My guest today, Steve Durbin, shares why empathy, agility, and resilience are vital to managing risk and keeping your organization secure. Steve shares the biggest threats to organizations right now and how empathetic leaders foster the resiliency needed to adapt. We discuss how CISOs and risk officers can create an empathetic culture where trust and transparency flow to help protect the organization. Steve shares how letting go of control can keep you safer, and how curiosity and listening help you communicate in ways people understand. He candidly shares that CEOs who don’t understand empathy are a risk. And finally, Steve offers ways to balance a culture of experimentation and empowerment with effective risk management.
Key Takeaways:
- When assessing risk, people are your greatest risk, but they are also your greatest asset and your greatest opportunity for solutions.
- It is not the machine or the algorithm that will solve your risk problem; it is your people.
- You risk losing your best people if you’re not willing to adapt to what needs to be done for the best of your organization, employees, clients, and other stakeholders.
“You increase awareness by explaining why people need to be aware, why they should care, and you may have to make it personal.” — Steve Durbin
About Steve Durbin: CEO, Information Security Forum
Steve Durbin is Chief Executive, Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments.
He is a frequent speaker and commentator on technology and security issues, and, since 2016, the host of the ISF Podcast.
Formerly at Ernst & Young, Steve has been involved with IPOs, mergers and acquisitions of fast-growth companies across Europe and the USA. Having previously been senior vice president at Gartner, he has advised a number of NASDAQ and NYSE listed global technology companies.
Steve has served as a Digital 50 advisory committee member in the United States, and he has been ranked as one of the top 10 individuals shaping how organizations and leaders approach information security careers. He has also been featured on the top 20 most influential list of leaders whose companies have a vision that shapes the conceptual landscape of their respective industries.
Steve is a Chartered Marketer, a Fellow of the Chartered Institute of Marketing, Forbes Business Council Member and a lecturer at Henley Business School, where he speaks on the role of the Board in Cybersecurity.
Connect with Steve:
Information Security Forum: securityforum.org
LinkedIn: linkedin.com/in/stevedurbin
YouTube: youtube.com/channel/UCyTu0HsWQd_ucrt0Zo0042A
Connect with Maria:
Get Maria’s books on empathy: Red-Slice.com/books
Learn more about Maria’s work: Red-Slice.com
Hire Maria to speak: Red-Slice.com/Speaker-Maria-Ross
Take the LinkedIn Learning Course! Leading with Empathy
LinkedIn: Maria Ross
Instagram: @redslicemaria
Facebook: Red Slice
Threads: @redslicemaria
FULL TRANSCRIPT:
Welcome to the Empathy Edge podcast, the show that proves why cash flow, creativity and compassion are not mutually exclusive. I’m your host, Maria Ross. I’m a speaker, author, mom, facilitator and empathy advocate. And here you’ll meet trailblazing leaders and executives, authors and experts who embrace empathy to achieve radical success. We discuss all facets of empathy, from trends and research to the future of work to how to heal societal divisions and collaborate more effectively. Our goal is to redefine success and prove that empathy isn’t just good for society. It’s great for business. In the world of corporate risk, what is often viewed as the weakest link? That’s right, people. This can often be why leaders fear letting go of control and create rigid rules that may not work for everyone or actually hinder resilience. But that means that if you have the right people, leaders with the right skills, your people can also be your greatest defense to combat the wide variety of security challenges that exist today and nimbly adapt to changing conditions. My guest today shares why empathy, agility and resilience are actually vital to managing risk and keeping your organization secure. Steve Durbin is the chief executive of the Information Security Forum, or ISF, and a leading expert in cybersecurity strategy and emerging threats in both corporate and personal environments. He hosts the ISF podcast and is a frequent speaker on technology and security issues. Formerly at Ernst and Young and Gartner, he has advised global tech companies on IPOs, M&As and security strategies. Recognized as a top influencer in information security, Steve is a Forbes Business Council member, a lecturer at Henley Business School and a fellow of the Chartered Institute of Marketing. Today, Steve shares the biggest threats to organizations right now and how empathetic leaders foster the resiliency needed to adapt.
We discuss how CISOs and risk officers can create an empathetic culture where trust and transparency flow to help protect the organization. Steve shares how letting go of control can actually keep you safer, and how curiosity and listening help you communicate in ways people understand. He candidly shares that CEOs who don’t understand empathy are a risk. And finally, Steve offers ways to balance a culture of experimentation and empowerment with effective risk management. This is an eye-opening conversation to all my data-driven, technology-driven folks out there who think empathy has no place. Take a listen. Welcome, Steve, to the Empathy Edge podcast. I am very excited to talk to you today about the state of risk and global influence on leadership and on organizations today from your specific vantage point. So welcome to the show.
Steve Durbin 03:16
Thank you, Maria. Nice to be here. Thank you for inviting me.
Maria Ross 03:20
So before we dive in to talking about all the things and how management of information and management of people can help us live with and manage through the risk that we face today, tell us a little bit about your story and how you got into this work. You know you are now chief executive of the Information Security Forum, but how did you get here, and what are you most passionate about?
Steve Durbin 03:41
Yeah, I never, I never set out to work in security. I didn’t really know much about it, to be quite honest. I came to security. I was at EY. I was doing a lot of M&A work, working with a lot of entrepreneurs, sort of startups, that kind of thing, fast growth organizations. And one day I was approached about joining the ISF, and I’d never heard of them, and I’d never really come across security at all, which is interesting. And if you think about the amount of M&A work that goes on, not to have even considered the role of security would seem perhaps strange today, but going back, I don’t know, 15, 16 years, it was the norm, and so I was intrigued, and it was really sort of presented to me as more of an opportunity to grow an organization, so the security bit wasn’t really overplayed, and that was how it all started. And you know, here we are 16, 17 years on, I’m still here. And the security space keeps changing. It’s very, very fast moving. It is, in its own way, very entrepreneurial. It’s going to become increasingly so as well when we see things like AI coming in and the different ways in which people are going to have to respond to that. But there was no sort of master plan. There was no sort of, you know, never is a bed and say, you know, that’s it, security. That’s the thing for me, yeah, because I started out in literature, really, that was my degree, yeah, that is really interesting. And then worked in technology from there and, you know, consultancy, and then ended up where I am today. So, yeah, wow.
Maria Ross 05:28
Well, I mean, I think that also gives you a more holistic view of things. I think when people, when you have people just that are in single silos and single tracks approaching their work, sometimes that causes us to not see risks or not see opportunities because we’re so single-minded. So I really appreciate that you have kind of this well-rounded background, and you’re coming at it from that perspective. So let’s dive into security, because it’s really interesting to me. Obviously, we’re in a time of disruption. We’ve got cybersecurity threats, we’ve got AI, we’ve got geopolitical forces impacting organizations. Leaders are dealing with a lot. And so what do you think are the biggest threats right now, not only from a security perspective, but from an organizational perspective? Where do you think CEOs and C-suite leaders need to focus right now in terms of the threats that are out there to their organization?
Steve Durbin 06:19
Yeah, I think, you know, many people at this point would probably expect me to dive into technology, and I don’t see it that way at all. Actually, I see it as being fairly and squarely in that sort of people wheelhouse. And the reason that I say that is twofold. First, when things go wrong, it is people who dig you out. We can pretend that we’ve got the best technology in the world, that we’ve got all the great backups, but I’m not aware of any organization that’s gone through a significant breach or significant downtime that has said, okay, you know, feet up. Let’s go. We’ll go down the coffee shop, because technology is going to get it all working for us. Doesn’t work. It’s people right to do it. And then on the flip side, then people are often, you know, viewed as being the weakest link in the security chain, and get a bad rep from being that. And it’s true that a lot of, you know, phishing, malware, all of those sorts of things come in because people click on the wrong links, but that’s human nature. So I think, you know, when you go into the boardroom, it’s all too easy to get involved in a conversation around ChatGPT and AI and, you know, and I’ve been there and I’ve had those conversations because it’s the latest shiny new toy, but people are at the heart of it, if you step away from that. And what are the sorts of things that we need to be concerned about? Well, geopolitics is up there. You know, it’s fairly and squarely right at the top of the list. The rise in cyber crime, obviously, whether that be state-sponsored or whether it be otherwise, that’s up there as well. And most boards are concerned about ransomware, and they ought to do about that, how they’re going to respond to it. So those are the sorts of things from a security standpoint.
But ultimately, you know, when an organization assesses risk, it’s in the context of what it’s trying to do expand, is it trying to introduce new products and all of those sorts of things. And again, I’ve noticed that sometimes the security component, the risk component, can get lost in some of the enthusiasm that you would hope is smart by an organization wanting to do something fresh, new, different. But those are the sorts of things that we’re talking about, mostly at the moment, and the sorts of things that organizations are concerned about.
Maria Ross 08:55
So, so much to dive into there. I want to talk a little bit. And obviously why you’re here is because people are at the heart of both the risk and the opportunity and solution around what we’re facing right now. But I want to talk a little bit about that. So when you’re working with clients or you’re working with other organizations and leaders, what are the types of skills that are required from our people now to really be able to handle these risks and be able to meet the moment and adapt to what’s coming at us?
Steve Durbin 09:26
Yeah, you know, again, if you look at it through the security lens, and just go back not that many years, and actually, you still see it today, when people are advertising for, say, a chief information security officer, you know, they want somebody who’s in their 30s with 40 years’ experience, you know, completely unrealistic. The reality of the matter, I would say, is what you’re looking for is people who are naturally curious, people who are able to bring different elements of the business to the room. Risk challenge, who are going to be able to contextualize it, ground it, convey the risk in a language that people not just understand but buy into. Because ultimately, of course, what you’re trying to do when you identify a risk of some sort is to put in place some kind of mitigation, whether that be a plan for the day that you hope never comes, or whether it be a real mitigation plan for something that needs to be addressed in the here and now. Inevitably, you’re going to have to sell that message to somebody, and you’re going to have to support them through the implementation of whatever that project or plan happens to look like. So if you struggle stringing two words together, you’re going to be up against it. And again, that’s stating the bleeding obvious. But so often I see organizations still, you know, trying to entrust some fairly sophisticated people interactions to people that are probably best suited to really working with the machines, working with the technology, doing all of the great things that need to be done in that space. So it’s about really understanding, I think, who is best placed to deal with the challenge, the issue that you have, and making sure that you’ve got your best players on the field at the right time, and that is, you know, I suppose, the biggest job of any senior executive.
It always makes me smile, because if you talk to anybody who’s you know, going through the career, going up the career ladder, they’ll always say they want to manage people. Now, that seems to be the whole sort of goal, doesn’t it? You know, I’ve got to manage people. I’ve really arrived when I manage people. And it’s interesting, you know, you talk to some of them after they’ve been doing that for a short while, and they wish they’d never started, because people are just hugely difficult, yeah, to manage, yeah. And if you get it right, it’s immensely rewarding. But, you know, it has its ups and downs.
Maria Ross 12:01
Well, I think, you know, we talk a lot on the show on the difference between management and leadership, and managers really manage tasks. Leaders can empower people. And I love, of course, I love what you’re saying, because that’s why you’re on the show. But it’s this idea of being a leader who can listen, curiosity. The number one trait of empathic leaders, the number one trait of empathic people is your ability to put your ego aside and listen and understand that there might be a different perspective, there might be a different point of view. And this is really that, you know, what you’re saying is really that tie-in and making that business case for diversity and inclusion, because when we have people with different points of view, we might see risks we would have missed, or we might uncover opportunities that we overlooked, because people have a different vantage point. And so being a leader, well, I love what you’re saying about this idea of being a leader who can listen, who can be curious. But also to your other point, this is speaking straight to my brand strategist heart, is the ability to articulate that message. And this is why clarity is actually an element and a marker of empathy. When you can really be clear with someone, you can hold someone accountable to an expectation that you’ve clearly set. And to your point, being able to clearly articulate the risk, being able to clearly articulate the mitigation strategy and get people’s buy-in is so crucial, and we tend to skip that when we’re hiring for the resume, or we’re hiring for the university somebody attended.
We really need to be a little bit better in the hiring process of looking at a leader in terms of how do they interact with people, because that’s where the empathy comes in, and that’s where, you know, it’s confident empathy, it’s not strong empathy, but it’s this idea that I can actually listen and I can adapt to the people in front of me based on their needs and based on how they can best receive a message. So I love that you’re saying this.
Steve Durbin 13:53
You know, and Maria, I think you’re absolutely spot on. You know, for me, the best leaders understand that they need to explain the why. Why does somebody have to do something? And all too often, I think, you know, you come across some leaders who perhaps have forgotten that that’s what their role is. And you know, you sort of veer towards the dictator leader, the sort of command and control leader. And you know, that has its place. And from time to time, we will, all, you know, flip into that because we’re that’s appropriate for that point in time. But I do think that increasingly, and this is very, very true in the security space. You know, we talk so much in security about the need for increased awareness. Well, you increase awareness by explaining why people need to be aware, yeah, why they should care. Exactly. And you may have to make it personal, yeah. And so I think that, you know, this isn’t some sort of, you know, fluffy leadership, it’s actually exceptionally practical efficiency. Yes, and has been shown to work. And that is the message, I think, that sometimes it’s very easy to lose sight of, you know, as you sort of, you know, elevate to the busy heights of running an organization, you know, you forget you actually need to put people around you as well who are just going to nudge you and remind you, right, why you’re there.
Maria Ross 15:22
That’s huge reason. Yeah. I mean, in my most recent book, The Empathy Dilemma, when I talk about the five pillars of being both an effective and an empathetic leader, within clarity is a tactic of building a culture of why, being able to explain to people, and it’s not coddling. It’s not, you know, I laugh when I hear these leaders say, like, well, I just need to tell them what to do, and they should just do it, you know, yes. And if you want your people running at full capacity and optimize their contribution to what you’re doing, give them a reason why. This is why purpose-driven organizations do so well, is because you’re giving people a reason to perform, a reason to innovate, a reason to think about it, and a reason to accept, even if it’s a decision they don’t like or agree with, you’re at least giving them a reason to say, okay, I don’t really agree with it, but I kind of get it. I understand why we need to do this and why it’s important, and that, you know, follow the data, follow the research on that, boosts engagement and performance and innovation and all of those things within a culture. But I love your perspective, because you know, a lot of what I talk about is related to how empathy is practical within the workplace and how it actually enhances the bottom line. And you know, nothing to me is more practical than security and risk. There’s nothing more sort of data-driven and analytical to me as a very right-brain thinker. So I love that you’re tying this to the importance of, if you want to manage and mitigate risk effectively, it still has to come down to your people. And you said something earlier that I kind of chuckled at inside, because I do a lot of talks now around the role of empathetic leadership in the age of AI. And you talked about, you know, it’s not the machine or the algorithm that’s going to solve your security problem or that’s going to solve your risk problem, it’s your people.
So as you’re working with leaders, now, how are you finding their reception to that message? Do they get it? Do some of them still need to kind of connect the dots around the fact that they do need to be more of a people-centered leader in order to mitigate risk and to keep their organization secure? What’s sort of the consensus you’re finding within the executives that you talk to?
Steve Durbin 17:32
I think the consensus is that people are finding it really tough. You know, the world is not in a great place. There is a need for increased agility from an organization to be able to respond to things that change on a very, very regular basis. You know, whether that be the implementation of tariffs, whether it be the outbreak of war, whether it be the implications that that conflict might have on the supply chain, whether it may be a whole range of different things that are, you know, hitting leaders and their businesses. And yes, you know, particularly the C-suite, the board, obviously, they have to continue to meet the expectations of the stakeholders, the shareholders, the employees. So it’s an immensely stressful time at the moment. And so I think that even the best the most, the leaders that get it the most when it comes to the need for some of these things we’re talking about, even they are going to fall off the wagon from time to time. And I think that’s okay. I think one of the things that you have to, one of the most difficult things that the leader has to do is to allow himself or herself the space to get it wrong. It doesn’t matter if you get it wrong. What’s important is how you make it right. And that, I think, is the sort of the dawning realization that we’re starting to see with some fairly advanced thinkers in that space. But there are so many different elements to consider, you know, because if you’re a fairly traditional organization, maybe family run, always behaved in a certain way, you know, my way or the highway, you know, then bringing in some of these concepts, perhaps a little alien, much easier, perhaps, if you’re entrepreneurial, fast growth startup, because you can, you don’t have any baggage, right?
I think it’s really interesting to see, and you’ve probably done this, you know, to sort of categorize, not in a destructive way, but to categorize some of the leaders that we’re seeing at the moment who are dealing with just the post pandemic. You know, this shift from perhaps, well, you could all work at home, now, you all need to work in the office. And you know, there’s, it doesn’t seem to be a massive amount of halfway house in some of these things, right? And again, for me, I think these are not some of the issues. The issues should be, what is in the best interest of providing the service, the product, to the client base. How are you going to get the best from your employees in doing that? And then let’s worry about whether or not they ought to be in one big, multi-story building, right, or spread around the world, right? And I think all too often that piece sometimes is missed because we can become so dogmatic about it, you know, and people will always want to know why it is that Susan can work from home, whilst Thelma has to go into the office, yeah, all of this sort of thing. And you can get caught up. Yes, meaningless debate was, if you start, if you go back to the why, you know, why it’s important for people to work collectively together. You know, is that the best way of doing it? And if so, well, then actually, this discussion about whether or not I have to go into work or work from home, I find tends to go away, of course. One example that I’ve observed,
Maria Ross 21:19
Yeah, I mean, it’s, I call this the snap back to bossism, post pandemic. It’s like some leaders who are saying, you had your fun being treated like humans. Now it’s time to get back to work. And I believe a lot of that is from fear. I do a lot of talks and a lot of advising around this. It’s that it’s the companies, I’ve had folks on my show, where it’s the companies that have an experimental mindset of work has changed. We’re not going back. People have seen what they’ve been capable of doing in a different work structure, and we’re not going back. So instead of fighting it because our leaders are just too scared or don’t trust their people enough, if they’re not, they can’t see them for the entire work day and have them all within the same four walls. Let’s experiment with different ways of doing this. And let’s, because nobody has it figured out. I spoke to the CHRO of Box, and they’re doing a lot of experimentation around this, and they’re like she said, you know, show me someone who actually has this on lock, who understands what they’re doing. We’re all learning as we go, and we have to have that experimental mindset of we tried it this way. Here’s what went well. Here’s what didn’t. We listened to our employees. We measured productivity. We measured sentiment, you know, and they’re constantly tweaking and tuning to see where they can land on this. Versus a leader who’s just like, I don’t want to learn how to lead in a new way. I want to go back to the way things were, because that’s where I’m comfortable. And so everybody needs to be back in the office, even if it doesn’t necessarily make sense. And so, you know, talk about risk. You risk losing your best people, if you’re not willing to sort of adapt to how things need to get done. But I love the way you just, you narrowed it down.
And this is what I try to always get them to think about, is what is going to be best for the organization and our customers or clients, or whoever our constituents and stakeholders are. That’s what it comes down to. And if we have leaders who are unsure or afraid of leading in a hybrid environment or a remote environment, we need to upskill them, like to me, you know, again, you and me, it kind of seems very simple, but it’s very hard to do in practice, I think for people, and a lot of it is based in fear. Would you agree?
Steve Durbin 23:30
I would, and I think the other thing I would say to that is that it’s never going to stay static anyway, exactly. So you can come up with the finest blueprint for what the world might look like, and tomorrow, all gets torn up because something else happens. So the key to it all, I think, is agility, this ability to allow experimentation. You know, if I look at, you know, my own business, how we operate. We try to do the right thing. If it’s appropriate to have people working together in one location for a reason, we do it. If it isn’t, we don’t. I mean, I do remember post pandemic saying to people, you know, the last thing I wanted was for them to be wasting, you know, three hours a day commuting, since, right, we perfected the art of remote working. That being said, if you actually need to get in a room with someone, right, brainstorm on a flip chart, then, you know, then do it. Yeah. And so allowing people, I think, to make the right call based on what’s needed at the time, without being constrained by some of these things. It is, I think, the real art of the leader when it comes to that kind of creation of the environment. But I think you’re right. I think there is so much fear out there of getting it wrong, you know. And I suppose, think if we look at turnover rates, you know, I mean, I don’t know what the life expectancy of a chief executive is in an organization, it’s not that long now, you know, nor is it for, say, a CMO, whereas CHROs tend to stay around a little bit longer. But you’re at the C-suite, you know, you’re not there for a great deal of time. And if you go into security, then I think it’s down to something like 12 to 18 months, which is just crazy.
Maria Ross 25:23
Yeah, I was just on a, like a think tank call yesterday, and someone actually had that data around what the average tenure of a CEO was 10 or 20 years ago, and what it is now, and it’s definitely gone down. And I know, you know, from my proximity to CMOs, for example, that tenure, at least in tech, is approximately 18 months. Yeah, so, yeah, it’s not a long time. And so again, you’re constantly shifting. And this kind of leads me to a question, kind of an organic question here is, how do you balance that constant change and that need for experimentation from the vantage point of being able to manage security and risk? So if you’ve got your chief security officer, you’ve got your risk compliance officer, experimentation is not necessarily their friend all the time. So how do you balance that within a culture of being comfortable with experimentation and design thinking, with keeping the organization locked down and safe?
Steve Durbin 26:19
Yeah. I mean, the last thing you want is to have somebody who’s playing around with, let’s try this security protocol today, and if it doesn’t work, well, you know, we’ll try different
Maria Ross 26:30
Exactly, exactly, especially with a remote or a hybrid workforce.
Steve Durbin 26:33
You know. Well, exactly. Yeah, exactly. No, I think that in that instance, you know, it comes down to more of a sort of philosophical discussion around what is the role of security? And for me, the role of security is to support the business to achieve its objectives in a safe manner, so that when things go wrong, the organization is sufficiently resilient that it doesn’t suffer as badly as it would have done without you. Now, that is a very different approach to security, I think, in terms of the definition of it. And I’m sure that, you know, some of our members listening to this will think I’ve lost the plot, but I do actually believe that’s what it’s becoming. And I think successful CISOs get that. They get that they are there to support the business. They’re not there to prevent the business doing things. They’re there to provide advice, guidance, to consult with the business as to what might look, you know, good for them, and to understand the risk associated with some of the different elements that they’re implementing. So, you know, I use myself as an example. So I travel a fair amount. I’m also targeted on a regular basis with phishing attacks and all of the things that mostly, it’s not new news, is it? In order to manage and mitigate that risk, if I’m traveling, I don’t have access to any of our sensitive corporate systems at my email, but that’s it. So I can’t access the HR system or the, you know, payroll, and I can’t access payroll anyway. Actually, I don’t need to ifd does that, but so I’ve stripped back very deliberately what I can access as a means of managing my risk profile when I’m traveling to the extent that I do obviously want to make office different matter. So that’s something that’s very simple, and yes, I had to change the way that I worked slightly to accommodate that, but it’s a very effective and efficient way of working.
What it also does, which I think is really good, is it means that other members of my team have to pick up certain things, so I’m no longer this single point of failure, right? And I like to think they like it because it means
Maria Ross 29:08
Distributed management, yes.
Steve Durbin 29:12
But by doing that, what you’re also doing is introducing a higher degree of transparency so people can see why things are happening or why we want to do what we’re intending to do, and they’ve got first-hand experience of some of that. And so gradually as well, what that produces is a much flatter organization and a much broader opportunity for people to have sensible conversations about the importance of certain risk elements, or indeed about the business as a whole, right, more ideas as to how you might change, as to how you might more effective, and so the benefits that you begin to see from a very simple decision that was taken because I was really actually fed up of every time I went to the US, my credit card was, the details were stolen. You know, I’d have had much phishing. It was particular part, and so it was just brought about by that. The benefits that we’ve seen as a result, I would never have anticipated. And you know, if we’d sat down in a room and tried to come up with them, we would have been a waste of time. So I think that, again, just being open to introducing more agility, difference, change, trying something, you know, one of my biggest frustrations is that we’re not, people don’t try new things often enough, right? Within a sandbox type environment, you have to have guardrails, yeah, of course, yes. And so in security, I think there’s an immense amount of opportunity for people to think differently in terms of raising levels of awareness. There’s also a need for some fairly locked down protocols, processes that are in line with standards, because that just makes a lot of sense, right? And I think that the trick, from the CISO perspective, running a security department is make sure you’ve got the right people doing the right things, and yeah, and yeah, and just to help communicate those
Maria Ross 31:23
and that, you know, that’s what my work is all about, is that the old leadership paradigm is dying. And, you know, you made a point earlier about command and control. I’ve had several military leaders on this show where they talk about command and control works in the heat of battle. We’re not in the heat of battle, 24/7, in an organization. So then it doesn’t work. We need more collaborative. We need more partnering with versus powering over in order to get the best results. And so that example that you’re talking about is really an idea of you’ve got to let go as a leader. You are not going to be able to control everything, you’ve got to be able to create a culture where you’re empowering people to do their part, and you’re collaborating, you’re listening. We talked earlier about getting curious, but that kind of, you know, risk mitigation that you’re talking about in that example doesn’t happen if you’re trying to hold everything close to you as a leader. We’ve got to be able to trust, we’ve got to be secure enough and confident enough in our own abilities that we know we’re bringing in a team that will give us different perspectives, may challenge us on occasion because of the place where they sit and the vantage point that they have. So I love what you’re saying, because that’s a very practical example of where some leaders might have a hard time letting go of the control.
Steve Durbin 32:47
Yeah. So I think that’s right. And I think, you know, again, back in that whole security space, you know, I’m a big fan of running cyber simulation exercises, business continuity planning, for want of a better description. You know, when an incident happens, that is not the time to be freestyling,
Maria Ross 33:06
exactly. That’s the time that might be the time for command and control. Yeah, that is the time, yeah.
Steve Durbin 33:12
But when you are rehearsing, when you were going through a simulation exercise, and that is the time for just playing with it a little bit, you know, analyzing. How did that go? How do we compare with other organizations? You know, is this what good really looks like? How did you know what went wrong? So I think that, again, creating the space for play has benefits, even if you’re going to ultimately be in a command and control situation, right? Don’t want people to be fiddling about with things in that scenario, you don’t have the time. It’s too, you know, high octane. It’s too stressful.
Maria Ross 33:51
Absolutely, absolutely. So as we kind of wrap up, I wanted to ask you a question about navigating division in the workplace. So you kind of could look at division in the workplace as a risk, as a risk to the business, as a risk to it being fulfilling its mission, fulfilling its purpose, and serving its stakeholders. But where does navigating division in the workplace? Does that fall under for you? Does that fall under the category of risk? Is that something that a Risk Officer or CISO or somebody like that should even be concerned about? Are they just concerned about technological risk and environmental risk?
Steve Durbin 34:33
I’m not sure that I understand what navigating division means, to be honest.
Maria Ross 34:36
Okay, so navigating conflict and navigating maybe potentially culture rifts within your organization. For the example we were talking about earlier, if you’ve got a mutiny on your hands because of return to office policies where those have actually been done intentionally and thoughtfully, let’s say, in this fictitious scenario we’re talking about, is that actually something in the purview of a compliance officer, of a risk officer, or does that still sit squarely in HR?
Steve Durbin 35:04
I think it has to sit squarely in HR, okay. I mean, I think that there is also a bit of a tendency that we need to avoid, of thinking that the higher you go in the organization, you have this ability to do everything. You’re omniscient, omnipotent, and you’re not, and I firmly believe that you know, certainly, again, if we look at my own organization, my CHRO is far better placed to deal with all of those sorts of things than I will ever be or any of my other senior leadership team. However, I would not expect her to do the job of the CTO, because the CTO is there to do that job. So I think it’s about people understanding the lanes that they must stay within, their
Maria Ross 35:53
zones of genius. Exactly.
Steve Durbin 35:54
That’s a great way of describing it, yeah. And also understanding that by cross communicating, they’re going to be better than just handing down these sort of edicts as to how we should do. Some of the things that drive me crazy, you know, is when people implement bits of technology and they don’t explain why. I’m a big sort of why thing, I’ve always, I love it in my thing, right from when I was a child, you know, I always probably don’t know why I should do something
Maria Ross 36:21
You and every other child in the world? Yes, absolutely.
Steve Durbin 36:26
And it just, it’s just sort of stayed with me. And I think that you can solve so many problems by explaining things better at the beginning and getting the right people involved who actually know what they’re talking about, who are being, you know, paid to do that job, rather than somebody coming up with a better idea. And this applies to business with security and security with business as well. It’s throughout. It permeates the organization.
Maria Ross 36:52
Would you go so far as to say that having a CEO who doesn’t think that way is a risk to the organization?
Steve Durbin 37:00
I think it is today. Yeah, I think it is today. That’s not to say that they don’t exist. I mean, there are plenty of them out there. I mean, we can look at many examples. Yes, exactly. But I think if you’re going to endure, if you’re going to be successful, you know, we touched on earlier the fact that CEOs don’t stay around for very long. So from a board standpoint, there’s always a risk when you hire a new CEO, that you can do all of the diligence until the person hits the ground. You’re never going to know whether they’re going to make it or not make it. You want to try to keep them for as long as possible. And I think that the ones that will endure in the future will have this ability to be much more flexible, agile, call it what you will, have a much broader perspective than perhaps some of the more traditional ones that we’ve still got in place. And the challenge, I think, there, is it’s just something else that we’re expecting the CEO to do, in addition to managing the shareholders, you know, there’s the stock price and all of those sorts of things. And, you know, I don’t want to come across some sort of bleeding heart, but it’s a pretty lonely, old job as well. You know, not many people who really want to, lots of people who really think they would want to be it, yeah, CEO, fantastic. But actually, it’s probably, you know, one of the most lonely jobs. Yes, when it’s going well, fantastic. Yeah, when it isn’t, then you know, you’re on your own, right,
Maria Ross 38:31
right? Well, that’s why many of the successful CEOs I’ve spoken to and advised, they are part of accountability circles. They’re part of peer support groups. They’re part of, work, you know, places and spaces where they can feel less lonely and also sanity check themselves. So and they’re the ones that tend to be more empathetic and agile CEOs, because they know I don’t have all the answers. You wouldn’t be going to an accountability or group or support group or peer group if you thought you had all the answers, you’d think you wouldn’t need it. So the ones that I find are most successful, and they’re balancing that performance, that high performance, with empathetic and people centered leadership, are the ones who are willing to put their ego aside and say, I still always have more to learn. And that’s how they also feel less lonely. To your point is they try to surround themselves with other people that can help them grow and help them learn.
Steve Durbin 39:23
Yeah, absolutely. I think you have to have people around you who are not afraid to challenge, from whom you can grow. You can pick up different things. And, you know, I think in every interaction, there are things that you can learn. I mean, my favorite is actually spending time with some of the much graduates and things that might join us, because they great perspective. They’re not, they’re totally unencumbered, right? Corporate politics and nonsense, and it just, they just call it as it is, you know? And they’ve got great ideas, yeah. So I love being able to try to create space for some of that and just let them try it.
Maria Ross 40:05
I love that. Well, this has been such a great conversation. Steve, thank you so much for your insights and for really helping us understand. You know, what I’m taking away from this is actually it is a risk to your organization if your leadership can’t be agile and can’t be people focused, like that’s sort of one of my headline takeaways from today. So thank you so much. We are going to have all your links in the show notes for folks, but for anyone on the go right now, where’s the best place they can find out more about you and your work?
Steve Durbin 40:33
Oh, the easiest one is obviously LinkedIn. People can find me on that. Specifically around what I do, what the ISF does, then again, if they go along to our website, which is securityforum.org, then my details are there. Fantastic. Either way,
Maria Ross 40:52
great, securityforum.org. Well, thank you so much for your time today. It was a pleasure to connect. No, nice talking to you, Maria. And thank you everyone for listening to another episode of the Empathy Edge podcast. If you like what you heard, you know what to do. Please rate and review and share it with a friend or a colleague, and until next time, please remember that cash flow, creativity and compassion are not mutually exclusive. Take care and be kind. For more on how to achieve radical success through empathy, visit theempathyedge.com. There you can listen to past episodes, access show notes and free resources, book me for a keynote or workshop, and sign up for our email list to get new episodes, insights, news and events. Please follow me on Instagram at @redslicemaria. Never forget, empathy is your superpower. Use it to make your work and the world a better place.


