Last summer I spent a few days with a company to assess the human side of their operation. As part of the process, the CSO and I walked the hallways, talked with people and then discussed our observations. During lunch on the second day, I asked about his team, specifically how he managed his team to get the results he was responsible for.
As I listened to his response, I couldn't help but smile. He employed "Roadhouse" rules.
One of the greatest "B movies" of all times, Roadhouse is the tale of Dalton, a professional bar bouncer (technically, the "cooler," the leader of the bouncers), and how he cleans up corruption in a town as he restores a bar with a rough reputation to a hotspot.
In a memorable scene, Dalton gathers the bar staff and explains his three simple rules:
- Never underestimate your opponent, expect the unexpected
- Take it outside, never start inside
- Be nice
Roadhouse has some parallels to the role many of us face as security leaders in our respective organisations. We're the cooler head, paid well and called upon to produce change and protect the organisation. To support the process, we have a team of people to work with us and face a constant (dare we say "persistent") series of attackers.
While introduced in a bar, the "Roadhouse Rules" work for security teams, too. Here are some insights with each of the rules in context:
Never underestimate your opponent
While it seems like this rule is a given for security, it helps to step back and consider the opponent. While the stress and frustration of daily operations leads to the feeling that our colleagues and clients are the opponent we face, they are on our team.
Our opponents are varied, and they are always active.
Most security professionals are already vigilant, so this rule is an opportunity to keep focus on the real opponent. Better, consider it an invitation to engage colleagues in the process of exploring opponents, get their help to discover the unexpected so that everyone is more prepared.
Plus, having colleagues on the lookout makes it easier for everyone to manage risk.
Take it outside, never start inside
In the movie, there is a scene where an unruly patron wants to fight Dalton. He "agrees" and offers to take it outside. Once they all walk outside, he smiles, turns around and walks back into the bar.
By taking it outside, there was no fight.
Fighting inside generally results in damage. In the movies, it's generally broken bottles, tables and bones. In the organisation, it tends to be reputations, budgets and the success of necessary initiatives. With this in mind "take it outside" can be applied in a variety of ways, including:
- Take a break and take the concern outside, literally. Go for a walk to get some perspective.
- Instead of fighting with insiders about their perspective, "take it outside" to shift their perspective and introduce the view of an attacker, and work to gain common ground on how to best address that challenge.
- Get some outside help to clarify the point, support the assertion or otherwise address the issue without fighting.
Regardless of the approach, be wary to start anything inside without first thinking about taking it outside.
Like saving the best for last, this rule packs the biggest punch and is the most important.
After introducing this rule, the bouncers offer their challenges, in an attempt to prove why this rule doesn't work. Dalton explains, "This is just a job, nothing is personal."
In security, take the same approach: be nice. Realise this is just a job (or at least others see it as such) and when people fight, attack and undermine, it is more likely a function of them doing their job, or trying to, and not a personal attack.
This rule has a corollary. Be nice, until the time comes to not be nice. When asked when that is, Dalton explained they wouldn't know. It wasn't their job to determine when to not be nice, instead, it was his job to tell them. The same goes for security.
As part of a team, the responsibility to be nice is paramount. If, not necessarily when, it is time to not be nice, that is the call of the executive, probably the CSO. As the security leader, this responsibility is something that cannot be taken lightly.
In my experience, being nice always provides additional outlets and sets the stage for future elements. However, we have all experienced times when niceness just doesn't work. In that case, have at, but exercise caution.
Watch my back and each other's, and we'll be fine
A good reminder that our role is to look out for each other, and everyone on the team needs to protect the leader. Incorporated into this advice is the need for the leader to follow the rules outlined above and provide for the career progression and management of their team.
Successful security leadership requires effective connections and a solid team. "Roadhouse rules" is a simple approach that brings immediate benefits.
Find your next job with computerworld UK jobs