The Brandeis GPS blog

Insights on online learning, tips for finding balance, and news and updates from Brandeis GPS

Tag: decision makers

20 Mantras Great Leaders Live By Every Day

Written by James Curtiss

This post originally appeared on the Sales section of Inbound Hub. To read more content like this, subscribe to Sales.

Leadership can be a difficult characteristic to understand. Which qualities make someone a good leader? Do those same qualities translate to all aspects of life, or can a person successfully lead a sports team but fail in the boardroom? Are people born leaders, or can anyone inspire others to follow them?

I won’t pretend to know the answers to these questions, and I doubt that many people do.

But when I think about what it takes to be an effective leader, I am invariably reminded of late summer conversations with my grandfather on the deck of his home on the island of Martha’s Vineyard. We talked about anything and everything together — from the current state of Red Sox Nation to the most effective technique for shucking the cherrystone clams we collected earlier that day. But, on occasion, the discussion would drift towards more business-oriented topics and I got a free lesson in leadership studies from one of the very best.

To provide a little background, Don Davis, my grandfather, left a distinguished career in corporate America in 1988 to pursue his “retirement” as a professor at MIT’s Leaders for Global Operations program. During his 22-year tenure at the school, he shared the lessons he learned from his time in business and inspired more than a few of today’s most influential leaders.

As I am sure any of his former students will tell you, it would be nearly impossible to boil down all of his lessons into a single blog post. Fortunately, those same students were kind enough to compile a Memory Book after he passed away in order to share some of his most important teachings, namely the 20 leadership mantras that were core to his curriculum.

Here are those 20 mantras, along with some insight from our Martha’s Vineyard discussions. (For a more personal explanation of how these mantras helped various students succeed in business, you can find the Memory Book in its entirety here.)

1) Leaders don’t choose their followers. Followers choose their leaders.

One cannot simply choose to lead a group of people. You may be a leader in title, but you’re not a legitimate leader if your followers do not believe in you and your vision.

2) Followers choose leaders they trust, respect, and feel comfortable with.

If you don’t have the trust and respect of your followers, how are you supposed to make the connection necessary to inspire them to achieve great things?

3) Be yourself. The number of leadership styles is limitless.

There is no scientific formula for what makes a good leader, only a belief in your own ability as well as the ability of your followers to be successful.

4) Leaders need a base of power and authority — but the more they use it, the less there is left.

Needless to say, effective leadership requires a certain amount of authority. Like most forms of capital, that power is finite. Use it sparingly and only when necessary.

5) The best leadership is based on persuasion.

Anyone can have a vision. Leaders have the ability to persuade others to believe in their vision.

6) Leaders set the ethical standards and tone of their organizations by their behavior.

As a leader, you set the example. Don’t do anything that you wouldn’t want printed on the cover of the New York Times. Your followers are avid readers.

7) Integrity is the bedrock of effective leadership. Only you can lose your integrity.

Unethical behavior is a slippery slope. Avoid the slope at all costs because everyone slips.

8) “Selfship” is the enemy of leadership.

A true leader cares more about the success of his/her followers than their own success.

9) Be quick to praise, but slow to admonish. Praise in public, but admonish in private.

If you’re going to praise someone, do it big. If you’re going to reprimand, make sure it is warranted and do so in a respectful manner.

10) One of a leader’s key responsibilities is stamping out self-serving politics when they emerge.

As a leader, your job is to inspire the entire group. No single person is bigger than the group, not even the leader.

11) Be sure to know as much as possible about the people you are leading.

How can you inspire someone if you don’t know what motivates them?

12) One manages things, but people lead people.

It may be a bit cliché, but at the end of the day, followers are human beings. Don’t lose sight of that reality.

13) Diversity in an organization is not only legally required and socially desired — it’s also effective.

Every problem, obstacle, or issue has a different solution. Different perspectives make it much easier to identify the right solution.

14) Leadership should be viewed as stewardship.

Leader and teacher are synonyms, even if the Thesaurus tool in Microsoft Word doesn’t agree.

15) Don’t make tough decisions until you need to. Most will solve themselves with time.

Procrastination isn’t always a negative tendency. Don’t jump to conclusions. Sometimes you just have to give the problem time to work itself out.

16) When making decisions about people, listen to your gut.

Believe in your ability to identify the right talent. It’s your vision, so you should be able to recognize when a person embodies that vision.

17) People can see through manipulation and game-playing. Everyone can spot a phony.

This goes back to the mutual respect and trust that must exist between a leader and follower. Don’t undermine that mutual respect via manipulation. You’ll lose followers.

18) Learn to say, out loud, “I was wrong” and “I don’t know.”

You may be a leader, but you’re not omniscient. Don’t pretend to be.

19) If you know a plan or decision is wrong, don’t implement it. Instead, keep talking.

Don’t try to jam a square peg in a circular hole. Work with your team to figure out a way to round the edges of the peg so it fits properly.

20) Each of us has potential to lead, follow or be an individual contributor.

Potential is limitless and everyone has the ability to contribute to the success of a particular vision. It all depends on how strongly they believe in that vision.

There is no recipe for what makes a good leader, but these mantras can provide valuable guidelines. I wouldn’t trade those talks on the deck for anything.


Fuzzy Math: The Security Risk Model That’s Actually About Risk

By: Derek Brink

Sharpen your number two pencils everyone and use the following estimates to build a simple risk model:

  • Average number of incidents: 12.5 incidents per month (each incident affects 1 user)
  • Average loss of productivity: 3.0 hours per incident
  • Average fully loaded cost per user: $72 per hour

Based on this information, what can your risk model tell me about the security risk?

My guess is that your initial answer is something along the lines of “the average business impact is $2,700 per month,” which you obtained by the following calculation:

12.5 incidents/month * 3.0 hours/incident * $72/hour = $2,700/month

But in fact, this tells us almost nothing about the risk—remember that risk is defined as the likelihood of the incident, as well as the magnitude of the resulting business impact. If we aren’t talking about probabilities and magnitudes, we aren’t talking about risks! (We can’t even say that 50% of the time the business impact will be greater than $2,700, and 50% of the time it will be less—that would be the median, not the mean or average. Even if we could, how useful would that really be to the decision maker?)

Let’s stay with this simplistic example, and say that your subject matter experts actually provided you with the following estimates:

  • Number of incidents: between 11 and 14 per month
  • Loss of productivity: between 1 and 5 hours per incident
  • Fully loaded cost per user: between $24 and $120 per hour

This is much more realistic. As we have discussed in “What Are Security Professionals Afraid Of?,” the values we have to work with are generally not certain. If we knew with certainty what was going to happen and how big an impact it would have, it wouldn’t be a risk!

Based on these estimates, what would your risk model look like now?

For many of us, our first instinct would be to use the average for each of the three ranges to compute an “expected value”, which is of course exactly the result that we got before.

Some of us might try to be more ambitious, and compute an “expected case,” a “low case,” and a “high case”—by using the average and the two extremes of the three ranges:

  • Expected case = 12.5 * 3.0 * $72 = $2,700/month
  • Low case = 11 * 1.0 * $24 = $260/month
  • High case = 14 * 5.0 * $120 = $8,400/month

It would be tempting to say that the business impact could be “as low as $260/month or as high as $8,400/month, with an expected value of $2,700/month.” But again, this does not tell us about risk. What is the probability of the low case, or the high case? What is the likelihood that the business impact will be more than $3,000 per month, which happens to be our decision-maker’s appetite for risk?

Further, we would be ignoring the fact that the three ranges in our simple risk model actually move independently—i.e., it isn’t logical to assume that fewer incidents will always be of shorter duration and lower hourly cost, or the converse.

Unfortunately, this is the point at which so many security professionals throw up their hands at the difficulty of measuring security risks and either fall back into the trap of techie-talk or gravitate towards qualitative 5×5 “risk maps.”

The solution to this problem is to apply a proven, widely used approach to risk modeling called Monte Carlo simulation. In a nutshell, we can carry out the computations for many (say, a thousand, or ten thousand) scenarios, each of which uses a random value from our estimated ranges. The results of these computations are likewise not a single, static number; the output is also a range and distribution, from which we can readily describe both probabilities and magnitudes—exactly what we are looking for!

Staying with our same simplistic example, we can use those estimates provided by our subject matter experts plus the selection of a logical distribution for each range. Here are my choices:

  • Number of incidents: Between 11 and 14 incidents per month—I will use a uniform distribution, meaning that any value between 11 and 14 is equally likely.
  • Loss of productivity: Between 1 and 5 hours per incident—I will use a normal distribution (the familiar bell-shaped curve), meaning that the values are most likely to be around the midpoint of the range.
  • Fully loaded cost per user: Between $24 and $120 per hour—I will use a triangular distribution, to reflect the fact that the majority of users are at the lower end of the pay scale, while still accommodating the fact that incidents will sometimes happen to the most highly paid individuals.

The following graphic provides a visual representation of the three approaches.

Based on a Monte Carlo simulation with one thousand iterations—performed by using standard functions available in an Excel spreadsheet—we can advise our business decision makers with the following risk-based statements:

  • There is a 90% chance that the business impact will be between $500 and $4,500 per month.
  • There is an 80% likelihood that the business impact will be greater than $1,000 per month.
  • The mean (average) business impact is about $2,100 per month—note how this is significantly lower than the $2,700 figure computed earlier; the difference is in the use of the asymmetrical triangular distribution for one of the variables.
  • There is a 20% likelihood that the business impact will be greater than $3,000 per month.
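
The simulation described above, written as an added Python example rather than the author's Excel spreadsheet. The spread of the lost-hours distribution (the 1 to 5 hour range read as a 90% interval, with draws outside it redrawn), the $24 peak of the triangular distribution, the seed and the iteration count are assumptions, so the output is comparable to, not a reproduction of, the figures quoted in the post.

```python
import random
import statistics

# Ranges are the subject-matter-expert estimates quoted in the post.
INCIDENTS = (11.0, 14.0)  # per month, uniform
HOURS = (1.0, 5.0)        # lost per incident, normal around the midpoint
COST = (24.0, 120.0)      # dollars per hour, triangular

# Assumptions of this example (the post does not state them):
HOURS_SD = (HOURS[1] - HOURS[0]) / (2 * 1.645)  # range read as a 90% interval
COST_MODE = COST[0]       # peak of the triangle at the low end of the pay scale

def sample_hours(rng):
    """Normal draw, redrawn until it falls inside the estimated range."""
    mid = (HOURS[0] + HOURS[1]) / 2
    while True:
        hours = rng.gauss(mid, HOURS_SD)
        if HOURS[0] <= hours <= HOURS[1]:
            return hours

def simulate(iterations=10_000, seed=1):
    """Return one simulated business impact (dollars/month) per iteration."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    return [
        rng.uniform(*INCIDENTS)
        * sample_hours(rng)
        * rng.triangular(COST[0], COST[1], COST_MODE)
        for _ in range(iterations)
    ]

def prob_exceeds(impacts, threshold):
    """Fraction of simulated months whose impact exceeds the threshold."""
    return sum(x > threshold for x in impacts) / len(impacts)

def summarize(impacts, appetite=3000):
    """Probabilities and magnitudes a decision maker can act on."""
    cuts = statistics.quantiles(impacts, n=20)  # 5%, 10%, ..., 95% cut points
    return {
        "mean": statistics.fmean(impacts),
        "p5": cuts[0],
        "p95": cuts[-1],
        "p_over_1000": prob_exceeds(impacts, 1000),
        "p_over_appetite": prob_exceeds(impacts, appetite),
    }

if __name__ == "__main__":
    for name, value in summarize(simulate()).items():
        print(f"{name:>16}: {value:,.2f}")
```

Because the three inputs are drawn independently, the mean converges on 12.5 × 3.0 × $56 = $2,100, where $56 is the mean of a triangular distribution over $24 to $120 that peaks at $24.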

If warranted, we can try to reduce the uncertainty of this analysis even further by improving the estimates in our risk model. (There will be more to come, in upcoming blogs, on that.)

What to do, of course, depends entirely on each organization’s appetite for risk. But as security professionals, we will have done our jobs, in a way that’s actually useful to the business decision maker.

About the Author:

Derek E. Brink, CISSP is a Vice President and Research Fellow covering topics in IT Security and IT GRC for Aberdeen Group, a Harte-Hanks Company. He is also an adjunct faculty with Brandeis University, Graduate Professional Studies teaching courses in our Information Security Program. For more blog posts by Derek, please see  and
