Monday, November 14, 2016

Ken Hartman - Leadership Essay - Tryanny of the Urgent

I will not normally post SANS.EDU student work on my blog, but they are working on the web site right now and I wanted to show an example of a successful ISE 5600. I nominated this as an exemplar and it was accepted. 

Reasons for nomination:
- Quality writing, the 94 on Grammarly needs to take in account the places Grammarly is not correct. 
- Important topic.  Granted I may be biased, but I read the Hummel book of the same title back in college and it helped shape my decision making process for life.
- Topic consistency. Many students get lost in this assignment by writing about transformational leadership in general instead of an aspect of transformational leadership. 
Stephen

The Tyranny of the Urgent and the Transformational Security Leader
ISE 5600 Leadership Essay
Author: Kenneth G. Hartman, ken@kennethghartman.com
Advisor: Stephen Northcutt
Accepted: November 1, 2016

Abstract
In many companies, the information security team has minimal resources and operates in a very reactive mode, moving from one crisis to another. Without strong transformational leadership, information security teams can become victims of the tyranny of the urgent. Recent cross-disciplinary research in brain function and evolutionary psychology can serve as a powerful motivation model for transformational leadership. This type of leadership enables a security leader to construct transformational experiences that elevate an organization’s security posture while meeting the individual needs of colleagues and thus preventing burnout in the process.


Introduction

Security executives face unprecedented challenges as the landscape of information security shifts via rapid developments in technology and the growing sophistication of threat actors (LookingGlass Cyber Solutions, 2016). In many companies, the information security team has minimal resources and operates in a very reactive mode, moving from one crisis to another (LookingGlass Cyber Solutions, 2016). However, not every urgent activity is truly important or will have a lasting impact on the destiny of an organization or its people. Charles E. Hummel (1967) coined the phrase “tyranny of the urgent” to succinctly express this realization in a pamphlet he authored, writing, “The urgent task calls for instant action…the momentary appeal of these tasks is irresistible and important, and they devour our energy” (p. 4).
How can a security manager cope with the tyranny of the urgent? Managers must use principles of transformational leadership.  James M. Burns (1978) first articulated the notion of the transformational leader by contrasting it to a transactional leader who grants and withholds rewards. Transformational leaders develop followers into leaders through empowerment and aligning the goals and objectives of the follower with those of the leader and the organization (Bass & Riggio, 2008).
The following sections aspire to create a compelling model for positive change in the day-to-day operation of a security program that a transformational security leader can start to employ immediately.  The Covey Time Management Matrix, discussed below, can be used to differentiate between different types of urgent and important tasks.  Burnout can occur when one attends to the urgent tasks required by the organization at the expense of his or her needs.  By using the matrix and insights from recent research into human motivation, the transformational security leader can create experiences that empower their followers to satisfy their drives in the process of meeting the organization’s critical needs.  

Covey Time Management Matrix

In his classic work, First Things First, Stephen Covey (1994) builds upon Hummel’s ideas concerning the tyranny of the urgent with his Time Management Matrix, shown in Figure 1.

Urgent
Not Urgent
Important
Quadrant I
Quadrant II
Crisis
Preparation
Pressing problems
Prevention
Deadline-driven projects,
Values Clarification

meetings, preparations
Planning


Relationship building


True re-creation


Empowerment




Not Important
Quadrant III
Quadrant IV
Interruptions, some
Trivia, busywork

phone calls
Junk mail
Some mail, some reports
Some phone calls
Some meetings
Time wasters
Many proximate
"Escape" activities

pressing matters


Many popular activities


© 1994 Covey Leadership Center, Inc.

Figure 1. Covey Time Management Matrix

In this book, Covey (1994) elaborates on the addictive nature of urgency:
We get a temporary high from solving urgent and important crisis. Then when the importance isn’t there, the urgency fix is so powerful, we are drawn to anything urgent, just to stay in motion. People expect us to be busy, overworked. It’s become a status symbol in our society—if we are busy, we’re important; if we’re not busy, we’re almost embarrassed to admit it…It’s also a good excuse for not dealing with the first things in our lives (p. 4).
Covey explains that in Quadrant I, we use our expertise to solve pressing business needs. He states that procrastinating or neglecting Quadrant II activities may cause them to become urgent. Quadrant III activities masquerade as important because of their urgency. These activities are only important to someone else — if they are even important at all. The Time Management Matrix allows one to evaluate how he or she is spending precious time (Covey, 1994).
If a security professional is a victim of the tyranny of the urgent, that person may neglect to create important relationships, perform necessary strategic planning, or take actions that are needed to give their work meaning.  Transformational security leaders recognize the importance of Quadrant II activities for themselves and their teams.

Urgent Security Matters and Burnout

Security professionals must be ready to respond to security incidents and the never-ending stream of new vulnerabilities at a moment’s notice. On top of this responsibility, they are also charged with the tasks of remediating findings from compliance auditors and performing application security reviews for teams that aggressively pursue opportunities for business growth (Hartman, 2015). These urgent tasks generally fall into Quadrant I (Important and Urgent) of the Covey Time Management Matrix. Unfortunately, sometimes these pressing demands fall into Quadrant III (Urgent but Not Important) relative to the individual security professional’s sense of purpose and meaning. These activities may be critical to the survival of the business but can crowd out the individual’s personal and professional self-care.
As a profession, information security requires long hours and a constant need to upgrade individual skills. The job is often thankless; yet, there is little room for mistakes (Leite, 2011). Improving oneself is a Quadrant II activity, which is frequently neglected due to the tyranny of the urgent causing frustration to many information security professionals.
These realities in the information security field can lead to burnout, as claimed by panelists at the 2012 RSA Conference. Information security can be an isolating profession that, at times, seems at odds with the growth agenda of an organization. Joshua Corman from Akamai Technologies stated, “We spend so much time worrying about malware and woes in this industry that we forget to take care of each other” (as cited in Goodchild, 2012).  These sentiments make the inclusion of transformational leadership in security management more critical than ever.  Transformational security leaders take care of their needs and the needs of their followers—not just the pressing needs of the organization.
Some perceive that the security profession promotes paranoia, highlighting that security agendas often adopt a negative frame to justify projects while other parts of the organization improve productivity and generate new business. Often, there is not a clear win for the security professional, unlike there is for doctors, trial lawyers, and firefighters who are also in high-stress occupations (Korolov, 2015).
Based on his review of a broad mix of philosophical and religious literature, Covey (1994) claimed that we all have four fundamental needs, “to live, to love, to learn, to leave a legacy” (p. 45). Meeting these needs is clearly a Quadrant II (Important but not urgent) activity. When one fails to satisfy these personal needs, he or she is deprived of a sense of purpose and will begin to experience symptoms typically associated with burnout (Covey, 1994).  These symptoms can include exhaustion, cynicism, doubts about one’s ability to deliver results, and even rage in more extreme cases (Goodchild, 2012).

Transformational Leaders and Motivation

While burnout and the tyranny of the urgent can create a bleak picture of the information security industry, it creates a unique opportunity for a transformational security leader to make a significant and positive difference.
Recent cross-disciplinary research in brain function and evolutionary psychology confirms Covey’s assertion regarding our four fundamental needs. This new research can serve as a powerful motivational model to the cognizant security leader. A Harvard Business Review (HBR) article citing this brain research claims that humans are hardwired with four drives that influence behavior and emotions (Nohria, Groysberg, & Lee, 2008). Nohria et al. (2008) examined each of these four drives using the following indicators: engagement, satisfaction, commitment, and intention to quit. Given the current state of turnover and the shortage of security professionals (Korolov, 2015), these indicators should be of interest to the astute security leader attempting to combat burnout on the security team. Furthermore, Nohria et al. (2008) claim that their research revealed that an individual manager has significant influence over the way employees satisfy the four hardwired drives that underlie motivation, which include: The Drive to Acquire, The Drive to Bond, the Drive to Comprehend, and the Drive to Defend.

The Drive to Acquire

Humans are all driven to acquire scarce resources, including shelter, clothing, food, and money. The satisfaction we feel when meeting this innate human drive seems to be based on one’s comparison with what others possess. However, this drive cannot be fully satiated because humans always want more. Nohria et al. (2008) point out that the drive to acquire is not limited to physical goods, but also extends to experiences and events that improve social status.

The Drive to Bond

Like many animals, humans have a drive to bond within groups and collectives. When this need to bond with others is met, it evokes positive emotions of love and caring. However, when the drive to bond is unfulfilled, individuals feel loneliness, alienation, and lack of purpose. Nohria et al. (2008) claim that this explains why motivation increases if employees are proud to belong to an organization. It also explains why betrayal by the group devastates morale.

The Drive to Comprehend

There is a human need to make sense of the world, to create meaning out of the events in our lives, and to produce theories and rational explanations. People tend to get frustrated when things seem senseless but are invigorated by working out the answers. The drive to comprehend explains why employees are motivated by challenges and opportunities to learn and grow. It also explains why employees with talent will change jobs if they no longer feel stretched (Nohria et al., 2008).

The Drive to Defend

Like many animals, humans have a fight-or-flight instinct, but the drive to defend is more than the tendency to protect property and loved ones from external threats through either defensive or aggressive behavior. The drive to defend extends to defending one’s reputation and legacy. This drive also includes the need to promote justice and to create a safe environment to allow each other to express opinions and ideas. The drive to defend explains why people resist change. When one has not met their need to defend properly, feelings of resentment, fear, and other strong negative emotions will manifest. Conversely, when the drive to defend is satisfied, one feels a sense of confidence and security (Nohria et al., 2008).

Creating Transformational Experiences

A security leader equipped with insight about the Covey Time Management Matrix and the nature of the four hardwired drives is in a unique position to construct transformational experiences that elevate an organization’s security posture while also meeting the individual needs of his or her followers.
The fact that so many security professionals face burnout is particularly troubling because many motivated and skilled people are initially attracted to the field of information security due to one more of the following reasons:
·      The allure of acquiring hacking skills, and getting paid a competitive wage;
·      An opportunity to secure and defend an organization that is committed to them;
·      Networking (bonding) with peers and the security celebrities who speak at security conferences; and
·      An interest in trying to comprehend the latest security research and threats. (Bird, 2013)
Pine and Gilmore’s (1999) book, Experience Economy, recognizes that economic activity has been shifting away from goods and services toward transformational experiences. While the thrust of their book is about creating transformational experiences for customers, their insights are equally applicable to employees. Pine and Gilmore note that clients seek out transformational experiences, like attending business school or a martial arts program, to become different, changed, and transformed:
When you customize an experience to make it just right for an individual—providing exactly what he or she needs right now—you cannot help changing that individual. When you customize an experience, you automatically turn it into a transformation. (p. 165)
If a security leader wishes to attract and retain motivated followers to help secure and defend the organization, the leader should craft transformational experiences that create opportunities for high performers to distinguish themselves and receive the deserved acclaim and performance rewards. Although rewards should discriminate between high and poor performance, this should not come at the expense of collaboration and teamwork. The security leader must foster an atmosphere of camaraderie and even friendship out of recognition of everyone’s human need to bond. The transformational security leader must craft experiences for followers that encourage continuous learning and reward knowledge transfer back to the organization, making it more secure in the process. Lastly, why not tap into everyone’s natural drive to defend? Focus that need on securing the organization rather than defending oneself from ad hominem attacks (Nohria et al., 2008). The transformational security leader must allocate time to perform “important but not urgent” (Quadrant II) and nurturing activities in an intentional manner, or they will be crowded out by the crisis of the day.

Enjoying the Journey

Transformational experiences are much like a journey. They are guided by a leader but are still very much an individual process (Pine & Gilmore, 1999). Why not enjoy the process? Mark it with milestones and take the time to celebrate the important landmarks. Recent research shows that sharing experiences makes them more intense (Boothby, Clark, & Bargh, 2014) and reduces feelings of isolation (Cooney, Gilbert, & Wilson, 2014).
Lastly, security leaders should not let the tyranny of the urgent prevent them from recognizing that the security professionals they influence are some of the most committed, adaptive, and driven people in their organization.  Instead, the transformational security leader should use the Covey Time Management Matrix to focus the commitment and drive of their followers by crafting experiences that challenge individuals to meet their innate needs to acquire, bond, comprehend, and defend in such a way that the outcomes of these experiences meet pressing organizational needs in the process.




References

Bass, B. M., & Riggio, R. E. (2008). Transformational leadership. Mahwah, NJ: Lawrence Erlbaum Associates.
Bird, K. (2013). Expert advice on why you should work in information security ... Now. Retrieved from http://www.rasmussen.edu/degrees/technology/blog/expert-advice-why-work-in-information-security/
Boothby, E. J., Clark, M., & Bargh, J. A. (2014). Shared experiences are amplified. Psychological Science, 25(12), 2209-2216.
Burns, J. M. (1978). Leadership. New York, NY: Harper & Row.
Cooney, G., Gilbert, D. T., & Wilson, T. D. (2014). The unforeseen costs of extraordinary experience. Psychological Science, 25(12), 2259-2265.
Covey, S. R. (1994). First things first. New York, NY: Simon & Schuster.
Goodchild, J. (2012). RSA conference 2012: Stress and burnout in infosec careers. Retrieved from http://www.csoonline.com/article/2131034/security-leadership/rsa-conference-2012--stress-and-burnout-in-infosec-careers.html
Hartman, K. G. (2015). What every tech startup should know about security, privacy, and compliance. Retrieved from https://www.sans.org/reading-room/whitepapers/compliance/tech-startup-about-security-privacy-compliance-35792
Hummel, C. E. (1967). Tyranny of the urgent! Downers Grove, IL: InterVarsity Press.
International Organization of Standardization (ISO). (2013). Information technology–Security techniques–Code of practice for information security controls Switzerland. IEC 27002: 2013 (EN). Geneva, Switzerland: ISO/IEC.
Korolov, M. (2015). CSO burnout biggest factor in infosec talent shortage. Retrieved from http://www.csoonline.com/article/2977604/infosec-staffing/cso-burnout-biggest-factor-in-infosec-talent-shortage.html
Leite, A. D. (2011). 6 reasons why you should NOT work with information security. Retrieved from http://www.myinfosecjob.com/2011/08/6-reasons-why-you-should-not-work-with-information-security/
LookingGlass. (2016). Information security threat landscape: Recent trends and 2016 outlook . Retrieved from https://www.lookingglasscyber.com/wp-content/uploads/2016/04/LookingGlass-2016-Information-Security-Whitepaper.pdf
Nohria, N., Groysberg, B., & Lee, L. E. (2008). Employee motivation. Harvard Business Review, 86(7/8), 78-84.

Pine, B., & Gilmore, J. H. (1999). The experience economy: Work is theatre & every business a stage: Goods and services are no longer enough. Boston, MA: Harvard Business School Press.

1 comment: