The hood pegged open, showing off a masterpiece of an engine, a small crowd gathered as the sense of anticipation built in the air. People smiled, tapped the person next to them and pointed. Few words were spoken, as if no one wanted to miss what was about to happen.
With a grin on his face a Cheshire cat would be jealous of, the owner leaned in the open car door, gave everyone the thumbs up sign and turned the key.
The engine roared to life in a thrilling, specific manner.
Unlike the sound of the engine turning over to start the daily commute, this engine meant business. It was both throaty and clean. The entire experience drew the crowd in as people nudged forward to witness the engine and soak in the feeling.
[Get tips for communicating security to non security people]
Surprisingly, nobody clapped. However, the look of satisfaction -- mixed with a tinge of envy -- was clear.
An admitted "pickup truck guy," the highlight of my weekend was the opportunity to look, listen and feel number 11 of 100 of the Roush-built "Nitemare" -- a sleek black 2007 Ford 150 Pickup truck that had been taken directly from the factory to Livonia, Michigan for a treatment known as "Roush Stage 3."
While admiring the engine -- where each part was specifically selected, designed, polished and included -- I noticed something more impressive: the engine was signed.
More than a badge signifying the Roush treatment, this was the actual signature of the engine builder, engraved into a plate affixed to the engine. Designed to showcase craftsmanship, signing the engine is the ultimate sign of quality.
It impressed me that someone signed their work -- especially knowing their effort was likely to be on display.
What signing your work looks like in security
The same approach to craftsmanship and desire to affix your signature to the work we do as security professionals can propel the team or an individual career to success.
Here are three ways to create the quality and experience worthy of your signature.
1. Define the outcome
2. Design the experience
3. Build a brand within the brand
These steps apply to teams and individuals -- enterprise and consulting. In the end, it's about the approach to quality and how we shift what we're doing to produce work worthy of a public signature.
Define the outcome
When considering the outcome of the transformation, Roush clearly considered the performance, but also included the visual appeal of the engine and the experience of lifting the hood, starting the engine and driving the truck. With the outcome clear, it was possible for the engine builder to deliver excellence.
When it comes to managing risk and improving security, the outcome tends to start less clear. The word "security," holds multiple meanings and shifts based on experience and context. The key is to engage in enough conversation to find the element(s) that matter. Sometimes, the outcome is a functional goal that benefits people, and security is something to be included.
Having a clearly defined -- and shared -- outcome makes it possible to create work worthy of signing, work that someone else is proud of and wants to show off to others.
Design the experience
The Roush team relied on a blend of science and art to create an experience. The look of the engine (and entire compartment) was impressive. The sound of the engine firing up drew attention across the parking lot. Best of all, this truck was designed for daily driving.
To put the importance of design into context, consider this:
In 2007, Ford sold 690,589 150 trucks (all models, according to Wikipedia)
100 were modified and 99 sold as the Nitemare.
The one I saw, #11, had the engine signed.
A truck that started stock was now special, and yet was still used as a daily driver. In fact, it was special and unique enough that it was being shown at a car show for Mustangs. One truck -- out of nearly 700,000 produced -- was on display, drew people in, gathered them around and caused a fair amount of "oohs," "ahs" and even some drool.
In security, we have the same opportunity. We can buy stock products and use them in stock ways. It will likely help us reach a goal. Or we can take those elements and tweak them a bit -- designing an experience to meet the needs of the people we serve (and possibly ourselves). In the end, we're likely to enjoy the experience while turning some heads.
Building a brand within the brand
The name on the engine package is Roush, but the signature block is of the person, the craftsman who took the time to work on that specific engine. While each engine package is the same, no two engines are precisely the same, and no two outcomes are exact, either. Its the individual that brings the sequence to life.
The same holds true in security -- signing your name to your work is ultimately an individual task. However, I'm not suggesting you build your own brand independent from the business (which I've seen some people do recently); instead, honor the brand of the group. In the end, your brand is signing your name to the brand.
It's the brand within the brand: quality of design, of execution, of outcome. Note to security leaders: is the brand of your team worthy of people signing their work?
Actually sign your work?
More than a digitized version of your signature attached to emails or inserted into a page in a document, this is a suggestion to actually consider the process of signing your work.
When the engine package is finished, the engine builder engraves their name in a plate affixed to the engine. They know hundreds, maybe thousands of people will be admiring (or examining) their work, with their name prominently on display.
This is a thoughtful capstone of someone who takes pride in his or her work. When used the same way for information security, it sets you -- and the entire team -- apart and demonstrates a pride for others to examine, admire and appreciate.
Whether a policy, training or an implementation, is your work good enough that you'd sign your name to it?
About Michael Santarcangelo
Author of Into the Breach, Michael Santarcangelo is the founder of Security Catalyst, a practice devoted to harnessing the human side of security. Michael offers keynote presentations, seminars and consulting on security awareness, effective communication of security, security career management for teams and support for security leadership. Learn more at http://www.securitycatalyst.com or engage with Michael on Twitter (@catalyst).