Characteristics of highly effective security leaders
IBM recently released its 2013
What strikes me about this list is how much it applies just as much to the boots-on-the-ground security practitioner as it does to the CISO. It's food for thought for IT security people at any level. The points that strike me the most are:
Establish A Strategy: Too many practitioners get caught up in the day-to-day grind, tactical issues and daily fire-drills. But to the maximum extent possible, practitioners need to think about the overall strategy, help define it, and _let the strategy define them_. In other words, prioritize your work choices according to the strategy. Of course, if a manager says, "go do this," you go do it. But you should always use the organization's strategy to shape your work when you can. Strategies are NOT just for the people at the top.
Build Trust: I think it was Dave Ramsey who said that anyone who doesn't think they're in the trust business isn't in business very long. Practitioners would do well to remember that. I'm not suggesting that security practitioners start wearing the dreaded suit and tie to work every day. But realize when you are making commitments on behalf of your organization, whether explicit or (and especially!) implied, because people remember failed commitments for a long time.
Focus On Overall Risk: This one is similar to Establish A Strategy, but it's more operational. Practitioners have to make tough choices every day about how to spend their time and how to spend their budget. Asking yourself which course of action is going to be best for reducing overall risk is a pretty good sorting mechanism. If you can break it down to the classic "probability times potential loss," great. If not, trust your gut.