I've been a manager for about 16 years. At first, I was the supreme micromanager. I wanted daily status reports. I looked over shoulders. I constantly asked questions.
Looking back, I'm embarrassed at how poorly I managed people. By the time I was managing security people, I had learned a lot.
First of all, these guys (that's an all-inclusive, male-and-female "guys") are really smart. Most are smarter than their manager, so pretending you know everything is an unwise approach. You should know enough to converse intelligently and to understand the issues. But you can't know everything about every device on the network. You just need to know which security issues should be addressed and have a good idea of how to address them.
I used to think that a good manager of technical people has to be fairly technical herself. But I've found that no matter how hard I try, I can't keep up with the pace of technological innovation. Every innovation has a security component.
If I spend a weekend learning the nuts and bolts of designing a customized virtual private network, I fall behind on understanding the security implications of Microsoft's latest operating system.
So, here are my three simple rules for managing the smart guys.
No. 1: Hire really good people
What is a "good hire"? That varies depending on what you want. I want people I can trust. Trust implies all kinds of things: commitment and dedication to the job, to the agency, to the project and to the team. I want to be able to trust that my employees are going to show up every day, work hard and stay all night when the network goes down.
I want my employees to be dedicated to teamwork, meaning that I can trust them to help out a colleague and not undermine others' work. They must tell the truth, the whole truth and nothing but the truth, no matter how unpleasant it may be.
How do I determine that someone is trustworthy? Job history tells a lot. References are helpful. But most of all, I rely on looking the applicant squarely in the eye and evaluating what I get back. Is that fuzzy logic? It certainly is a gut-instinct thing.
You can usually spot a fishy situation if you're paying attention. Someone who lies on a resume, doesn't have good references, doesn't pass a background check or just can't back it all up in an interview is not to be trusted.
Give candidates plenty of opportunities to talk and maybe bury themselves. Ask questions like, "What was your best and worst experience in doing security work?" What you're looking for is information on how the candidate handles pressure and whether he tends to blame others or accept responsibility.
I don't waste my time asking things like, "Show me the command lines to configure a DMZ on a Cisco Pix firewall." Anyone can look that up in two seconds. The ability to store command lines in your head is indicative of nothing other than a great memory. Besides, most of these guys have a direct link from their brains to the keyboard and won't necessarily be able to come up with the answer in an interview situation.
After trustworthiness, I look for intelligence. I want someone who can work through a complicated scenario independently and come up with a good answer or a number of options, with all the pros and cons thought through.
No. 2: Set them free
Once you have the right people in place doing the things they are good at, leave them alone. Managers often don't understand that creative thinking and intellectual curiosity are what it takes to solve complex problems. These processes function poorly under time limits and rigid schedules. Yes, we have to meet deadlines. But creative problem-solving can't be squelched, stomped on or denied if you want to solve real problems.
My only role is to check in every so often to see if there's anything I can do for the smart guys. I also enjoy the conversations I have with them and debating the pros and cons. Then I go away, hoping I have sparked more creativity and curiosity.
This is how you get good solutions and happy smart guys.
No. 3: Give credit
Never, ever take credit for what the smart guys do. I recall one time racing out of the office to catch a plane. I would be gone for over a week, but I had a problem I hadn't been able to solve. None of my guys had been able to solve it either, so I had bought a few books on the topic. Unfortunately, I hadn't had time to read them all. As I left, I tossed one of the more informative books to one of my senior guys and asked him to figure it out. Later, he e-mailed me a perfect solution. I told him to go ahead and take it to the CIO.
I recall feeling a tad jealous that he got all the credit. But then I thought to myself, "Whoa! Isn't this what you had hoped for? Isn't this why you hired him?" So, I congratulated him and bragged about him to my boss. Today, he remains one of the most honest and intelligent guys I know.
Is it possible that three simple rules can make you a great manager? Yes. Hire the right guys, set them free, and give them all the glory. It works. Now back to finding some really smart guys!
What do you think?
This week's journal is written by a real security manager, "C.J. Kelly," whose name and employer have been disguised for obvious reasons. Contact her at mscjkelly@yahoo.com, or join the discussions in our security blogs: computerworld.com/blogs/security.