Pacing Yourself in Security
--
Managing the security knowledge gap
This article is about leading Security in an organization. I promise. But first, a story:
When I decided to run my first marathon, I joined a running club, which grouped the runners according to speed. Each group had a pace coach — the person who ran with the group and kept them generally on time target. The fastest group (the sub-5 minute milers) would leave first, loping off like the greyhounds they were. Then the 6-milers, the 7-milers, and so on, until my group, the 10 minute milers, would shuffle off, like the bulldogs we were.
When you train for a marathon, each week your “long run” becomes a bit longer, until your longest training run is about 20 miles. Now, if you’re a greyhound, you can run 20 miles in less than 2 hours. But if you’re a 10-minute mile an hour runner, it takes at least 3 hours to run the same distance. It was during one of those long runs that the 5 minute pace coach joined the 10 minute running group — and he suffered.
You see, when you run long and slow, you have a different running style, and you use different muscles. When you run long and slow, you spend more time on your feet, and you take more steps — your feet know it. When you run for almost an hour longer than the greyhounds, you use food less efficiently, and need more of it. And our poor greyhound pace coach wasn’t used to any of that. By the end of the training run his legs and knees ached, his feet hurt, and his energy level was through the floor.
So what does this all have to do with being a Security Leader?
The longer you work in any profession, including security, the more experienced you become. Like the greyhounds, you can run faster, more efficiently, and with less relative effort. You know the language, you know the functions. You know what your security team does, and how it relates to other organizational groups. You know how to get where you need to be and if you’re just allowed to run, you could get there.
The folks around you are in different pace groups. Some of them don’t even really want to be there, but are there because someone else (like a regulator or an auditor) has told them they have to start running. Likely, the higher up the organization they are, the slower the pace group they…
