“Taking action is the true motivator,” said John F. Kennedy. Actually, what he really said is “there are risks and costs to action. But they are far less than the long range risks of comfortable inaction.” A corollary of these is “leadership is action, not a position.” The point of all these catchy quotes is that they make you think about what is critical in a security posture.
Taking action gives you the means of focusing your efforts on what is truly important and what is not so important. This means that your actions are ultimately going to determine your security, not some position, not some statement, and not a written document. As important as security policy and security posture are, and I talk about them plenty, your need to take action is even more important.
Best Laid Plans
Have you ever noticed that there are so many well-thought-out plans out there? We have committees and teams all dedicated to coming up with a great plan. And many times they do exactly what they are supposed to do. So why is it that, many times, once these committees are done, everyone packs up and moves on, and the plan fails? Because the most critical part, the piece that gets left behind many times, is the execution: the implementation of the plan, who is responsible, and when it is going to be done. Those are the critical moments in any project, and data security is no different.
We get the plan in place and we leave the execution up to someone else. We leave it up to another guy, many times a subordinate. And without our leadership, this execution fails or does not even get started to begin with. That is the time when taking action is the most effective.
Execution And Security
Data security needs a plan, and it needs a policy to give that plan direction and a formalized process. That part we know by now. But once the plan is in place and the policies are written, now comes the important part: getting it moved off the paper and into the real world. This means leadership, as in the quote above: leadership is action, not a position. Leaders are measured by their actions and will be judged by them long after the project is finished.
So in a data security project, there are some questions you need to be asking. Who is going to implement this policy or that initiative? And who is responsible for its final implementation? Who is going to make sure that this information is communicated clearly to your entire team? What are the milestones of a successful implementation, and are these in the plan?
Has anyone ever heard the story from Sun Tzu in the classic “The Art Of War”? To paraphrase, he is brought before the emperor and asked about his legendary skill in organizing troops to fight a war and win. When he replies yes, the emperor is skeptical and asks Sun Tzu if he could train his concubines to drill correctly like an army. Sun Tzu says yes, and he gathers the concubines together and appoints a leader from the group. Then he starts to line them up and train them.
The concubines are giggling and laughing and goofing off. So Sun Tzu says, “It is my responsibility as a leader to make sure this little army is well organized and drilled to the dictates of the emperor.” So then Sun Tzu goes over to the drill leader, the main concubine, and chops off her head. The emperor is very upset because she was one of his favorites. But Sun Tzu says, “I take my responsibility very seriously, and so should your army.” The emperor was not laughing anymore. The concubines now drilled correctly and looked like a regular army. And the emperor now knew he had a general who could protect his country.
An extreme example, but it makes the point: leadership requires discipline and correct execution. It was not enough that Sun Tzu knew how to implement tactics to win in battle. He also needed to execute on them. The stakes are not nearly as high in business, but the lesson is a good one.