perspective is all it takes to unlock the one insight necessary to totally transform your world.
Sure, you’ll still need to keep the day-to-day stuff running, and it doesn’t mean that the threats will go away.
But the goal of the program is to help you see things you might not otherwise notice, to give you perspective on what you’re doing, to help you prioritize your overflowing “urgent and important” pile…
…and to hopefully help you get more satisfaction, more peace of mind and more performance out of both yourself and your team—all without spending several hundred thousand dollars on a full-scale transformation program.
Here’s just some of the topics I’ve addressed with my coaching clients:
• The startling discovery (from over 10 years of MIT research) that proves once and for all buying more cybersecurity technology will NEVER solve your organization’s cybersecurity problems (and what you can do instead)
• The number one rule you MUST follow when trying to hire a security professional (and how when you DON’T do this, your job postings will only be filled by opportunistic, unqualified and undesirable applicants who lie on their resume)
• How to produce AWESOME security reports the Board and executives will love (you’ll know the exact things to say—even if you only have 5 minutes)
• 3 “tricks” which are the surest path to getting confidence you’ve made the right investments in security controls (and how to make sure you keep that confidence over time)
• The vital importance of understanding the “improvement paradox” and what it means for ANY program improvement investment you make—so you can solve the right problems and avoid digging a new grave in the “failed change program” cemetery
• The most powerful cure for CISO stress and preventing staff burnout (and, no, it doesn’t come in a powder, bottle or paper wrapper)
• A unique technique accidentally discovered by John Sherwood and David Lynas that changed everything about demonstrating the value of your security program (and how it’s used to make it crystal clear exactly WHERE and WHY you’ll spend your budget this year)
• The ugly little secret that security vendors don’t want you to know (that, in fact, their very existence depends on you never really believing)
• How to escape the shadows and get credit for “fixing problems that never happened” or that (almost) nobody noticed (without having to wait for a major breach to focus the attention of management on cybersecurity)
• A simple “laundry list” of things you need to know before you write any job description for your team (and if you’ve been struggling to hire – and keep – people, you’ve probably missed one or two)
• The pure magic of a well-defined security governance model (that you can use EVERY time, the SAME way, and be confident you’ll be doing EXACTLY the right thing, the right way and in the right place)
• The “big lie” of cybersecurity risk assessments (and how by doing this, you’re almost GUARANTEED to be focusing on the wrong risks)
• The ugly little secret that cloud, virtual infrastructure and “zero trust” vendors don’t want you to know: there’s ALWAYS an edge. The real problem is how you go about figuring out what’s on each side of that edge and what you’re really gonna need to do to enforce it—because…
The great myth about complexity is that you can eliminate it. You can’t. All you can do is just move it around – and hopefully – bury it away so deeply that, on most days, you can get by with “forgetting” how complex everything really is. I mean, let’s face it, between 1970 and 2019, the basics of driving a car are pretty-much the same. But…
The Mechanism Itself Is About A Billion Times More Complex!
All you need to do is just have the right approach to identify it and make sure it doesn’t “leak out” into the everyday world—so you don’t need to have a degree in Computer Science and Mechanical Engineering just to drive your car!
• The ugly little (open) secret that our current reliance on security tactics has run its course (and the principles you need to learn TODAY that will put you 10 years ahead of most of your peers)
• 3 critical security team roles you should NEVER outsource (and why if you do, you run the risk of creating chaos in your team and increasing your job stress exponentially)
• Examples of the deadly disease of premature optimization security often catches from their fellow technologists (and how these cases can wreak just as much havoc as an uncontrolled Ebola outbreak while hungrily eating away at your credibility with the business with a seemingly insatiable appetite)
• The correct way to manage “improvement lag” so you properly set expectations (for yourself, your team and your customers) and don’t end up making promises you can’t keep or giving up before real change can take place
• What to NEVER say to “the business” if you want to build your credibility and gain their trust (and the simple phrase to help you ALWAYS remember it)
• The real reason adopting security frameworks and methodologies fail to deliver the results you expect (and 5 ways you can avoid falling into the same trap)
• Why even seasoned security vendor CEOs are saying what has worked for you in the past CAN’T continue to work for you in the future (and what it will really take to get – and stay – ahead of the bad guys)
• Why managers almost always fail to understand it isn’t simply a choice of “work harder” vs. “work smarter” (and why you MUST do both—and how to balance them successfully)
• The one-and-only, proven-effective way to prepare yourself for the security requirements of tomorrow right now (and the thing that even many, highly-experienced security professionals not only don’t understand—much less even consistently define)
• Why “the business” wants nothing to do with you (or why they look at you the same way they do a slick, “ambulance chasing” lawyer with potentially questionable ethics. And the difficult shift of mindset you MUST make to show them you really are there to help them conduct business safely and make money in the real world)
• How focusing people and budget on building a world-class SOC team to deal with the current tsunami of threat intelligence is actually going to WEAKEN your security program’s effectiveness
• The subtle reason why the approach you may be taking for security not only strengthens the mortar on the silos everyone claims to want to tear down, but how it also…
Disempowers Not Only Your Real Security Customers but Your Security Team Itself!
• The deceptively simple techniques that let you ACTUALLY “see” your infrastructure through the lens of the applications running on it—one at a time, and in as much or as little detail as possible (and no, I’m not talking about yet another “magic tool” here. This is something that you’re gonna have to learn to do yourself. The tools – when they exist – will just make it easier and faster.)
• How the security profession truly needs to “change our approach” (and why it isn’t necessarily the “change” the control vendors would have you believe you need to make)
• Everything you need to know to re-zone the “agent sprawl” of your infrastructure landscape (and maybe even eliminate some of those outdated, redundant or unnecessary controls in the process)
• Exploding the myth of “all we need is more security data and then we’ll be able to know exactly what’s happening” (and discover the “life saver” that will keep you from drowning in a stormy, stinking sea of SIEM, making sure that it always works for you rather than you becoming its slave)
• The heart-breaking reason even the people most dedicated to fulfilling the mission of security – to keep the organization “open for business” – are still suckered into making the wrong choices about where to invest their time and energy
• How you can smash silos in your team by playing games (yes, GAMES!)
• The 3 mistakes even experienced CISOs make when trying to increase the performance of their teams that eventually lead to constant fire-fighting, burnout and employee turnover (and the scientifically proven ways to stop making them)
• How you can break the deadly habit of focusing too much of your team’s budget and effort on infrastructure (even though it’s often the most natural, comfortable and easy thing for your team to do)
• And a whole lot more, including…
Why you MUST challenge your external threat intelligence reports… The reason most security maturity scores are meaningless… When it’s ok to NOT write documentation… The parts of the NIST CSF you can safely ignore… Why you should tear up your security policies…and, perhaps the best part of all…
How You Can Deliver “Agile Security”—Even When Your Organization Isn’t!
But here’s the thing…it just might not be for you.
Some people I’ve spoken to just don’t really believe in coaching. They don’t really think building their own skills and self-awareness is going to make much difference to the way security runs on a day-to-day basis.
With that kind of bias, their mind is already closed tighter than a raw recruit’s sphincter the first time they “take a walk” at only 500 feet, and, regardless of what I might say or what I might do to help them see differently, it’s just not worth it—for either of us.
Other people think that somehow, “coaching” is just another name for “minion.” Or that this is some kind of consulting engagement in disguise.
There aren’t any deliverables in a coaching program. That’s not how it works.
And in fact, it might not even be possible to achieve the objectives we’re working on. It can happen—and for a bunch of different reasons beyond anything either of us can control.
So you need to be very clear what you’re signing up for. I’m here to share my knowledge, expertise and experience to help you find new answers, validate your thinking and help you learn new skills. That’s my job.
Your job is to create value for your organization. I can’t do that for you. So – please – make sure you’re crystal clear on exactly how this is going to work, or it’ll end up being…
An Unmitigated Disaster!
Still other people really do see the need, and they know, while they might get there eventually on their own, it’s better to go together if you want to go far, as the old African proverb says.
Ultimately, those good intentions get swept away by the day-to-day whoosh of life in the modern security team of an organization earning billions of dollars in revenue a year. They get busy. They’re always rescheduling the calls, or they pick something that isn’t really a critical blocker for them, so they don’t have the fortitude and the persistence to actually do something about it—for good.
It’s really a “nice to have” vs. a critical necessity.
So, they sign up for the program, they pay their money, and become just like those people who pay the “gym tax” of a health club membership they never use:
They Get Zero Value And Waste Their Company’s Money
And while you might be thinking, “Well, what do you care? You get paid either way.”
It’s a valid question.
Here’s the answer: IT SUCKS!
And it sucks because I know I can help them, but I can’t do the work for them. I can’t solve their problems. They own them, not me. So, if they don’t put in the effort, nothing really changes.
So, it sucks for both of us, actually.
If you want to be successful and get real value from this program, you’ve gotta show up. You’ve gotta do the work. I’m not your Mom. You have one of those already. I’m not going to hold your hand…get you out of bed in the morning…make you breakfast…and make sure you’re not late for school.
Those days are over. This is the real world.
Also, contrary to what you might think, I don’t just let anyone into the program—especially if I don’t believe they’re going to actually do the work.
And that’s because, frankly, my time is valuable too, and I have better things to do than to show up, trying to help you when you’re not really committed to thinking or doing things differently than you are today.
“I’m too busy,” just isn’t an excuse.
You can be busy, and of course, things happen, but there’s a big difference between those people who have setbacks, or who have to put things on hold, but yet still fight tooth-and-nail to claw through whatever was holding them back (because they believe they can do better) and those people who just “get sidetracked” or who blame their lack of progress on anything – or anyone – instead of taking the responsibility for their own lack of action.
If you’re one of those people (and I’ve had a few slip through)…
PLEASE Don’t Sign Up For The Program!
If you’re the kind of person who believes there’s always something you can learn, and if you’ve tried and tried and tried…and TRIED to solve some pesky problem that seems resolutely unsolvable…
…or if you’re the kind of person who values constructive criticism, honest feedback and alternative points of view…
Then you’re probably someone I can help. I won’t know for sure until we talk, and the only thing I can truly guarantee is that…
I Don’t Have All The Answers.
However, I might have some of the right questions that can help YOU find the right answer in YOUR organization to the ultimate riddle of security:
What Do YOU Mean By “Security”?
Here’s how the program works:
Each coaching cycle is 3 months. During those 3 months, we’re going to have a weekly, one-hour call where we can talk about whatever you want. We can review your policies…we can talk about aligning with your organization’s business strategy…we can talk about whether your security strategy makes sense…we can talk about hiring issues…we can do a deep dive on a risk assessment and its mitigation plan. It really doesn’t matter. It’s about addressing the problems you need to solve right now so that you can move on to whatever it’s stopping you from doing.
In every session, we’ll be validating your progress on a set of coaching objectives for the cycle that we agree together. Those coaching objectives drive every interaction we’ll have, and they’re about making sure you get what you want out of the program. Of course, during the cycle, we can change them. That’s not a problem. But, they’re both our guide and our yardstick to make sure you’re getting what you need from your investment.
Each of our calls will be recorded, both audio and video if you wish, so anything we say or anything we share is captured for reference, and we can build on it over time.
Between calls, you’ll be able to engage with me in real time using Flock (it’s like Slack, but green), and we can exchange an almost unlimited number of emails to address follow-up items, questions, or so you can share your work in progress. Now, I say “almost unlimited” because it is a privilege to have that kind of access to me, and I’ll do my best to respond within 24 hours. However, if you overload me with emails, or the emails you do send aren’t relevant to our coaching objectives, I WILL kick you out of the program—guaranteed. And that’s because:
Coaching Is A Relationship Based On Mutual Respect
…so if we don’t respect each other – including our time – then we’re not going to be able to work together.
If, for some reason, things aren’t working out, then I also will do as much as I can to help get things back on track. If that means additional calls, longer calls, or anything we agree might help, then that’s what we’ll do. Of course, that’s also under the assumption that you’re keeping up your part. If things aren’t working out, and you’re not getting the value you expected from the program because you’re skipping calls, or you’re not doing your homework, or you’re just not engaged—then that’s nothing I can fix. So, ending the coaching relationship might be the only way forward.
Again, part of the reason I don’t just let you sign up with a big BUY NOW button is that I want to get a feel for who you are, what you want to accomplish and establish whether I really can help you.
But remember…based on the problems you’re facing,
I Might Not Be Able To Help.
The problem might be too big to solve between the two of us…the problem might need more than coaching…the urgency might not be enough to keep you focused…the problem might not fit with my areas of expertise…or there just may be barriers within your organization that don’t allow you the space and flexibility to do what you’d need to do to fix it and move forward.
Any of those reasons are things we need to identify up front, so that’s why the only way to get into the program is to schedule a screening call using the button below. If all goes well on the call, and we’re both happy moving forward is the best bet, then I’ll arrange for payment to be processed. In most cases, this is as simple as an online credit card transaction, so you don’t have to worry:
The Program Won’t Break Your Training & Development Budget.
However, if we need to make other payment arrangements – like getting a PO and submitting an invoice – then we can work through those on the call.
We can accommodate your needs in this respect. We’ve done it before, and we can do if for you too if necessary.
Once the payment’s been processed, then I’ll send you a few emails, welcoming you to the program and giving you the links to the formal coaching agreement. That coaching agreement includes the NDA provisions enabling us to talk about whatever we need to address. I’ll also have you fill out a detailed induction form to get as much information from you about what you want to accomplish with the program so we can spend the first call working on defining your coaching objectives.
From there, we’ll agree a mutually-convenient call schedule and then…
Get Started Solving The Problems You Want To Solve As Soon As Possible!
So, now that you understand what the program is about and what you’ll be signing up for, if you:
…then click on the button below to…Schedule Your Screening Call TODAY!
P.S. There’s only a limited number of slots, and when they’re full, they’re full. You’ll just have to wait until someone completes their cycle and decides they don’t want to continue.
If you want to make sure you’re on the list when the next one opens, I suggest you high-tail it to the button above RIGHT NOW and see if the Effective Security Leadership Coaching Program is right for you.