I have to admit that I was already a fan of Collins’ quantitative style blended with clever insight, but this was the first time that I had seen him in person, and he was just spectacular. He has a vivid, animated way of telling a story, and had a great sense of humor. This combination of presentation skill was put to immediate use with his first statement drawing a hearty laugh from the audience full of entrepreneurs.

“How many of you in the room are constitutionally unemployable?”

Much of his remaining presentation provided interesting stories and insight from the research that he has done to understand the make-up of exceptional companies.

As Jim said, he has spent years studying the contrast between average companies and exceptional companies. They faced the same set of variables… similar economic conditions, similar competition for top human resources, and a similar set of huge unknowns.

What is the single biggest element of difference?

Not a function of the cards you are dealt, or circumstance… it is conscious choice and discipline.

Jim’s key principles & disciplines that have come from the studies we have worked on:

1. Building greatness is a cumulative never ending process! The idea that no matter how exceptional, you are always only relatively as good as to what you can do next.
2. Most overnight successes are 20 years in the making…. Wal-mart  took 13 years to get to 125 stores. Starbucks required 17 years to get to 38 stores.

“If you start to break Packard’s law, and there are very few laws of business, it is like breaking a law of physics for building great companies.” - David Packard (Co-founder of HP)

If you allow growth to exceed your ability to get enough of the right people to fill the key seats to execute on the growth brilliantly, you will fall as surely as a stone dropped from your hand. This is one of those timeless truths that extends beyond technology and economics.

The number one constraint on growth and sustained success…

An ability to get enough of the right people in the key seats to achieve that sustained growth.

The discipline that WHO comes before WHAT. Collins always kept coming back to the “who” thing over and over again. He said, “The more turbulent the world, (given the great current economic uncertainty of our financial system) the more important this issue is.”

A question from the audience came near the end of his session… How do you figure out who are the right people to put in key seats on the bus?

Collins responded with “Given that I stand here amidst a room full of unmotivated people… the right people are self motivated, self disciplined, self managed, The task is not to motivate unmotivated people, the task is not to have to manage people… self motivated, figured it out from there… self motivated people don’t need tons of management … when you have to start managing, you know that you have the wrong person at the task.”

Final thoughts:

Greatness is not a function of circumstance. Greatness is a function of conscious choice and discipline. It is not a matter of circumstance, it is one of choices.

I believe that every one of the Inc. 500 companies that I met at this conference achieved the list because they did not embrace the status quo. Incredible passion, an unwillingness to accept failure and an excessive and compulsive willingness to solve customer’s problems were key ingredients in the business building formula for the entrepreneurs that were at the conference.

I digress. What inevitably happened once I started walking around with this button proudly displayed was that I would get one of two reactions. The first group — mostly current and former co-workers and acquaintances — understood the humor and got a good chuckle out of it. The second group would ponder for a bit and then ask, with some confusion, why I’d intentionally point out the fact that I’m not a CISSP. I’d give a brief answer and get back to talking about Veracode (we booth babes have responsibilities, you know).

So, why indeed? The long answer is that like many security certifications, it’s an ineffective measure of a security professional’s practical abilities. Employers and customers often assume the guy with the five magic letters on his resume is technically superior to the guy without. In my experience, it’s exactly the opposite, particularly in situations where you have to sit down at a keyboard and actually DO something as opposed to talking about it. Certainly, I’ve encountered some very notable exceptions to this observation, but we’re playing by the 80/20 rule here.

There’s a good reason for this. The trend in information security is toward specialization. Security has become such a broad umbrella of varying disciplines that it’s quite difficult to be a generalist. A security career is a balance between breadth and depth, and these days, the skilled pen tester, reverse engineer, or vulnerability researcher is more marketable than the guy who knows a little bit about dozens of different disciplines but can’t apply that knowledge in a practical situation. The CISSP subject matter illustrates this perfectly — you have cryptographic algorithms, site location principles, network security, and civil law on the same exam. I won’t even get into the complaints I’ve heard about the poorly-worded, overly simplistic exam questions or the ones that simply test one’s ability to memorize obscure facts.

I’m not claiming that there’s no value to holding the CISSP certification. It can’t hurt to have some exposure to business continuity planning, for example. The problem, as I stated in the beginning, is that the CISSP title is often interpreted as an indicator of practical abilities rather than a book-level understanding of security basics. These misaligned expectations can ultimately lead to bad hiring or staffing decisions.

Career advice, take it or leave it: If an employer or prospective employer demands that you get your CISSP in order to be hired or to progress in your career, run fast in the opposite direction and find a place where you will be valued for your cumulative experience rather than a piece of paper. Learn by doing, don’t “learn the test,” so to speak.

And that, in a nutshell, is why I love my “Not a CISSP” button.

By the way, here was my other favorite from RSA, thanks to WhiteHat. This one and “Samy is my hero” were the best out of a pretty clever selection… even though they forgot the semicolon after the single quote. <grin>