Leadership Competency: The Power of Careful Word Choice

By Stephen Northcutt

Version 1.1

As part of the Self Study at SANS.EDU we were trying to describe the thread that weaves throughout our curriculum to prepare technical security leaders to operate in a large, mission-focused organization. But what if it was an NGO? A movement such as Occupy Wall Street? A non-traditional structure, a government agency, a non-profit? We decided the best word to choose was enterprise, but what does STI mean when they use the word enterprise? And can we support that word choice?

One of the characteristics of leaders is that they understand the importance of language. Back in 2009, I was speaking with security guru Ron Gula, the CTO of Tenable, the network security company. He said, "I don't really understand what you do with your courses, you teach the free Snort, the free Nessus and you know that people can't use those when they get back to their enterprise class organization." Since I have a great degree of respect for Ron, I gave that a lot of thought. In the end it is OK: we don't focus on teaching particular tools, we focus on teaching analysis and process, and the tools simply enable us to mentor and transfer knowledge. But that comment got me thinking about who our customers are. While we have the occasional individual consultant who pays their own way, and every once in a while a student from a small company, the majority of our students come from large organizations with large, organized security teams. These large organizations are sometimes referred to as enterprises. But what, exactly, do we mean when we say enterprise? To be honest, the first thing that comes to mind is a difficult project such as filming the IMAX Mount Everest movie, or initiative and resourcefulness. However, when we use enterprise to refer to business, there is usually enough context to know that is what is being considered.

I have a lot of experience with startups including SANS, GIAC, Beyond Encryption and Zimperium. In addition, though Kathy and I were hands off, we were angel-round investors in Sourcefire and Tenable, and so we were excited to watch them grow. Characteristics of startups include people working very hard, long hours, a sense of excitement, concern that you might not be able to make payroll, and the joy that comes from a successful rollout of a new product or new version of an existing product. As they grow, they tend to form teams, and somewhere around the hundred-employee point you start to see organizational structure develop. A one-hundred-person company, organization, department or agency is not an enterprise, but an enterprise will have organizational structure.

At one point we defined companies as Small Medium Business (SMB) and Large Enterprises. SearchCIO defines Small as 0 - 99 employees and Medium as 100 - 999. Above 1,000 people, you have to order the organizational structure into hierarchies. According to DCIG, you used to be able to evaluate based on the number of employees and the amount of data they processed. While they are clearly data warehouse oriented, it brings up an interesting and valid point: enterprise is more than an organizational structure that has evolved into a hierarchy and 1,000 or more employees. In fact, we have enterprise architecture, enterprise data, enterprise software, enterprise organization, even E2.0. An enterprise is mature enough in the business sense to have a policy framework and an understanding of the importance of policy. Of course there is nothing magic about 1,000 people, so a more general definition would be an entity of sufficient size and focus to have differentiated itself into a structured organization consisting of multiple departments, divisions or other entities, each with discrete goals and objectives that either directly or tangentially contribute to the overall mission of the aggregate entity.

To many people the term enterprise connotes commercialism or for-profit companies. However, enterprise is alive and well in government. A Google search for "government enterprise" on July 24, 2012 yielded 325,000 results and some very interesting reading. In fact, a non-profit can most certainly be an enterprise. One example is the well-organized and managed LDS church.

To summarize, we can define an enterprise as an organization that is often, but not necessarily, larger than 999 people, whether commercial, non-profit, or government. Enterprises have an organizational structure that is hierarchical and designed to help achieve the organization's mission and vision. From an STI perspective, they have a robust IT and IT Security function and probably have big data, understand the value of their data, and employ enterprise software such as SAP or Oracle. Finally, they are mature enough to have a policy and procedure framework.