Leadership Lesson: Think Differently
"1. Think differently
Don’t be afraid of challenging the status-quo. True excellence as a security executive and leader demands you are willing to think differently. Dare to think big and differently!" -- From (http://blog.csoboard.com/cso/2007/07/security-excell.html)
When I shared the presentation "Leadership Lessons for Security Excellence" here on my blog a few weeks ago, I received many responses. Thank you to everyone for sharing your thoughts and providing feedback.
One of those responses, an email from a friend and colleague, really moved me. My friend shared that after working for 20 plus years in his particular industry, he felt his organization and industry didn't reward employees for thinking differently. Today, my friend is looking forward to leaving his organization in order to be able to explore this and other interests.
This made me think: why don't organizations reward employees for having the courage to think differently? However, those organizations that do reward employees are highly successful.
Allow me to illustrate. Google, which is considered one of the most admired companies, is so admired in part because Google rewards employees for being creative and thinking differently. Rewarding employees for thinking differently is not the only factor contributing to Google's financial performance. However, in the long run, I'm willing to bet that Google will be more successful than their competitors in terms of employee satisfaction, performance, and financial bottom line by allowing their employees to think differently.
In December 2004, as a CISO for a large non-profit health care system, I was invited to participate on a CISO/CSO panel presentation during the InfoSecurity Conference in New York City at the Jacob K. Javits Convention Center. This panel was comprised of CISOs/CSOs that included:
- Larry Brock, CISO, DuPont
- Mary Ann Davidson, CSO, Oracle
- Chris Hoff, CISO, WesCorp
- Gerhard Eschelbeck, CTO, Qualys
Pete Lindstrom, Director of Spire Security, was the moderator for the event. During our panel discussion of how organizations could best adapt to the threats of zero-day based security risks, I took the opportunity to share one of the ways we, as a health care system, took action and thought differently. Let me share with you what I shared then.
As a CISO in health care, I'd noticed that most health care information technology vendors had unclear or non-existent secure coding practices integrated into their software application development life cycles (SDLCs). At the health care system where I was working at the time, we decided, in conjunction with the Information Technology department, to mandate detailed questions and a review process in all RFPs for vendor evaluations. We questioned vendors in detail on the secure coding practices contained in their SDLCs.
While today most information security breaches occur at the application software layer, in 2004 most organizations (especially in the health care industry!!!) were not thinking about mitigating risks from that perspective. In this process, by being willing to question and make vendors accountable for secure coding practices in their SDLCs, we were miles ahead of most competitors in mitigating risks, including zero-day based risks!
I challenge you to think differently. Dare to think differently in your work and leadership. You may be surprised by the results. Wishing you the best on your new vision to think differently.

