  • Phil Venables

A Simple Manifesto for Leading Security and Risk Teams

I’ve been using variants of these principles for many years in many contexts, both for security and broader risk management teams. I have found it a useful set of meta-goals to help lead various scales of organizations. Hopefully you will find some of them useful.

  • Manage Risk. We are first class risk managers serving our customers, communities, and employees. We can't always deal in absolutes - everything we do leads to a risk management decision.

  • Embrace Change. While we need to be rigorous and consistent in our methods, we also need to be agile and embrace change to adjust to the world around us. Change is often the moment when we can magnify new approaches and improve things.

  • Continuously Improve. While there is always room for big leaps in what we do, the reality is that most of our success will be tied to continuous and persistent improvement in small steps every day - all year.

  • Simplify. If we relentlessly simplify (not dumb down) what we do: process, tools/automation, deliverables, interactions and communications, then we will serve our organization better and have more enjoyable jobs.

  • Plan and Communicate. We will maintain consistent, transparent and communicated plans and roadmaps for what we do. There will be no off-book or shadow lists of commitments. 

  • Support Professional Development. We will encourage and support people’s professional development and mobility within the team and the wider organization. Every one of us is on the recruiting team. Be constantly looking for talent with special focus on diversity in all forms. Not only is this the right thing to do, but just as importantly it makes us more representative of our customers and increases our diversity of thought which improves outcomes. 

  • Escalate Fast. Issues or suspected incidents should be raised quickly, even if that means skipping levels up the management chain. If you ever have to think too hard, or are doubtful, about escalating something, then the answer is always to escalate.

  • Balance Work and Time. We expect everyone to work hard and deliver first class work, but we know this isn’t sustainable if load is excessive, so we also expect you to escalate difficulties and be respectful of time (yours and others). 

  • Trust the Team. Trust all levels of the organization. People will always surprise us with their capability. Trust your peers to support you - but work constantly to clarify delivery expectations and remove process ambiguity. Never ascribe to malice what is more likely error or fatigue - show some empathy for others. 

  • One Global Team. We work as one global team. We have to be organized into functions, regions and other units for division of labor, but it is inexcusable to not act as one team. 
