Patrick Lencioni is a leading management consultant who has written several books and appeared in the Harvard Business Review. John Hartmann is a leading security practitioner at Cardinal Health. CSO brought these leaders together to tackle the tough questions on a tough problem: effective management in security.
When we asked Cardinal Health's security chief John Hartmann whom he'd like to see us interview, we weren't surprised to see former US Federal Bureau of Investigation head Louis Freeh on his list. But we were surprised to see Patrick Lencioni. Turns out Hartmann took five pages of notes while reading The Five Temptations of the CEO, one of Lencioni's books on effective management. What questions would a CSO pose to a management guru? We asked Hartmann to do the interview himself, with CSO Senior Writer Scott Berinato moderating. Excerpts from the conversation follow.
John Hartmann: Patrick, the CSO deals with a slew of issues that aren't easily communicated. You've said that often things aren't necessarily complicated, but people make them complicated.
Patrick Lencioni: Right. People overcomplicate things sometimes because they're overeducated or because they're looking for a silver bullet or a subtle, sleek solution to a problem, when what is really needed is consistent mastering of some simple behaviours over a long period of time. Unfortunately, when it's simple, people sometimes get bored with it, and they think, Well, there must be something more here, which is difficult to prevent from happening. So success is simple, but simplicity is difficult.
The best companies are not the most intellectually sophisticated and complex ones. It's the ones that have the courage to make things simple. Jack Welch, they said, had five major initiatives in 25 years. Most companies have five major initiatives every quarter.
CSO: Is security particularly vulnerable to this overcomplicating? Technically it is quite complicated, even if management of it shouldn't be.
Lencioni: Yes. It's easy to fall prey to the flavour of the day because there's always a new product coming out. But the first place where security is important is in attitude and behaviour. I would take a company with a security mentality but slightly outdated technology over one with great technology but not the security attitude.
Hartmann: Developing a consensus across the decentralized organization is a huge challenge for many don't think that it's usually a good thing. When it comes about naturally that's wonderful, but generally, consensus is a way of ensuring mediocrity. You need conflict, an airing of opinions so that the leader of the organization can make a decision having factored in all of the various ideas and opinions of all the constituencies. But the leader should not try to make a decision that pleases everyone. Consensus is trying to develop a decision that's equally palatable to everyone or, often, equally unpalatable. Consensus fails to meet anyone's desires, but it does so equally, and so it's accepted. And that's how we get mediocrity.
Consensus is particularly bad in security because nobody wins any award for keeping his constituents happy if it means not delivering security. It's like, if you wait until there's consensus—
Hartmann: You've waited too long. Let's swap the word consensus for implementing standards.
Lencioni: Yes. Somebody has to dictate the final decision. And the only way to do that is to invite and, in fact, demand conflict up front. Waiting until later is a way to doom an effort. If there's been enough conflict constituents will accept that decision.
CSO: So John, the CSO will be that person making the final decision after getting a lot of conflicting opinions. And conflict is good here?
Hartmann: It is.
CSO: But that sounds like it invites a new management issue. There will be people who—if the final decision John makes is not to their liking—are going to be put off by that. Others just don't handle conflict well.
Lencioni: Right. What has to precede conflict is the building of trust. When people trust that the other people are not trying to be selfish or hurt someone else, then there's going to be the ability to engage in conflict without it turning personal or vindictive.
Hartmann: And I think the model that I've seen work well before is where you lay your assumptions and your biases out on the table in advance.
Lencioni: Absolutely. I talk about vulnerability-based trust. And that means you're willing to say, OK, I clearly have this bias, this experience, this self-interest. Now, having stated that, let's talk about this and make the right decision.
Hartmann: I know you've written also about building teams. What advice can you give CSOs who often find themselves in a decentralized organization, drawing on skills and opinions of folks from legal, from human resources, from risk management and so forth?
Lencioni: In security, you're dealing with a matrixed environment; you don't have hierarchal authority over people. So it's critical that you build trust up front. That's not going to come through power politics; it's going to come from collaboration. Not necessarily consensus but collaboration.
CSO: Managing up with something like security is hard. The CEO maybe doesn't understand it. The CFO doesn't necessarily want to pay for it. HR doesn't want to recruit for security because it's expensive. How can CSOs manage up?
Lencioni: In an area like security, nothing speaks louder than passion. You have to believe it in your gut. You have to live it. In security—this is probably true for people in the CIA or the police department for that matter—it's not just a job. There's a larger purpose to this, and if you get discouraged by people who don't get it, you're not going to be successful. Now, you have to combine that with some emotional intelligence so that you're presenting it in a way that people understand. But ultimately, good leaders, good CEOs, are going to understand that passion, and you're going to win them over.
Now, the other thing you have to have, in addition to passion, is a lack of fear of losing your job. I know that's easy to say.
Hartmann: Along with the passion, along with the balancing between business needs and what's practical for a corporation is knowing when to make the decision and the ability to adjust your decision as you go. I'd love to see you [talk about one of the concepts from your books]: clarity over certainty.
Lencioni: People in security have to be able to make a decision without perfect information. They can't wait until they know all the answers, because it's often too late. And they have to do that without a fear of being criticized or being wrong or, ultimately, of losing their job. Security officers have to be more independent in the sense that they're taking ownership and responsibility for security, sometimes to an even greater extent than the chief executive or the executive team.
And if they do that honestly, and with passion and without fear, and if they can make decisions without a fear of being wrong—now, that's a tall order, but that is probably what's required.
You know what's interesting as I'm thinking about this, John, if you want to be popular, you shouldn't be in this field.
If you're working to be the chief security officer so that you can say, I'm in charge of security and I feel good about that, it won't work. Probably, if there's one job in the company that can't afford that—other than the CEO—it's the CSO. You're only as good as your last non-event. Status only detracts from your attentiveness and your diligence. I want you to have a healthy paranoia, which means I want you never to feel comfortable, never feel complacent and never feel particularly satisfied with what you've achieved.
Hartmann: Patrick, can you talk a bit about accomplishing your goals through others?
Lencioni: That's a difficulty for a security person. If an executive says to the head of security, Listen, I'd like you to go sell my people on all of this, I'd say, That's a waste of time. The CSO should say [to the executive], I'm going to sell you, and you're going to sell them.
Hartmann: That's a good one. In my opinion, companies that have recognized the need for a CSO have at least, at some significant executive level, some commitment to security.
Lencioni: Exactly. If you're going to hire that person, have the courage to go to people and say, Don't screw with him. If you want people to debate the return on investment, that debate needs to happen at the executive level. But if you think they have to keep debating it down the chain, that's crazy. And a chief security officer needs to be patient and persistent in getting the executives to figure it out. Once they commit, it should be a done deal.
CSO: You talk about collaboration, having a firm hand making decisions, simplicity. I can see people rolling their eyes and saying, Teamwork, blah, blah, blah. A theme in your writing is that these are just words until you apply brutal honesty. Can you talk a little bit about bridging that gap from saying things like teamwork and really creating it through this brutal honesty?
Lencioni: Teamwork is not a virtue; it's a choice. Teamwork is something that people have to be willing to sign up for. And saying it but not doing it is worse that not doing it at all.
So, when people sign up for it, they have to say, I'm going to build trust with my teammates. I am going to engage in conflict. I'm going to commit to things. I will hold them accountable and let them hold me accountable. And I will focus on results, not on my own agenda or my own ego. And those are hard things to do.
Teamwork is actually a natural fit and a requirement for great security because things happen so quickly, and you have to be so on top of things. The cost of not holding each other accountable, of not committing to a common solution, of not trusting each other and engaging in conflict is huge.
Who's best at this brutal honesty? The military, fire departments, people who live in crisis situations.
Hartmann: Your last comment, obviously, hits home. What about CSOs holding their direct reports accountable?
Lencioni: So often people don't like to hold others accountable because they look back and realize they never really clarified what they expected. They kind of said, Do your best. Having a really good discussion up front about what you expect from people both behaviourally and in terms of outcome is a great way to give even the most hesitant manager or leader the courage to hold someone accountable.
Hartmann: Well, I guess it's easy to hold accountable the folks that work here directly for me. But when there is a security policy or rule that's been mandated for the company and in some remote part of the world some little portion of the company doesn't comply, it's much more complicated trying to get enforcement or accountability.
Lencioni: The best thing I can say there is, go back to the executive team. I remember once I went to the executive team and asked for a million dollars for the leadership and management training, and the company said, "Hey, Pat, what's the ROI on this?" I said, "You know something, I can't tell you exactly. But you have to understand in your gut how critical this is. So I'm going to take it right off the table with you guys." And I told them, "We have to do this because we believe in management training. If we're waiting for a spreadsheet, then we're never going to do it."
CSO: Was the brutal honesty and the passion communicated to them? Because I think that the ROI question probably turns John's stomach every time he hears it.
Hartmann: Fortunately, after four years here, we're kind of past that. But I can tell you that early on there was nothing but the ROI question.
CSO: And you have to kind of go, Well, the ROI is that nothing will happen.
Hartmann: Now, we talk about what are we saving from a business interruption standpoint by taking certain mitigating steps—by looking at what we may lose, as opposed to what we're going to get back. That's been really successful for us.
CSO: So, the CSO can sell his results?
Lencioni: Yes, I think so. But I think that's something probably that a lot of people in that field aren't very good at. Because the nature of the people that go into it is kind of no nonsense.
Hartmann: I would agree with that. The softer skills, I think, are the most important ones. Having the ability to communicate a set of priorities, to pull together a team of people who can give advice, and then take a decision and drive results, I think that's really important. And I think that some of those issues aren't well suited to the often black-and-white thinking of security professionals.
Lencioni: Chief security officers are in an interesting situation in that they're taught not to trust, and they have to verify because over-trusting is, by definition in security, ill-advised. At the same time, they have to develop trust with their constituents within the company. Vulnerability is not an easy thing for a security person to do.
CSO: John, do you feel like since 9/11 last year your job has changed?
Hartmann: Yes. In some ways the sales piece of the job has become easier. There's a recognition now that, gosh, things out there in the real world can affect the way our business works. Visibility has changed slightly.
Lencioni: But things haven't changed all that much.
Hartmann: Right. The fundamentals haven't changed.
CSO: That's an interesting point because a common refrain all last fall and winter was that everything has changed.
Hartmann: Everything has not changed. We just need to keep doing what we've been doing a little bit better. At our corporate headquarters, we used to screen our visitors in the lobby. Now, we screen them at the guard gate. It's just slightly different. We've been doing the same thing for years at our company, but we just kind of kicked it up a notch.
Lencioni: It's like being a great parent. I once met this guy on the way back from Utah who had seven kids, and they were doing really well in school. And I asked, "What's the secret, sir?" And he said, "Give them boundaries and hold them accountable to those. And just tell them you love them forever." Those are all very simple, hard things to do.