The Golden Security Circle

The Golden Security Circle

Our second blog on management models applicable for Digital Security is all about creating a compelling vision.

Introduction

A common practice in Digital Security is to improve the level of security by implementing a framework (e.g., ISO27001/2, ISF, COBIT, NIST, etc.). Deficiencies in compliance with these frameworks are then defined and improvements can be executed. These improvements are defined in a security plan, which is sometimes misnamed as a security strategy.

The main misconception is that this Framework implementation is a vision or a strategy, where it is in fact, only the remediation of the Framework. The same goes for words like “zero-trust” and “confidential-computing” that are dropped randomly. But these are not visions, these are basically (very good) strategic approaches to securing data that require change of mindset, leadership and craftsmanship. 

Vision and Strategy
The Vision is a goal. It is not the same as a Strategy; business strategy tells you how a company is going to achieve (or maintain) its Vision. The Strategy is a plan, the tactics are how the plan will be executed and the Vision is the end-result[1].

The problem with the above-mentioned Digital Security “strategies” is that it won’t resonate with the people executing the “strategy”, often leading to unsuccessful results (e.g. results are delivered too late and/or without a lasting result). One of the main reasons for this is that there is no clear vision or no vision at all for digital security that forms the basis for the “strategy”. According to John P. Kotter[2], one of the eight reasons changes fail is the “lack of a Vision”. Another reason why change fails is “Under-communicating the Vision”. 

Most of the digital security plans also consists of multiple changes that needs to be made in either the technology, processes or with people. Therefore, a Security Vision is needed to change successfully and embed digital security in a more sustainable way. 

Since we noticed in practice that some security professionals think a “compelling” security vision is something like “we need to comply to ISO27001 or COBIT”, we will shed light on how to create and communicate a more compelling vision than just compliance.

The “why”  

A well-known management model that can assist in creating a compelling vision is the “golden circle” by Simon Sinek. Sinek got famous with his TED talk and his book “Start with Why: How great leaders inspire everyone to take action”[3]. The essence of his Talk and book is that “people don’t buy what you do, they buy why you do it“. As a short recap the most well-known part of the talk is:

If Apple were like everyone else, a marketing message from them might sound like this: “We make great computers. They’re beautifully designed, simple to use and user friendly. Want to buy one?” “Meh.”

Indeed, uninspiring. Then the way Apple does it:

“Everything we do, we believe in challenging the status quo. We believe in thinking differently. The way we challenge the status quo is by making our products beautifully designed, simple to use and user friendly. We just happen to make great computers. Want to buy one?”[4]

As an example, below we give a digital security vision that is based upon our belief that human behavior, either a regular employee, IT user or IT administrator, is the key differentiator in making digital security a success.   

An Example:
We believe that the key differentiator in making our company more secure lies within ourselves and our behavior. The way we try to accomplish this is by overcommunicating and training our staff in digital security to get secure behavior in everyone’s DNA. We train to recognize threats and behave secure, implement clear reporting lines and have solid standard operating procedures to prevent, detect, respond and recover from an incident. 

Involve relevant staff

Next to the “attractiveness” of the Vision, it is also important to involve relevant staff in establishing a compelling Vision. When doing this make sure to not only involve security staff in this visioning process, but also staff from IT, HR and the most important business processes. This will help you in creating a vision that is understood by more people than just the security staff. 

One of the working methods we often use in workshops is the “Letter from the Future”[5]. In this working method, the participants write a letter to themselves from the future. The letter describes where they are and what they are doing and what they did to get there. The participant can also advise themselves. In the session, this is discussed and used to work out actions that can realize an ideal situation in the future. Next to the Vision, this could also give a first idea about the strategy that needs to be followed. 

A somehow similar approach, called “working backward”, is followed by Amazon[6]. A product owner starts with writing an internal press release about a finished product, instead of starting with an idea for a product and trying to sell it to customers. The target audience is the customer. If the benefits mentioned in the press release aren’t very interesting or exciting to the customers, the product will most probably not be built.

Next to this working method we also often visualize the Vision and high-level strategy. A Cartoonist is very well trained in not only visualizing the Vision, but also in making sure the message is understood by everyone who reads it. An example of such a visualization is given below. This example is a part of a larger strategic map which is used with permission. 

Quantum-Communicate

As mentioned by Kotter, Overcommunicating the Vision is also of essence to make any change a success. As mentioned by Sinek the Vision also needs to be compelling to have people believe the Vision. Next to that, the message needs to be tuned to the different target audiences. 

The need to tuning your message to the target audience is clearly described in the article “Communicating a Corporate Vision to Your Team”[7]. It is noted that there are two important things when you want to communicate a vision. First, you have to target your message. IT has different needs than marketing, HR, customer service desk, etc. Second, augment logical reasoning with an emotional appeal to inspire. That’s how you get buy-in, and how you shift the team’s response from “I have to,” to “I want to” It’s common knowledge in a lot of management models that if people “want it” change can actually happen. In summary the writers use the following four steps to put people into action:

  • Think about your audience – What do they care about the most?
  • Target the message to their needs – how is the vision relevant to them?
  • Lay out action steps – What are specific, measurable goals and deadlines?
  • Engage their emotions – How will they benefit in the end, to be part of a dream?

Conclusion, “I have a Dream”

Having a Vision is not only relevant for an entire organization but also relevant for every change you would like to make. Next to actually having a vision, over-communication the vision in a compelling manner that is tuned to the audience and has emotional engagement is an absolute must to change people’s attitude from “I have to” to “I want to”. 


[1] Explanation about the difference between vision and strategy described on https://www.dougsguides.com/vision

[2] Leading Change: Why Transformation Efforts Fail, John P. Kotter, Harvard Business Review, 1994

[3] Simon Sinek, Start with Why: How great leaders inspire everyone to take action, 2011, Penguin Books Ltd

[4] https://www.youtube.com/watch?v=qp0HIF3SfI4. In this TED talk from Simon Sinek the Golden Circle is explained.

[5] Sasja Dirkse-Hulscher, Angela Talen, Het Groot Werkvormenboek, dé inspiratiebron voor resultaatgerichte prestaties, vergaderingen en andere bijeenkomsten, September 2007, Boom.

[6] https://www.quora.com/What-is-Amazons-approach-to-product-development-and-product-management/answer/Ian-McAllister

[7] Kelly Decker & Ben Decker, Communicating a Corporate Vision to Your Team, HBR, July 10, 2015