Paul Perini, Belco Community Credit Union, on the Business of Security Leadership
- The qualities an information security leader needs to possess in order to be a successful business leader;
- How to avoid getting sucked into the IT weeds;
- The skills one needs to develop in a business-focused security organization;
- How to groom an IT or security team to be more strategic.
TOM FIELD: Hi, this is Tom Field with Information Security Media Group. Today we are going to discuss a topic I call the "Business of Security Leadership," and we are talking about this with Paul Perini, Vice President of Information Services at Belco Community Credit Union in Harrisburg, Pennsylvania. Paul, thanks so much for joining me today.
PAUL PERINI: Oh, you are quite welcome, Tom. My pleasure.
FIELD: Now, we've talked about this a little bit in the past, and what I would like to get from you is the sense of what are the qualities that an information security leader needs to possess in order to be a successful business leader?
PERINI: That's a very good question, Tom. I mean, off the top of my head, I would say there are three to four essential qualities that a leader needs. The ability to see the bigger picture is the first one that comes to mind. Most times information being protected -- if we are talking specifically about info security -- information that is being protected is not related specifically to security. It is related to some non-technical industry. For example, at the credit union as a senior leader, I work obviously in the financial services industry. It is my responsibility to look at the idea of protecting information, whether it is password, pin numbers, credit card numbers, etc. and understand that it relates to financial services -- not necessarily IT as it is usually defined. What I must do then as the leader is to help determine how information security fits within the industry for which I work. I need to answer certain questions. Can info security give my organization a competitive edge? Does it protect the organization from regulatory scrutiny? Does it allow us to focus our efforts on other things that complement our industry? What are the consequences of security problems? Will it or can it lose the credit union member? Will it or can it cost the credit union huge dollars if we don't focus on information securities? So it is, whether it's information security or it's just IS in general, it is really determining how that piece of the industry fits within the industry. That goes hand in hand with the ability to work towards an end goal. A lot of times, people whether they are leaders or report to a leader, they forget about the end goal. They get lost in the technology of information security, and they forget the purpose that their industry is here. In my case, we are here to provide service to our members/customers both internal and external. That is my end goal. 
So that is where I need to step out of the technical piece and say again, how does information security impact the service that I provide to my members? A couple other qualities a leader needs are qualities that all leaders need. Trust, the ability to delegate -- and those kind of go hand in hand. If I don't trust my employees to do what needs to be done, it is very difficult for me to delegate to them. I am a very firm believer that there is a difference between delegation and passing the buck. Delegation in its truest form means allowing the employees that report to you to accomplish things. I guide the process, the employees and technical experts complete task projects and then processes.
And lastly, if I had to pick another one it would probably be judgment. A leader again, whether it's information security or any other leader, needs to have the ability to weigh all the available options and choose a course of action that is most appropriate. Security decisions have long-reaching effects on an organization, as well as on our credit union members. So, I need to answer certain questions like, say, 'How much are members willing to go through for increase in security?' I have to weigh the hoops and the hurdles versus the necessary steps. Again, it's stepping out of the technical mind set and looking at it for the end result, which is the service to the members and trying to bring it all together to make business decisions that are best for us and for our customers or members.
FIELD: Paul, that is a good thoughtful answer. Let me ask you, how about your own leadership experience. What were your key challenges coming up through the ranks and becoming a leader?
PERINI: My challenges were probably somewhat unique, as my experience was. I came into the IT environment with little technical background. I have a Mathematics degree from Milledgeville University here in Lancaster, Penn., and so my background was not in IT. It was in the management aspect of financial services. It actually was coming here that background has let me see the bigger picture. While seeing the bigger picture, it also means I don't have the technical background or expertise of the employees that I am leading. Right away that may seem a negative, for me it's been more of a positive. So it is not necessarily a challenge, it's just the way that I have to deal with things here. I am not the person that has the ability to do the things to get the solutions. I need to facilitate getting the solutions. However, even though I am not the one providing the deliverables, every position has what we would call "deliverables". Those are the things that are expected of you from the organizations. So, the challenge that I have, or that most leaders are going to have, is to understand what your variables are and to be comfortable with what you are expected to deliver. So, as a leader it's my responsibility to deliver quality products, and in this case it is the products that protect the organization's infrastructure, everything it contains so it goes back right to information security.
The solution for me is to commit to my deliverables and ensure that my efforts are in line with what is expected of me. It allows me to oversee tangible deliverables, but also understand that overseeing that and constantly facilitating those deliverables is what is expected of me. So, in essence that is what I am expected to do. That is my deliverable to the organization.
Another challenge is constantly developing my employees. A leader, in my opinion, is only as good as the employees that he or she leads. So, I need to constantly develop my employees, not only as future leaders of the organization, but also as it relates to information security, I have to continuously develop the employees as part of the security program. It is the greatest and most difficult deliverable that a leader can provide because the rewards, while greater than tangible rewards that come from content deliverables or daily deliverables as products and applications, delivering (if that is the right word) an employee who is more developed because of your interaction has greater rewards. However, that comes fewer and farther in between than it does with applications and software deliverables.
FIELD: So, day to day, Paul, how do you avoid getting sucked into the IT weeds? Is it as simple as that you don't have sort of the capabilities to get sucked into the IT weeds? You have people to do that for you?
PERINI: I would certainly hope that in the six years that I've been here that I'm not still where I was when I came. But the ability exists on a daily basis for me to get sucked in to the weeds. And the reason for that is while I didn't have the background; my mindset is still with the math interest and major. It's the analytical mindset that a lot of the people that report to me have. So, when you fall back into that mindset as I often do, and it's one of my challenges I didn't mention, but it's easy to fall back and try to find deliverables that are easier to accomplish and have that, you kind of use that as your statement of why you are here and what you do. Like for example, I enjoy new applications just like the people that report to me, and I learn them. Well, the problem with that is then I like to get sucked back into the weeds and do those things, whether it's creating a report, working with secret databases that sort of thing and saying, "Oh look here it is. This is what I produced for you." That is very easy to do, but that is not what I'm expected to do. So to answer your question about how do I avoid getting sucked into the weeds, first and foremost it's creating an environment where everyone understands and accepts their roles. Once everyone understands their roles, you empower them to do their job. So for example, my employees know that they are, what their roles are, what is expected of them much like I know what is expected of me, and then they are now empowered. I delegate to them. I trust that they will do what is expected of them, so they are empowered to do their jobs. What that gives me is, while it is easy for me to get pulled into the weeds, I don't get too many occurrences for it to happen, because the employees that report to me are kind of my safety net to make sure that doesn't happen. They know what to bring me and what not to bring me. If it is assistance or being a resource to them for more technical application, then that is fine. 
But a lot of the assignments that would pull me back into the weeds don't come to me in the first place because the employees understand that it is their responsibility to take those.
As a second piece, what I tend to do is I continually question what I'm doing and what is being asked of me. Like every other employee in our organization, I have a position description that clearly outlines what is expected of me. I am evaluated on it. It's constantly changing, but it still stays at the leadership level. So, the position description is developed in such a way that I spend the bulk of my time on bigger issues and not on the day to day functions of the IS area. It is also created where it outlines how my position is to benefit the organization. So, again it is at the higher level, it's overseeing the tactical and the technical pieces that are done by department. The position description for me drives what I should be doing on a daily basis. The words that I've been using like to delegate, empower, trust are in the position description. It is responsible for oversight of words such as that. So, again it's very easy to forget that and do what is asked of you because when you work, unless you work by yourself and don't have access to any public people at all, you get asked to do certain things that you know are not your responsibility that someone else should be doing. So, to take that to be able to ask yourself, 'Is this the best use of my time based on what I know is expected of me from the organization?'
And then lastly, a leader has to create a team that responds well to both opportunities and emergencies, because it is easier to stay out of the weeds and do what is expected of you when things are going well. But you have to constantly work with the team to develop them to the point where whether it's good times, bad times or chaos, they are going to react in the same manner at the same levels and get the things done that need to be done. That goes back to preparation, testing, working with employees, one on one meetings. The ease with which your team handles emergency is decided long before the emergency strikes. It's creating a well-prepared team. It's letting them determine what they need to do in these situations prior to the situations arising, and then in turn it means them and you fulfilling the same roles in your organization, whether it's during emergency or during the normal business day.
FIELD: So Paul, we've talked a lot about sort of staff development. What are the sort of skills that you need in your staff to support you in your work?
PERINI: As I mentioned, obviously I need technical skills in my staff. And again they need the technical skills in order to meet the requirements of their job. So, that's necessarily a skill that I need for them to support me, but I do need it for them to provide the support to the organization that we are looking for. It does however help me with the trust and delegation piece. I can, it's easier to trust that they can get through the things they need to do if they have the specific technical skills to get it done. And as we all know with technology constantly evolving, it's a responsibility of mine to make sure that my staff is constantly developing those skills. So it is not necessarily having the people that know how to do it now, but it is either getting them the knowledge to do it or making sure that you have people that know where to find the knowledge. I'll go back to my first comment and that is, we fulfill an information services need and a financial services industry, so I don't necessarily feel like I have to have people that know every single answer to every IS-related question. What I do need is those that if they don't know the answer they're going to have the ability and the trust in themselves and the drive to find the answer or at least get us in the right direction to find the answer. And that goes to the second skill that I really need from my staff, and that is the deduction and reasoning.
I need my staff to have the ability to make decisions based on partial information. They know what the desired result is. They know what is expected of them. They gather information to get us closer to the result. They need to make the decisions to get it there, so it's not constantly coming back to me as the leader to say, 'Should I do this or shouldn't do this. What is next? What is the next step?' That is for them to determine, and use me as kind of the bouncing board for the organization to say, from an organization view that makes sense or this doesn't make sense, what about this, could you think about this. Again being a resource to them.
And lastly, for my area and I think for most IT leaders a skill that is definitely needed is enhanced interpersonal skills. In our day and age, we are getting past the IT stereotype, but it still exists to some extent. If other people don't fully understand what IT does and how it fits into the industry, then you get the stereotypes of being introverted or you get the Tech Geek stereotype. Again, our purpose is to handle the technical aspects of the financial services industry, so I need my people to have interpersonal skills to go above and beyond that IT focus. The ability to communicate with other employees regardless of what level they are at, and the ability to communicate across the entire organization, whether it is dealing with security other facets of IT to something as simple as PC's and how they help financial services, it's regardless of the topic the IT staff needs to be able to explain very technical information to mostly non-technical people who are here for our end goal which again is to serve our members or customers.
FIELD: Nice, to keep the eye on the prize. Paul, you talked about the skill sets that you need, and you have also talked about how easy it is to sort of get sucked into the needs of the moment. How do you groom an IT or a security team to ensure that they are more strategic in their actions rather than sort of being tactical and in the moment?
PERINI: That's a very good question and it is something that most organizations are going ... We are, as I mentioned earlier, it's very easy to get back to the tactical piece and forget keeping your eye on the end prize or the strategic. A lot of times strategic to people means pie in the sky, meaning you are just thinking outside the box but you know, the results come from the tactical. Well you know, for us it's more of helping everyone understand how they fit together. My approach is that I constantly share the direction of the organization with my staff. Our goals are brought down through our senior leadership team to a strategic implementation team and then down into the different areas of the credit union. So, it's our job to take this direction of the organization, the strategic goals, and then set the department and individual goals that align with those goals. So, I constantly push our team to work together to help determine their role in achieving the goals set for the organization.
An example of that is the financial services industry is that if growth is an issue. We want to grow our assets by "x" percentage over the next two or three years. Everyone needs to understand that all areas within the organization can contribute to the goals set for the organization. I challenge my team to be creative in how we can contribute to the goals set by the organization. So, in the financial services if our goal is growth of "x" percent, an IS specific focus team and a tactical team is going to say, "We provide support to those people who talk to our members or customers, that is how we support the goal of growth." That's well and good. What I have challenged my team and where my team has responded is what else can we do? How can we be creative? If we were to think outside the box and say nothing is impossible, brainstorm, how else can we affect assets? How else can we contribute to growth? Our department has no member contact on a daily basis, yet each of our staff or each of our key members has specific sales goals for the year. So, what we've tried to do is help our team understand that the daily responsibility indirectly impacts the goals of the organization, but that it can also directly impact the goals of the organization. And what it tends to do is it helps them to see the bigger picture, understand what is important to the organization, how they contribute to that, and then it also kind of sets a standard -- at least we feel it does, and we are proud of the fact that we think it sets the standards for some of the other back office or support departments here at the credit union to see what is generally looked at as the most introverted or geeky department in the organization setting goals for themselves or saying "we're going to go outside our comfort level and help develop business at every opportunity we can so we can directly impact the goals of the credit union." 
That sends a very clear and strong message to the other areas that we firmly understand the goals, the strategies set by the organization and we understand where we fit in helping to reach those goals.
FIELD: So Paul, if you had to boil it down and give one piece of advice to someone in IT or security trying to be more of a business leader, what would that advice be?
PERINI: As you probably guessed by now, Tom, one piece of advice doesn't usually come from me. I tend to be a little long-winded and give numerous descriptions of possibly the same thing, but I would pretty much narrow it down and say, the advice I give to someone would be to challenge yourself, take on more responsibility, work on your judgment and work on your employee development. Constantly challenge yourself whether it's continuous learning, leading a difficult project or putting yourself in an uncomfortable situation, do it. Take the chance. It's especially going to go back and affect your leadership ability when you are put in those kinds of situations, and you need to understand your role as a leader, but also as a resource to those people that you lead, and then also, gaining the respect of the person that you report to. Make no mistake about it, a leader still has resources above them that not only critique how they lead, but also are there to support them and be a resource for them. Take on more responsibility. Good leaders find opportunities around them and they tackle them. It's not sitting back and waiting for things to be assigned to you. It's creating your own work load; create your own focuses within the context of your goals and strategies set by the organization. The judgment piece is huge. So, many times in industries people become leaders, or in leadership positions, by doing something better than others. My background before I came to the credit union was in financial services and more financial sales. So to go from a true salesman, so if I was doing loans, to go from that to a branch manager, it was by setting a name for myself by doing the most loans. Well, the mistake there is that because you sell well the perception is that you would lead salesman well. Well, the judgment piece is more important at the leadership level than it is at a sales level, so it's to constantly look and say, this is the decision that I made. 
How could I have done it better? If I used standard decision making process, put my decision and everything into that and say what would be the normal outcome? Did I agree that is the decision I made or was I way off base here. Evaluate your decisions before, during, and after they are made. Make sure you are constantly developing your judgment skills, looking at all the information, looking at the bigger picture, understanding the end result.
And finally the employee development. As I've said before, this is what drives me to be not only a leader in IT, but hopefully a leader in our credit union industry going forward is the focus to employee development. You're only as good as your employees. If you demonstrate the ability to develop your current employees, good organizations are going to look to you to develop and lead other employees. Opportunities are going to open up. It may not be in the IT field or the IT area of your organization, but those people that set them apart as good leaders, it doesn't matter what they are leading. If they are leading IT right now, and they take the characteristics and the skills that they've learned to branch sales or a finance department or a marketing department, they still are going to be a good leader. There is obviously a learning curve, but if you focus on developing your employees, it doesn't matter what the subject matter is. That is where your focus as a leader and that is where you will excel.
FIELD: Excellent. Paul, well said. I appreciate your time and your insight today.
PERINI: Well, thank you, Tom.
FIELD: We have been talking with Paul Perini from Belco Community Credit Union. The topic has been the business of security leadership. From Information Security Media Group, I'm Tom Field. Thank you very much.