Paper 1
3/27/23, 10:07 PM Chapter 3 Defining the Security Management Organization | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/014-9781466551282-003.xhtml#sec43 18/64
There are seven key areas that information security officers should honestly evaluate themselves as to where they stand. Why seven? The reason is that the human mind has difficulty juggling more than seven things at once. Too many goals lead to frustration, confusion, hopelessness, and procrastination to start any of them. Narrowing the focus to a number of key areas and developing an action plan to build upon the strengths and enhance the areas needing improvement will contribute greatly to a security leader’s career. When a technical security analyst is faced with a situation where something does not work, the approach is to go to the documentation, manuals, and test; seek advice from colleagues; and try, try again until a solution is found. The same approach applies to enhancing leadership skills; it is an iterative process of trial and error, and focus on the discipline of leadership. Stephen Covey’s landmark book, The Seven Habits of Highly Effective People (2004), first explored the value of providing a seven-step, easy to comprehend method to achieve greater results. These competencies are not the soft skills noted in the earlier section, but rather represent the higher-level application of the soft skills toward organizational effectiveness. In other words, once the soft skills have been developed, the security leader should be able to use that knowledge to achieve greater results by practicing the seven competencies. The seven competencies for effective security leadership are shown in Figure 3.2.
Figure 3.2 Seven competencies of effective security leadership.
1. Understand the Organizational Culture
Organizations establish a culture or “the way things are done around here” that is unique to the organization. Culture is created over time based upon the past and present leadership, history, geographic dispersion, collaborative versus hierarchical decision making, profitability, industry regulations, and each individual person within the organization. Every individual brings their own unique set of values, backgrounds, experiences, and capabilities into the workplace every day; in other words, their own individual “culture.”
The effective security officer understands how the organization works, what is accepted and what is not. Do people normally bend the rules to get the job done? Does the organization reward taking chances for innovation or does it view those activities as violating the prescribed rules? Does a