One of the key points in the book, and one that I am using, is what Sinek calls the Golden Circle.
The basic premise of the book is that organizations that are in touch with their purpose are better able to inspire staff and keep customers. Most organizations, however, focus on What they do, such as creating a product or enhancing shareholder value. They aspire to success rather than trying to inspire.
From the publisher's summary:
In studying the leaders who’ve had the greatest influence in the world, Simon Sinek discovered that they all think, act, and communicate in the exact same way—and it’s the complete opposite of what everyone else does. Sinek calls this powerful idea The Golden Circle, and it provides a framework upon which organizations can be built, movements can be led, and people can be inspired. And it all starts with WHY.

But I also think that the lessons in the book can help us build and strengthen the security practice within our own organization and inspire our own teams. Again, we start with Why. The Why equates to high-level mission and vision. Does the company, or business area, have a mission and vision statement? (These are different things... here's a good article on that subject.) That mission or vision will help you understand Why they do What they do. When you are talking to executives or business leaders about security, you must tie it to their Why.
The What of security is the tools and techniques you use. Reducing vulnerabilities or meeting audit requirements are Whats. Using risk management techniques, where we adapt the What to whatever makes sense for the organization, gets us to How. But when we show that the benefits of the security program directly support the mission and vision of the organization... now we're talking Why!
Right now I'm just using this conceptually. I'm trying to keep it in mind when I talk with business leaders or try to influence more broadly. But I also want to apply these ideas to things like metrics and risk presentations, i.e. using the Why/How/What hierarchy to tailor the message to the audience.
I do have one criticism of the book. His examples get pretty repetitive. This is particularly true with Apple being used, again and again, as the prototype inspiration-led organization. While there is plenty we can learn from Apple and Jobs, they are not without their faults. Apple fanboy-dom aside, I think this is a good read.
Have you read this book? Are there other business books that you are applying to promoting or aligning your security practice?