Phil Venables

A Simple Manifesto for Leading Security and Risk Teams

I’ve been using variants of these principles for many years in many contexts, both for security and broader risk management teams. I have found it a useful set of meta-goals to help lead various scales of organizations. Hopefully you will find some of them useful.

  • Manage Risk. We are first class risk managers serving our customers, communities, and employees. We can't always deal in absolutes - everything we do leads to a risk management decision.

  • Embrace Change. While we need to be rigorous and consistent in our methods, we also need to be agile and embrace change to adjust to the world around us. Change is often the moment when we can magnify new approaches and improve things.

  • Continuously Improve. While there is always room for big leaps in what we do, the reality is that most of our success will be tied to continuous and persistent improvement in small steps every day - all year.

  • Simplify. If we relentlessly simplify (not dumb down) what we do - process, tools/automation, deliverables, interactions and communications - then we will serve our organization better and have more enjoyable jobs.

  • Plan and Communicate. We will maintain consistent, transparent and communicated plans and roadmaps for what we do. There will be no off-book or shadow lists of commitments. 

  • Support Professional Development. We will encourage and support people’s professional development and mobility within the team and the wider organization. Every one of us is on the recruiting team. Constantly look for talent, with a special focus on diversity in all forms. Not only is this the right thing to do, but just as importantly it makes us more representative of our customers and increases our diversity of thought, which improves outcomes.

  • Escalate Fast. Issues or suspected incidents should be raised quickly, even if that means skipping levels up the management chain. If you ever have to think too hard, or are doubtful about whether to escalate something, then the answer is always to escalate.

  • Balance Work and Time. We expect everyone to work hard and deliver first class work, but we know this isn’t sustainable if the load is excessive, so we also expect you to escalate difficulties and be respectful of time (yours and others’).

  • Trust the Team. Trust all levels of the organization. People will always surprise us with their capability. Trust your peers to support you - but work constantly to clarify delivery expectations and remove process ambiguity. Never ascribe to malice what is more likely error or fatigue - show some empathy for others. 

  • One Global Team. We work as one global team. We have to be organized into functions, regions and other units for division of labor, but it is inexcusable to not act as one team. 
