« Non-Fiction Review: Coaching: Evoking Excellence in Others by James Flaherty | Main | The Onion: Phelps Returned to Sea World Tank »

Coach Your Way to Better Security

As noted earlier, I've recently read James Flaherty's excellent book Coaching: Evoking Excellence in Others. My original purpose in reading this book was to help generate content for an internal training course I'm developing on savvy skills for consultants (I also read Ron Fry's Ask the Right Questions Hire the Best People for the same project). However, as I began reading this work, it occurred to me that what Flaherty describes is really a philosophical shift that has great applicability to the information security profession. In particular, this line jumped out at me: "...command-and-control organizations cannot bring about the conditions and competencies necessary to successfully meet the challenges holistically. For the most part, organizations know this and have attempted to reorganize themselves using the principles of total quality management and reengineering." (p2) Put in a security context, what he's saying is that all these top-down initiatives may be good and fine, but they only serve to reinforce the self-defeating practice of a command-and-control management structure, disincentivizing people to step up and act responsibly.

Within information security, perhaps the number one place where we see this sort of situation is in policy enforcement. Most organizations today have policies, but how well are they enforced? If they are enforced, is it through a heavy-handed approach, or because everyone is onboard? From a psychological perspective, the bottom line - as always - is that people will only change either because they want to or because of a trauma. Unfortunately, as Flaherty notes, simply providing stimuli (pain or reward) is not generally enough incentive on either account.

The purpose of coaching, then, is to treat people respectfully and trust them to do the right thing. Flaherty goes on to say that "coaching is a way of working with people that leaves them more competent and more fulfilled so that they are more able to contribute to their organizations and find meaning in what they are doing." (p2) Again, is this not an ideal outcome for security practitioners? Is it not our preferred outcome that people with an organization will internalize and consistently follow good security practices?

Coaching is designed to produce three outputs:
* long-term excellent performance (achieving objective standards)
* self-correction (focusing on building competence, not being/remaining indispensable)
* self-generation (continuous quality improvement)
Each of these values is targeted at the individual, but could also be applied to organizations as a whole. They also sound remarkably similar to the detect/correct/prevent approach that we in information security know so very well. In order to achieve optimal risk management in the long-term (which is the baseline of a good security program) we want to structure security practices such that we can measure performance against known good benchmarks, and we want the program to be continually evolving based on both internal and external feedback.

One area of Coaching that I found interesting was Flaherty's discourse on the failings of "amoeba theory." Amoeba theory is based on the notion that you can "train" an amoeba to do what you want it to do by providing stimuli (pain or reward). Don't want it to go left? Poke it. Want it to move to the right? Place food to its right. This approach is very similar to the "big brother" (or "nanny state") approach that we have seen, particularly of late. In this approach, you have a heavy-handed policy (possibly a super-strict web proxy) that smacks you down when you cross an artificially created line, even if that line prevents you from innovating to get your job done.

Amoeba Theory

Flaherty outlines 5 reasons why the amoeba theory does not product long-term benefits and results, which again show eerie parallels to policy enforcement:
1) Amoeba theory does not generate long-term results because as soon as the stimulus ends, the behavior ends.

2) Contrary to popular opinion, people are actually a lot more clever than amoebas, and as such we can learn to get the reward without performing the required action (gaming the system, if you will).

3) Applying amoeba theory eliminates the opportunity for self-correction because people are simply responding to stimuli instead of embodying actual change (again: people either change because they want to or because of trauma - amoeba theory is not trauma).

4) Amoeba theory is very dangerous because it habituates people into being directed instead of self-directed, effectively driving people toward becoming passive, non-thinking drones. This approach penalizes initiative, innovation, risk-taking, and creativity.

5) The amoeba theory also removes the opportunity for people to be self-generating because, again, it severely penalizes any "out of the box" thinking or acting that could otherwise be beneficial. In particular, it puts a significant focus on the immediate, undermining the objective of building long-term competence. (as a side-note, this seems to be a particular cultural attribute in the US these days that seems to threaten the long-term success of the country - but that's a different diatribe for a different day;)

The last thing to note before getting into how to apply coaching is that Flaherty encourages us to "...account for behavior by understanding it as what follows from the way the world is showing up for someone. ... it's not events, communication, or stimuli that lead to behavior, it is the interpretation an individual gives to the phenomenon that leads to the actions taken." (p8) In security, this means that people bring their own interpretations and focus and often lack the "language" necessary to make new observations about their environment (we'll talk more below about what these terms "language" and "observations" mean).

In the business world, and indeed within information security, what we're really talking about here is understanding the needs of the business and making sure that our conversations can be understood. If we're not able to effectively communicate with each other, then we're likely to pursue security practices that are contrary to the perspective and interpretation of our internal clients. This disconnect could lead to working at odds with the business, rather than in a manner that enables the business in a risk resilient manner.

Operational Principles of Coaching

Flaherty outlines 5 principles of coaching within the book. Those are:
1) The relationship is the background for all coaching efforts. Before you can begin any sort of coaching activities, you first need to have a relationship. In infosec, this is perhaps one of our greatest challenges because we're often seen as the bad guys, or as the outsiders, or as the people who are coming to put up obstacles to obstruct the business. Nothing should be further from the truth. Information security is about enabling the business, reducing risks that will effectively minimize loss while maximizing opportunity. To achieve these highly desirable outcomes, we must have a good working relationship with others in the organization. Says Flaherty: "The relationship must be one in which there is mutual respect, trust, and mutual freedom of expression." (p11) How many times in infosec do we violate some or all of these attributes of a good relationship?

2) Coaching must be pragmatic. Too often security is pie-in-the-sky and loses sight of what is truly important to the business. Ultimately, this point is about realizing that security relies on making good trade-off decisions. As noted in my post on "A Systematic Approach to Risk Management", we need to be looking at what changes are realistic and useful for each given risk scenario and positioning the business to make decisions that best manage those risks within the preferred tolerances. Says Flaherty: "The rigor of pragmatism requires that as coaches we continually undo our conclusions, and face each coaching situation with a willingness to learn anew and find out that what we learned last time does not apply now." (p11)

3) "Two Tracks" (work coaches do with clients and work coaches do with themselves). Flaherty notes that coaching really functions at two levels - as the work that we perform for others and as the self-improvement we do for ourselves. This point is really rather important in that we need to always be working to not only further ourselves, but others (or vice versa). If you don't get out and see new technologies and practices on a regular basis, then the entire world might be passing you by, limiting your ability to innovate.

4) Clients are always and already in the middle of their lives. I think this point is really great. The business is always in motion, and to expect that we can just step in and demand 100% of the time and budget and operations is simply unreasonable. Whenever we approach risk management and information security within an organization, we must always do so within the context that the business must continue to operate.

5) Techniques don't work. This last point is rather amusing, and is best applied to management. Ever had a member of management go to a conference and then come back all fired-up about some new way to do something? Have you ever noticed how most people will just duck-n-cover until things blow over? More importantly, though, is that techniques do not work in bring about the desired outcomes of coaching methodology, and they can actually back-fire by causing resentment as people realize that a technique is being used on them. (p12)

Coaching Tools of the Trade

Flaherty lists the basic tools of the coaching trade as language, observation, and assessment (sound familiar at all?). About language, he says "...language provides for us the horizon of possible actions, experiences, relationships, and meanings." (p30) Observation he describes as the ability to observe in context without judging or alternating, also putting those observations into language in seeking to understand the structure of interpretation (for both the coach and the client). He describes assessments as comparing observations to standards of practice. In the end, the goal is to become a more acute observation and a more ground assessor, which means learning a language that allows making new observations and assessments. (p36)

It seems that the applications of these tools to information security are quite clear: we must be able to effectively communicate with others, which means that we must understand their language, while also introducing new language to them to better understand us. Once the basis for communication is established, then it is incumbent upon us in infosec to make observations - in context! - and then assess those observations against known good practices, communicating our findings. Again, though, it is imperative that these findings and recommendations be placed in a proper context and framework of understanding. The business is continuing to operate, and thus will not be guaranteed to have the necessary resources to address every little whim. Rather than expect a from-the-top lightning bolt of change, we instead need to work with people to help them understand and internalize these observations and assessments in order to facilitate long-term improvements in competency and behavior.

The Flow of Coaching

The last several chapters of the book talk about the typical flow of coaching relationships with in-depth discussions and suggestions on each section. Flaherty describes the normal flow as follows (p40):
1) Establish Relationship
2) Recognize Opening
3) Observe/Assess
4) Enroll Client
5) Coaching Conversations

In this area, not all steps in the flow may directly translate into our work as security professionals. However, allow me to cherry-pick some key points.

On the coaching relationship, Flaherty notes that a good coaching relationship must be based on mutual respect, mutual trust, and mutual freedom of expression. Within information security this can be a significant challenge. In particular, many of us have a tendency to marvel at the stupidity of users, managers, and even administrators. Why would you click on a suspicious attachment? Why wouldn't you harden the heck out of a host? Why wouldn't you authorize all my budget for security tools? These questions undermine the relationship we have with our customers, and they belie our failings to establish a good working relationship; that we've never established the language necessary to support our observations and assessments.

The other aspect to this problem of effective communication is finding openings for discussions. The bottom line is that timing is everything. If you show up at your manager's office in the middle of a crisis to talk about something that's not nearly as critical, then you shouldn't be surprised when you get shooed away.

The book provides good descriptions about types of assessments for working with people in a direct coaching relationships. For our purposes, we in security and risk management are very familiar with the concept of assessments, and thus have myriad resources at our disposal. I won't belabor the point except to note that assessments are one of our fundamental tools of the trade.

Lastly, Flaherty talks about the types of coaching conversations. He breaks them down into the following categories (p126):
- Type One: the single conversation aimed at building or sharpening a competence
- Type Two: a more complex conversation held over several sessions
- Type Three: a profound and longer conversation intended to bring about fundamental change

From the infosec perspective, I think these are good categories to keep in mind as we approach people with the intent of helping guide them to improved security practices (note that I'm saying "guide" here - this is not manipulation and should not be viewed or approach as if it were - manipulation is a negative practice and can back-fire just like techniques). I would say that in most cases, our conversations are going to be Type One, designed to help fix a given practice here or there. However, that being said, there will always be larger projects that require more significant security architecture or risk management conversations, which would then fall under Type Two. The third conversation, Type Three, strikes me as those "come to Jesus" sit-downs where you've identified a major failing within an organization and need to bring serious attention to it. Such a conversation may pertain to the realization that an organization has a major unaddressed exposure as a direct result of an oversight or failing, and may be linked directly to bad decisions made by senior people within the organization. It's tempting to say that Type One conversations are the easiest to have, but it's important to still approach them in a manner commensurate with the approach described above.


I think that there's a lot to be learned from Coaching: Evoking Excellence in Others and recommend it to anyone working in infosec (especially consultants and auditors). The overall approach is not something that we see within the normal operations of a business, and yet they are very powerful concepts. Perhaps the greatest lesson from the book is that we can help institute change within people and organizations without having to be demanding or manipulative. In fact, we may be able to accomplish more if we simply work with people, establishing a shared language and making observations, than if we use a more traditional command-and-control approach.

All of this is not, however, to say that executive sponsorship is not needed with security programs. On the contrary, we need executive sponsorship to ensure that programs are properly resourced. Beyond that, though, this approach represents a unique style that could have far better results than we typically see.


TrackBack URL for this entry:

Post a comment


This page contains a single entry from the blog posted on August 20, 2008 9:57 PM.

The previous post in this blog was Non-Fiction Review: Coaching: Evoking Excellence in Others by James Flaherty.

The next post in this blog is The Onion: Phelps Returned to Sea World Tank.

Many more can be found on the main index page or by looking through the archives.

Creative Commons License
This weblog is licensed under a Creative Commons License.