Archives for March 24, 2021

Adapting in Cybersecurity: Why Agility Matters

Adaptability and agility were the themes of 2020. Businesses had to make quick decisions to be flexible in a world of uncertainty. Both of these ideas apply to cybersecurity, but they are the result of the pandemic. Adapting in cybersecurity and being agile have long been hallmarks of the field. After all, there’s always a new threat or risk, so the industry is certainly not static.

In this post, I’ll offer some insight on cybersecurity adaptability and agility that I express in my book, The Smartest Person in the Room. Consider it a primer for reading it in its entirety. Hopefully, you’ll take away from it some ideas and strategies for being adaptable and agile in cybersecurity.

Nothing Is Certain, But Uncertainty

There is a lot of uncertainty in cybersecurity, but that doesn’t mean you can’t adapt. Uncertainty, however, is sometimes challenging for technical folks. They always long to know the answer, but that’s not the reality of cybersecurity. Being fearful of uncertainty is a fixed-mindset feeling, whereas embracing it is how a growth mindset interprets it.

Embracing uncertainty doesn’t mean leaving things to chance or being carefree about it. Life is full of uncertainty; it’s the only thing we can be certain of and rely on. What it sets up is a perspective to be flexible and adaptable to change.

Since we can only be certain of uncertainty, this can cause fear, denial, and more for cybersecurity professionals. But the ability to adapt isn’t just good to have. It’s imperative. There’s a reason why adaptations occur in the biological world—it’s adapt or die. And that holds true in the world of cybersecurity. Either your team can be nimble and evolve, or it will be impossible to keep data and networks secure.

People Are Conditioned to Believe Certainty Is Attainable

From a young age, we are conditioned to think that certainty is the standard and that we should only follow specific paths. Thankfully, many people take the other courses, fueling innovation and proving that adaptability is a crucial trait to have as a person and a professional.

Each of us only has the present. What happens tomorrow is sometimes out of our hands, no matter how long we prepare. The same is true in cybersecurity. You can have a team of talented people with experience and education, but that doesn’t mean they’ll know the newest threat a cybercriminal attempts.

Cyber attacks happen constantly. Those who deploy them are relentless. They are adaptable and agile in the face of cybersecurity protection. Thus, your internal team has to mimic those same characteristics, realizing that uncertainty is actually the norm. It takes a long time to implement this change and earn improvements. We must all let go of the fallacy that if we don’t achieve on the first try, it’s simply not achievable or worth further effort.

Uncertainty Is Part of Improvement

To become proficient at a skill, you have to hit improvements along the way. You won’t hit mastery without incremental improvements, and those are full of uncertainty. Failures are opportunities to grow and learn. If your team is too fearful of failure to innovate its cybersecurity framework, they’ll never improve. They will remain in that valley, and cybercriminals will keep getting better and smarter.

It goes back to embracing a growth mindset of persistence and perseverance. Very few life-changing inventions went right the first time or the hundredth time. You often must get worse before you get better at something, but technical folks who struggle with always wanting to know everything aren’t going to get over the humps. They’ll stop and convert to old ways. That’s harmful to their professional and personal growth. It also puts your data and networks at risk.

Why You Need to Adapt People, Processes, and Strategies

Let’s get honest about adaptability in cybersecurity, looking at people, processes, and strategies. People are the hardest to adapt. Those people set the processes and strategies. So, you must work on the people first, and technical people are often some of the hardest cases.

It requires altering behavior. The idea of behavioral flexibility, which I cover in my book, is that people can alter behaviors to match a situation. Cybersecurity is dynamic and ever-changing, so change can be at a rapid pace. So how can you adapt people?

  • Communicate differently: Leaders should embody empathy in communication regarding the struggles of black-and-white, ones and zeroes professionals. A good tip is to avoid the word why and to lead with what and how.
  • Develop employees’ soft skills: People skills are imperative to adaptability. Focusing on developing and fostering these will be beneficial.
  • Value reflection: You and your team can learn a lot from reflecting on a specific issue and incident. On the one hand, you can forensically break it down to the facts. Additionally, there are the more abstract aspects like feelings and motivations.
  • Encourage flexibility in thinking: Achieving a robust cybersecurity position doesn’t occur with rigid thinking. New problems arise all the time that don’t fit the mold. If you urge for flexibility in cracking them, you’re likely to come up with better solutions.
  • Keep learning alive: Your technical team may have cybersecurity certifications and college degrees. Those don’t, however, mean a lot in the real world. That material can quickly become obsolete, so creating a culture of knowledge and learning is good for all. If you have people resisting this, that’s likely a red flag. You can address that with them individually and make the decision together if they can commit to adaptability.

If your people can grow and change, realizing the advantages of adaptability, they’ll then be able to work on processes and strategies. These should always be flexible because what works today may be obsolete tomorrow.

Why Agility Matters in Cybersecurity

Adaptability and agility aren’t the same things, but they have the same roots. Agility is more about being nimble with your cybersecurity operations. It’s something you can’t do without the assurance that you are adaptable.

Agility means you can pivot when things change. Everyone shifted a lot in the last year, as more pressure was put on digital channels and assets. That demand also meant a rise in cybersecurity attacks. When the industry turns, so do the criminals that want to steal data and cause havoc.

The key is to be able to make that turn as well. One of the most critical areas to do this is your cybersecurity framework. If it’s overly complex, agility is going to be hard to master. It’s certainly an area ripe for reform, and it’s the core of processes and strategies. If you can, simplify and demystify the cybersecurity framework. Doing so can set you squarely on the path to embracing uncertainty.

How Can You and Your Cybersecurity Team Embrace Uncertainty?

We’ll never win the cybersecurity war without embracing uncertainty. Staying in familiar and comfortable mindsets and positions gets you bested every day by cybercriminals. Technical folks often struggle with people skills, which are integral to the uncertainty conversation. If they avoid it in their personal life, why do they get into a field where it’s abundant?

The uncertainty they encounter is technical, so to them, there’s a logical answer. In the world of technology, computers are consistent. They respond the same way nine times out of 10. People, however, are inconsistent. Cybersecurity brings technology and people together. That’s a balance that errs on the side of uncertainty.

What people do with technology is the real crux of uncertainty in cybersecurity. You and your team will never have full visibility or awareness of every move of cybercriminals. The point is to evolve as they evolve.

One of the best ways to do this is to practice kaizen, the last tenet of my Secure Methodology. By following kaizen, you and your team can learn to embrace uncertainty to make improvements. In this way, you use it for moving forward, not standing still. You can learn more about kaizen and the other steps of the Secure Methodology in my book.

Adapting in Cybersecurity: Uncertainty Isn’t the Enemy

You don’t know what you don’t know, right? That can create a cloud of uncertainty, which can either overshadow or illuminate your cybersecurity operations. You’ll be in a much better position if it’s the latter. Getting there will take work and commitment, but it’s possible. Explore adapting in cybersecurity in The Smartest Person in the Room.

The Value of Empathetic Leadership in Technical Roles

There’s a misconception that leaders, especially in technical fields, should do so with only their brains. They should be logical and data-driven. Those skill sets are important, but leading from the heart is just as important. Empathetic leadership is about compassion for employees and customers. And it fits nicely in cybersecurity, an area that requires trust, communication, and collaboration for success.

Empathy is good for culture and customer loyalty — it’s also good for your bottom line. Many studies have supported this, including one that found that companies that express empathy outperform their competitors. And there’s more to reinforce this idea:

Thus, it would seem that leading with empathy is a win for all. If only it were that simple. There are many challenges to building an empathetic business and leadership.

What Is Empathetic Leadership?

What exactly is empathetic leadership? Is it listening? Communicating? Caring? It’s all those things, but specifically, it’s having the ability to understand others’ needs. It’s about being aware of those outside yourself. It’s stepping into the shoes of others. Those are hard to master, and empathy isn’t all innate.

Being empathetic aligns with having emotional intelligence. There are some factors of it that are genetic traits. Women also tend to be able to show it more, but it’s still a skill. Yes, empathy is a skill, one that you can hone and develop if you commit to personal and professional growth. You have to be willing, vulnerable, and open-minded. That, of course, isn’t always how people or leaders think. It requires a fundamental change to become really good at empathy. While change is hard and scary, it’s often the best thing that can happen.

How Can You Apply Empathetic Leadership to Cybersecurity?

Cybersecurity is about protection. It would seem a natural parallel with empathy. Yet, most would agree there is a gap here. There’s a lot of focus on technology and tools to fight the cybersecurity war, but there have to be people behind them.

In many cases, cybersecurity failures are human-related, not technology-focused. If that’s the case, then we can’t cure it with more systems and products. Instead, we need to focus on the people. And those people need to have an empathetic leader.

Empathy Is a People Skill

There are stereotypes that technical folks are devoid of people skills. That’s not true; they aren’t robots! Often, they get caught up in logic and forget the emotion. It is possible to improve people skills for technical professionals. I write about how to do this in seven steps in my book, The Smartest Person in the Room.

You can develop people skills the same way you do technical ones. Through practice and learning, it’s possible to become more empathetic. To achieve this on a cultural level within a company or firm, it has to start at the top. If leadership doesn’t demonstrate it, it’s hard to expect others to follow.

Empathy Is Hard for Everyone When We Focus on Differences

We can all collectively say the world right now needs more empathy. Compassion and care often get lost, as societal and cultural pressures tell us to look out for number one and focus on our differences. There’s a lot of “us vs. them” mentality in every aspect of life. It’s not hard to find that every time you scroll through social media or turn on the TV.

Why a Differences Mindset Handicaps Cybersecurity

Focusing only on differences creates divides. Those can then manifest as bad behavior within the team and toward other people in a company or even customers. The usual suspects are bullying, posturing, and egotism. Acting in these ways is often rooted in insecurity, as they want to be the smartest person in the room always. Being trapped in your head and only seeing differences leaves little room for empathy.

Lacking Empathy with Clients Can Be a Disaster

Clients, whether internal or external, expect cybersecurity professionals to protect what matters to them. To really understand this, empathy is imperative. Lack of it leads to not looking at specific needs and, instead, offering up a complicated cybersecurity framework. Complex doesn’t mean effective, and many professionals will miss the point.

If leaders don’t practice empathy and expect it in others, security will be much less effective, leaving clients unsatisfied and untrusting.

Colleagues Should Have Reciprocal Empathy

Empathy among the team is just as essential as having it with clients. Leaders model this (or don’t), as well. If a leader never acts with empathy toward their staff, why would they exhibit it with one another?

When there’s a void of empathy in these situations, communication, honesty, and transparency all suffer. It becomes a dysfunction instead of a collaborative working environment. It’s hard to be successful in this setting, no matter how technically astute you are.

The Tangible Value of Empathetic Leadership in Cybersecurity

I’ve shown you some data, studies, and leadership that illustrate the correlation between success and empathy. But how can it support cybersecurity?

  • It supports human connection: More technology and more budgets won’t cure cybersecurity shortcomings. Having sincere human relationships will, and a leader that exhibits this will have an impact.
  • It helps understand the needs of the client: An empathetic leader will dive into the challenges and pain points of the client and have clarity on these points. That’s the ideal foundation to develop a plan that works.
  • It removes the ego: This is a problem in the field. But if a leader’s behavior is egoless and focuses more on listening to others and making careful decisions, this helps all aspects of the company.
  • It improves communication and collaboration: Imagine a leader that never wants to hear anyone else’s thoughts or ideas. Well, we don’t have to imagine it because many leaders like this exist, and they fail over and over. An empathetic leader wants to hear from the team and practices active listening.
  • It helps ensure the right people are on the team: A leader that possesses empathy will use that in hiring and recruiting decisions. They’ll look for these traits in others, realizing soft skills are just as valuable as hard ones. Those smart hiring choices will lead to longer retention as well.

How You Can Cultivate Empathy in Others

If leadership commits to empathy — and they should for the value it delivers — the next step is fostering it in the entire team. Intelligence, knowledge, and experience will only get you so far in cybersecurity. They aren’t nearly as powerful without the missing piece of empathy.

Empathy is Step 6 in my Secure Methodology, and the following are some insights from that practice that can bridge the empathy gap:

  • Realign to emphasize similarities, not differences: Each of us is unique in our own way, but we have more similarities in the long run. That’s the first step for building the skill of empathy. This realignment can help cybersecurity teams immensely. You’re all in this together, and the “enemy” is cybercriminals, not each other.
  • Understand the motivation of others: Motivation and empathy have synergies. If you know someone’s “why,” then it can serve as a way to get them in touch with compassion.
  • Acknowledge wins: If you want technical employees to express empathy, you have to acknowledge their accomplishments. When you do, they feel appreciated for their work and more connected to you.
  • Adapt communication: Technical people often struggle with admitting they don’t know something. As a leader, you need to remember that when you communicate. I recommend not using “why” statements and instead leading with “what” and “how.”

These are a few highlights that demonstrate basic steps to take. There are also exercises to try and other specifics, which you can find in my book. Cultivating empathy is an ongoing process, so there’s really no finish line.

Is Empathy Part of Your Organization?

Right now, if you had to say, as a leader, if empathy is part of your organization, what would the answer be? Few can probably adamantly say yes, and that’s okay. It’s a complex attribute to introduce, cultivate, and maintain.

However, it is possible and provides so many benefits to companies. No matter where you are in the journey, I want to help. You can start by reading my book, The Smartest Person in the Room.