Interview with Michael Santarcangelo

InfoSec Career Podcast – Episode 10

Michael Santarcangelo comes back in this episode of the podcast.  Michael and I have had a number of conversations since he first came on the show and we wanted to share some of the things we have been discussing.  In this episode we are discussing the struggles of being in security management and how to overcome them.


Jason’s Notes

With all the things discussed today, Michael invites listeners to reach out to him with questions.  I can tell you from experience that what you hear in this episode is Michael.  You can reach him at:

Michael had several quotes that I liked.  
“You lead people, you manage process, and you boss nobody.”
“A good leader is elevating the people around them.”

Security is an infinite game.  You measure your success by how well you are “playing” the game.  This includes how the people you lead and the people around you are getting better.

Book recommendations:
“The Infinite Game” by Simon Sinek
“Tiny Habits” by B.J. Fogg

Three struggles that security leaders face.

  • Time pressure.  We need to command our time.
  • Navigating through the organization, business, and politics.
  • Making the shift from individual contributor to being the leader of individual contributors.
    • This is something that Tom Eston and I discussed in episode 6

On training for managers:
Most people who go into management get promoted when they are about 30, but receive no coaching or training until they are 40.
Michael has heard this statement made and anecdotally confirmed it.
My reaction – Yikes!

Reading and learning is great, but are we acting on it?

On command of your time:
Do we know what an hour of our time is worth?
One calculation is to take your annual income, remove the last three zeros, and then divide by two.
The result is roughly what an hour of your time is worth. Not exact, but close enough to be useful.

100,000 income -> 100/2 = $50 per hour

We give our time away very readily.  How much are we actually giving away?

“You can make more money, but you cannot make more time” 

Alan Weiss

What makes us stay at jobs:
If you’re employed and happy, then (assuming adequate pay) chances are that three things are happening for you.

  • Growth and progress (either career or personal growth)
  • Contributing value 
  • Recognition for your work.  (Your contribution is truly appreciated and communicated to you)

If we lose command of our time, we tend not to experience growth any more.

If we are feeling overwhelmed and out of time, how are our teams feeling?

We elevate those on our teams by putting them into growth opportunities.

“Wealth is discretionary time”

Alan Weiss

Something that is a low-value task for you might be a high-value task for a member of your team.  It allows them to level up their value.

We need to learn to collaborate in a way that is multi-faceted and multi-disciplined.

Part of our responsibility in security leadership is to advocate to solve the right problems.  This means we need to understand the difference between budget and funding.  

  • Budget is a plan put together that may or may not be strictly adhered to.
  • You can still get funding for a pressing need if you make a good case as to why it needs to be done and what value it brings to the organization.
  • Be prepared for some fallout from this. The funding you get is probably going to be budget taken from someone else.

Don’t put off something important or critical because you don’t have budget.  Advocate for it to get done and try to get the funding.  You may not, but there’s no reason to not pursue it if you think you have a good case for the initiative.

Be prepared to demonstrate to the board or management the value that the organization received from giving you the funding.  Not just a laundry list of what you bought.

Allocation of our time per day

  • We have about 3-4 hours of productivity per day. Maybe less. This is time spent on projects and solving real problems.
  • The rest of our time is spent on administrative tasks, outages, random requests, and other “emergencies” that come our way.  This includes most meetings and phone calls.
  • Use this time allocation to plan how much we can realistically get done. Michael gives an example of the time breakdown here for a team.

Victim blaming and shaming needs to go away.  It may be a natural expression of our frustration, but fight the urge to lash out.  We never know when our number comes up and we experience a serious incident.

On high performance teams:

  • They understand how to be decisive and act that way
  • They tend to be diverse in backgrounds, skills, their makeup, etc.
  • They are fixated on a goal or outcome.  They have clarity of what they are doing and why they are doing it
  • They have trust with each other and their colleagues
  • They know how to communicate

This doesn’t just happen.  It takes work and time, but it pays dividends.

In security we tend to struggle with the concept of value.  The value of our time, the value that solving a particular problem brings to an organization, the value of communicating well and properly.

Your job as a leader is to protect and provide for your team.

Power Hour.  Spend an hour every day on personal development.  Develop this practice into your habits.  Start small, but focus some time and try to get up to this hour.  Start with 30 mins at first and work to expand it.

We are not alone in struggling with these issues.  People in other disciplines are also dealing with similar issues.  Reach out and meet with others.

We have to be skeptical of what we are hearing and learning, but don’t be dismissive.  Put it through the paces, see how it works, but don’t toss things out right away because they are new to us.  Look for the value.

Jason Wood