The 7 habits of highly effective information security leaders

The balance between operational efficiency and information assurance presents some special challenges.  On one side of the scale, business operations need to be as efficient as possible to meet company objectives.  On the other side, information security professionals seek to secure sensitive and critical information assets to protect the business, its customers, its employees, and its investors.  These two efforts have an inverse relationship; as one increases, the other decreases.  So what’s the answer?  How do we reconcile these two opposing forces?

In the March 2007 issue of the Communications of the ACM there is an article by Stephen J. Andriole that I believe can help with these challenges (“The 7 Habits of Highly Effective Technology Leaders”, p. 67).  I borrowed from that article Andriole’s 7 habits of highly effective technology leaders and adapted them in an effort to differentiate security managers from security leaders.  It’s the security leader who can strike the right balance between business need and information asset protection.

Habit #1:  Information security leaders focus on business models and processes before they focus on security infrastructure or applications.

Too often security managers run out and implement the list of controls, both hardware and software, currently evangelized in the press or by their peers.  The security leader pauses before jumping on the passing bandwagon. 

She assesses the security controls that are reasonable and appropriate given the operational realities of the business.  This is typically done by performing risk assessments and then comparing the cost of remediation in both hard dollars and productivity to the actual business impact of related security incidents.  Risk mitigation objectives then become outcomes for which processes must be designed and implemented.  As with general technology solutions, achieving the right level of information assurance begins with the right processes targeting defined outcomes.

Habit #2: Information security leaders track technology that matters by focusing on the distinction between operational and strategic technology…

Figure 1 depicts Andriole’s operational and strategic technology layers.  According to Andriole, the bottom two layers are commodities.  They add little or no competitive advantage to the business.  The top two layers, if properly aligned with business strategy, can provide significant advantage over the competition.


Figure 1: Andriole's operational and strategic technology layers


Just as business applications and solutions move the business forward, security solutions must contribute to that forward momentum.  Security solutions should enable the business to reach its strategic goals by protecting the integrity and availability of information assets.  Further, confidentiality of customer information must be preserved to protect the company brand.  However, these objectives must be reached in a way that works in concert with operational processes.

Habit #3: Information security leaders identify and prioritize business pain—and approaches to pain relief—as they move toward the creation of business pleasure.

Security leaders must speak the language of business.  They must develop the types of relationships with business leaders that allow them to understand the pain felt when the wrong security controls are put in place or when security controls are absent.

Business leaders are moving toward more efficient ways to achieve business results through things like cost reduction and increased customer satisfaction.  A security leader understands these concerns and works closely with business leaders to achieve the right level of information assurance while acting as a partner in pain relief.

Habit #4: Information security leaders optimize the value of shared services in centralized and decentralized companies, and they organize around the distinction between operational and strategic technology.  Security leaders also champion governance above and below the operational/strategic line.

It’s a common mistake for security managers to develop solutions that resolve an assurance challenge for a single line of business without taking the time to step back and see the bigger picture.  The security leader works with business technology governance teams to ensure solution design that maximizes business value.  This is often accomplished by implementing a single solution that solves multiple issues across departments or lines of business at nearly the same cost as implementing it for a single entity within the organization.  In other words, security leaders attempt to address the concerns of the forest rather than those of one or two trees.

Habit #5: Information security leaders manage computing and communications infrastructure security professionally and cost-effectively through negotiated service level agreements (SLAs) and measurement best practices.

It’s always a good idea for a security leader to understand the expectations of the business leaders he supports.  These expectations should be set down in one or more SLAs.  Metrics must be created to measure the success rate with which service level objectives are met.  A guide to creating and reporting security metrics can be found at

Habit #6: Information security leaders communicate often and predictably; leaders communicate good news and bad news in business terms…

In a large number of businesses, the successes and failures of the security team go unnoticed until there is a significant security incident.  This is a fast track to unemployment for the responsible security manager.  The security leader reports both successes and failures by representing the relative impact on the business.  Further, she provides business management with action plans for remediation of less than optimal results.

Habit #7: Information security leaders actively market their roles in the company as well as security’s ongoing contribution to the business…

One of the worst mistakes a security manager can make is to fail to continuously sell the importance of security throughout the IS department, corporate departments, and all lines of business.  Awareness of the importance of security translates into awareness of the value of the security team and of the policies, standards, and guidelines it enforces.  Proper marketing of successful security outcomes can result in the security leader getting a “seat at the table” where he can help build information assurance into strategic objectives.


Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...


Except for the "leader" crap. How do you regard the rest of us -- as Chilean miners, not knowing what to do and helpless, until you speak that word, "leader"? Jesus, am I tired of that word, "leader". Leave it out.


The most difficult part of my job as IT Mgr at a small firm is to obtain any specific information from the owners as to what the security goals are. I don't know if they do not understand what they want, or if the lack of communication is a result of their (openly expressed) view that IT is an annoying, but unfortunately necessary, part of the business environment. Do others have this experience?


The ones that, freshly measured, are ahead? The ones that, leash in hand, take us for draggies in the park? The ones that, hand inside coat, point towards the horizon and say "fetch"!? But Jesus can't help you; instead he suffers, bears and forgives. Leading by example ;)


Absolutely. That's part of the reason I prefer to deal with upper management as a consultant rather than an employee. As an employee, you have to play corporate politics games, and use buzzwordisms like the contents of this blog post, to try to maneuver the higher-ups into a position where they think they're informed, and make intelligent decisions. If you fail to "handle" your bosses that way in most corporations, you end up at the receiving end of the blame stick. As an outside consultant, when brought in to deal with network security policy and architecture, you can "call it like it is" more freely because your client is not the only source of revenue you'll see this week. They come to you for help -- you don't go to them for a paycheck and the hope they'll keep you around. Also, the old "familiarity breeds contempt" saw comes into play, in that they tend to ignore your opinions as a known factor if you're an employee, but as a consultant you're the mysterious expert who can solve all their ills. Some consultants take advantage of this to rip off customers while looking like heroes. My favorite result is to jointly look like a hero along with the internal IT guys, arriving at a mutually beneficial result that aids everyone in the end, including the poor beleaguered guy in IT who has probably been trying to tell the VP that a $40,000 Java ERP solution is not the solution to the ills of a company that just needs an extra file cabinet for months, and that a backup server is not a waste of money. I've been on both sides of the IT professional street, after all. I kinda started drifting off-topic. I'll try to pull it all together: Yes, I've had that sort of problem in the past. You need skills at "handling" people -- playing them like a piano -- to get many corporate execs to provide any kind of useful guidelines, as opposed to buzzwords and insane notions built on the latest advertisements for vertically integrated vendor stacks. 
As a regular employee, the best way to get good policy and good requirements specifications is to make them up yourself, then get the execs to think they were all their ideas in the first place. It's a delicate task, and one for which I haven't much patience. As a consultant, just ensure you get to talk to everyone, and don't give a final recommendation until you've talked to the people that might actually know something concrete -- which includes the internal IT department.
