Manager or Leader? I’ll Take The Third Option Please

Have you ever noticed that a lot of organisations purporting to embrace change and innovation end up hiring the same type of people who are the majority cause of their current challenges?

‘Talent acquisition’ is much like the famous [mis]quote by Henry Ford; “If I’d asked my customers what they wanted, they’d have said a faster horse.” By sticking to standard job descriptions and not looking for PEOPLE to fulfill the leadership’s vision, companies will get what they ask for, and not what they need.

I’ve never seen a job description yet (that wasn’t written by me, FOR me) that did not set me up for failure before I even began. There are people much better at certain things than me, and who may actually enjoy doing them, why would you give those things to me?

Worst of all, above a certain level of seniority, you wind up being lumped into one of two categories, and if you’re REALLY unlucky, both; Leader and/or Manager.

What if you’re neither?

Here’s a little experiment I conducted:

I typed; “books on leadership” into Google and got >271,000,000 hits. If even 0.1% of those are ACTUAL books, that’s 271,000 books on leadership, some of which may even have been written by a true leader. Possible, but unlikely.

Then I typed “books on being a manager” and got >170,000,000 hits. If I apply the same criteria as above, that’s another 170,000 books to plough through.

Finally, I typed “books for neither a manager or a leader” and these are the top 5 hits;

  1. 3 Things That Separate Leaders From Managers – Business Insider
  2. Managers and Leaders: Are They Different? – Harvard Business Review
  3. Why All Managers Must Be Leaders – Forbes
  4. Leaders and managers, leadership and management … – CIPD Courses
  5. Why Managers Can’t Lead and Leaders Can’t Manage

OK, so I’ve completely tipped this in favour of the point I’m trying to make, but not ONE article on the first 5 pages of hits gets close to what I’m saying, which is;

People who are very good at what they do don’t need to be a Leader or a Manager, they need a great leader in whom to believe, and great managers to get the right people on board.

My favourite phrase on leadership is; “Leaders are like eagles, we don’t have either of them here.” The same could be said for managers; both leadership and managing people are talents, not skills, and the really good ones are equally rare.

What if the skills you need, even temporarily, are actually in someone who’s neither? The odds are they are not, well, not good ones at least.

A good leader has specific attributes that VERY few people have (hence LEADer I suppose), and I truly believe leadership is not something you can learn.

A good manager is, to me, someone who can recognise the talents and skills you HAVE, not the ones they either a) think you might have, or b) want you to have, or c) need you to have for the job at hand.

Focusing on these 2 senior-level talents ignores the vast array of other available talents that require neither of these attributes to provide enormous benefit. Call them subject matter experts, gurus, trusted advisors, or a whole host of meaninglessly clichéd names, what you get is the same; someone who can take the leader’s vision, and translate it into something the managers can act upon. Leaders usually can’t manage, managers should rarely lead, and neither has the necessary talents / skills / knowledge to bring the vision to life.

So if you have failed at fulfilling either of these roles (as I have many times), maybe they are not for you. But what you DO have could be of equal importance, if you know what it is.

No one likes to think they’re not a good fit for a senior position, but there’s little reason to extrapolate one or two bad ‘corporate’ fits into the rejection of an entire line of opportunities. Just make damned sure you ask the right questions up front. No, you can’t guarantee an honest answer, but hopefully you’ll know pretty quickly if they sold you down the river.

Agile + Lean + No Vision = ?

In the digital age, the need to transform your business in the face of competition is only going to become more important, and more difficult. Start-ups can build all of this in from the beginning, and have a whole host of success and horror stories from which to choose their inspiration. Large organisations that have developed slowly over time do not have this luxury, but the fear of ‘disruption’ has them mad-scrambling looking for a way forward.

Increasingly, they are turning to Agile and Lean as ways to kickstart their business transformation efforts.

Let me be clear, I have nothing against either of these tools, but that is all they are; tools. They are a means to the end, not the end itself, and over-reliance ON the tools will eventually lead you astray. Unless the business goals drive the tool choice, and NEVER the other way around, all the action items in the world won’t get you where you need to be.

This requires a Vision.

And not just one vision, you need a vision per department. There’s no point trying to promote change when your HR department still hires people in exactly the same way, and is looking for the exact same ‘corporate fit’. What you’ve always had got you here, only something else will get you somewhere different.

In security, for example, a vision statement goes something like; “We will provide world-class defence for all information assets to enable and optimise all corporate goals and exceed client expectations.”

There are millions of these vision STATEMENTS out there, but three things that a lot of organisations who tout them seem to lack are; a) an understanding of what “defence for information assets” actually entails, b) what the most important things are to the foundation of such an effort, and c) the ability to execute that plan at the right level.

For example; Everyone who’s been in security for more than 5 minutes should know that without a policy framework, you have nothing to build your security program on. You then work out very quickly that any policy framework not signed and evangelised from the highest levels of an organisation will be basically ignored. An information security policy framework (ISPF) signed by the CSO is unlikely to be followed wholeheartedly by the other C-levels, an ISPF signed by the CEO will.

Quick Advice: If you’re a security expert, never work for someone who is not prepared to at least ask the CEO to sign something, especially policies, it’s just not worth it.

It is very easy to bandy words like Agile and Lean around, especially if you’re the one doing the delegating, but it’s very difficult to LEAD a team when you yourself either haven’t defined what your vision looks like, or worse, you don’t have one and you simply regurgitate things you’ve just read in a book.

Frantic energy expended on a series of action items [Agile] assigned to a few key people [Lean] is one thing, doing this with a vision of what SHOULD be is quite another.

If You Get Hacked, Blame Your CEO

According to statistics that I’ve just made up, less than [cough]% of all breaches are the result of a determined / planned attack, the remaining [mumble]% are the result of inadequate security of one sort or another.

The second sort is the overwhelming majority, but yes, I do need to start doing proper research.

My proposition is simple:

  1. CEO doesn’t care = no-one else cares.
  2. CEO ignores security = everyone else ignores security.
  3. CEO is passive-aggressive and devoid of charisma = he / she will surround themselves with talentless sycophants…

…you get the point.

I am always amazed that the kind of people who have the ability to either raise themselves to the top position, or start their own company, are often completely incapable of using their enormous influence to an end that has value and meaning.  Well, beyond the self-serving kind anyway.

My absolute favourite Demotivator is this one;



Like most humour, it’s only funny if it’s at least partially true. Sadly, this is the case for many organisations in terms of leadership in the realm of security.

As I have stated WAY too many times now;

Let’s be very clear; The CEO sets the tone for the entire company: its vision, its values, its direction, and its priorities. If the organisation fails to achieve [enter any goal here], it’s the CEO’s fault, and no-one else’s.

I can think of one very good example in my own experience where the CEO actually takes time out of their busy schedule to RUN the PCI assessment every year.  Of course she delegates the detail to her team, but she remains the focal point for communication and issues, and gets her hands dirty every day ensuring that her entire company takes security as seriously as she does.  The result is that they achieve compliance every year with a minimum of ADDITIONAL effort beyond their business as usual processes.

Unfortunately in this case her chosen consulting company also sold her a bunch of their crappy products that cause never-ending grief, but that’s life.

Despite all of the articles I’ve written on a variety of subjects, I really only have one goal for this blog; to change the perception of what security is, and what it can do for a business.

Security started out on the wrong foot by being lumped in with IT, who were already seen almost as a necessary evil. I guess it’s kinda like Scotty in Star Trek, he has saved their skins a thousand times by “giving ‘er all she’s got” but it’s always Kirk who gets the glory.  And yes, I’m very aware I just completely stereotyped myself.

In reality, no other department in an organisation has a better idea of exactly HOW they do business.  Every server, laptop, mobile phone (pre-BYOD), database and application is maintained by IT, and all of THAT is under the purview of security whose job it is to make sure it stays available and accurate.  But that’s just the beginning, it’s what the security folks can do WITH that knowledge that brings the real benefits (see How Information Security Enables Transformational Change for one such example).

The challenge I face however, is that the benefits will only ever be achieved if the CEO supports it.  Nothing happens without them, and seeing as I’m just in security, you can imagine how many CEOs I get in front of.

Still, a goal is a goal.