Mission matters: watch your signals
I was at a company-wide all hands meeting and one of the executives came on stage to rally the troops, like you do. There was music, there was fanfare, there was applause and I probably wanted to be elsewhere. Not into the cyber-rockstar thing. Still, don’t let the show fool you – he was a sharp executive. Particularly in his understanding of capital market dynamics: the push and pull of investor confidence, industry headwinds and tailwinds, and the undercurrent of human emotion that fuels the availability of capital in the first place.
In the course of his address, the statement “our product is our stock price” happened to come out. No wait, that was on Silicon Valley. But close enough. Y’know, if you’re a shareholder… you’re damn right it is. In fact, if you’re at the company primarily because of your equity… that view is pretty compelling. If the stock price goes up, you win. It’s easy to align around that mission if you’re holding the right cards.
But what if you’re not? If you happen to be, say… on the security team, and your vested interest in the company revolves more around what it does for customers than what it yields to investors, what does that message do for you?
If you’re thinking “absolutely nothing,” it turns out it’s a little worse than that. You’ll come out of that all-hands even less motivated than you were when you walked in. Hearing that your company’s raison d’être is about putting dollars into already dollar-laden pockets is simply not a compelling message (or a compelling reason to come to work). A message like “we’re here to keep our customers safe,” or “we want to level the playing field,” or even “we’re here to stick our finger in Sauron’s eye or die trying,”… that’s what you’re there for.
Well, that’s great and all, but if you’re in charge of security at a larger company whose mission actually has nothing to do with security, then it falls on you to make sure your team understands that THEIR mission isn’t quite so transactional. Here are four things you can start working on today to set the tone for security in your organization that will have a lasting impact on your team.
1. Check compensation
Mission matters, but so do basic financials that allow for a place to live and eat. No, the world is not so simplistic as Maslow would have you believe, but you know as well as I how competitive the security space is. You can’t turn on a cyber Twitter feed without at least three “OMG TALENT SHORTAGE” headlines scrolling by these days. Over-dramatized clickbait as it may be, your security staff can likely get a job somewhere else and make more money at any point. Get access to market data and make sure you, your boss, and your HR team are educated on the realities of the security talent pool.
2. Define your mission and vision
Why do you exist? What exactly are your doing for your customers? How do you know when you’re successful? There’s no end of information about how to establish these so I’m not going to rehash that here, but it’s worth taking time out of your day, and with the support of your team, to ensure everyone is aligned on these two statements.
3. Check your culture
The #1 pitfall of mission/vision efforts at any company is not letting the words you write down alter behavior. Netflix captures this best in their deliberate, documented approach to culture. Do your decisions align with your culture? Do they align with your mission, and will they help you achieve your vision?
“Many companies have value statements, but often these written values are vague and ignored. The real values of a firm are shown by who gets rewarded or let go.”
4. Tell stories
It may feel a bit weird to jump from b-school propaganda to your kids’ pre-bedtime activities, but being able to tell a great story is an essential part of management in general… and especially important in high-stress, high-impact work like security analysis and incident response. Not only do stories allow your security team to relive and celebrate their achievements (versus pushing happiness past the cognitive horizon), it builds credibility across the organization and reminds everyone what they’re working for.
One step at a time
Realistically, there’s no shortage of work for you to tackle. Taking a step back to focus on something as high level as mission or vision might look like a waste of time. For some, “dealing with HR” is a trial unto itself that you’ll want to put off as long as possible.
If nothing else, you probably already have a staff meeting every week. Next week, add a story. If a particularly good one pops up, find a way to share it with teams outside your organization. Get a few wins under your belt and build up the energy to tackle some of the higher level (but likely more impactful) work of 1 – 3. Best of luck!