Christian Espinosa

Cognitive vs Affective Empathy Leadership

Empathy is a skill that everyone will need over the course of their lives in many different settings. From the personal to the professional, how we relate to and understand one another is important to our success as social beings and people within a social hierarchy.

While empathy is a broad term meant to define the ability to understand and share the feelings of another, there are categories of empathy that are necessary to our understanding of the concept in a leadership context.

Cognitive and Affective empathy are two of the biggest categories that have effects on our lives and the people we interact with daily. Particularly in a company, empathy is a necessary tool for empathetic leaders to direct and work with their team members and employees. In any technical role, a technical leader must be able to harness empathy and emotional intelligence to understand and share the feelings of their team to better manage them.

The Two Sides

Cognitive and affective empathy both require understanding the feelings of another person, but while cognitive empathy is the ability to recognize and understand another’s mental state, affective empathy is the ability to share the feelings of others without any direct emotional stimulation to oneself.

We might think of cognitive empathy as the necessary first step to being able to feel what others are feeling while using affective empathy. Cognitive empathy is necessary for improving technical leadership.

Cognitive Empathy

Also known as ‘perspective taking’, cognitive empathy requires putting yourself into someone else’s place to see their perspective. Cognitive empathy is the logical empathy of understanding someone else’s feelings or positions.

It is a skill but not a feeling. One could have strong cognitive empathetic skills without actually feeling the emotions of the other person. Cognitive empathy only requires an understanding, not a reciprocation or sympathy.

Affective Empathy

Affective empathy is a great step in the empathetic process but can be ineffectual for leaders in a workplace. Someone who understands the feelings of others can then go on to literally feel the other person’s emotions. Affective empathy requires being affected by the other person’s emotions, just like you had ‘caught’ them. Catching unproductive emotions could be detrimental to your work and team.

This type of empathy is also important but less so for technical leaders and others in the workplace because it can often hinder your work or productivity. Someone leading a team must understand the team and how they are feeling and make deductions about what they are thinking or how they work, without letting those feelings interfere with their mission.

Affective empathy is not always necessary for a technical leader looking to understand their team because understanding their emotions is what will help them put themselves in their shoes and learn to manage them better.


The traits of cognitively empathetic people and affectively empathetic people are very different and often highlight the differences in thinking and application of empathy. Cognitively empathetic people can often use empathy as a tool to their advantage by using their knowledge and understanding of another person’s emotions to their and the team’s advantage. This is particularly useful for technical leaders hoping to get in the minds of their team members and learn how to maximize their work.

An affectively empathetic person will also feel the emotions of the other person, which can often be unproductive. Someone who is affectively empathetic may be experiencing the negative emotions of the other person, creating problems for themselves.

Cognitive empathy allows a leader to put themselves in someone else’s shoes and work to help the other person. The analytical nature of cognitive empathy is useful for leaders of all types because they are able to aid the work of their team members without being particularly affected by the emotions of others.

The Business Case

Empathy is an effective tool in business because understanding the needs and feelings of stakeholders is a valuable asset in any project or negotiation. There is a strong business case for empathy in general because empathetic leaders are often more effective and command more respect from their teams.

The distinction between cognitive and affective empathy makes it clear that every type of leader can benefit from strong empathetic skills, but cognitive empathy is the essential ingredient for a strong technical leader in the workplace.

The most effective leader has high cognitive empathy, but low affective empathy. It’s great to understand and have the capacity for affective empathy, but it is important that leaders avoid diving into their affective empathy.

Democratic Leaders

Leaders who include their team members in their decision-making process can use cognitive empathy to understand their opinions and ideas better. Interpreting the votes and ideas of others through their perspectives gives a leader a deeper understanding of where they are coming from and how to better define their positions.

Autocratic Leaders

Even leaders who make all the decisions on their own without consulting team members can harness cognitive empathy to take into consideration their team members’ opinions without asking for them. Autocratic leaders often prefer to make decisions on their own terms, and by combining this style with the ability to understand their team members, their decisions can become more effective.

Servant Leaders

A similar style to military leadership where leaders serve the interests of the people they lead, a servant leader works hard to meet the needs of their team. This particular style of leadership incorporates many of the traits of empathetic leaders but can sometimes consider others’ opinions too much. Strong cognitive empathy can help to balance the idea that everyone on the team is equal with a leader who needs to have the strength to make the final decision, especially when it is a tough call.

Empathy and the Secure Methodology

The sixth step of the Secure Methodology is empathy. By taking into final consideration the positions of others, leaders can improve their leadership style and effectiveness. Empathy is a critical part of the Secure Methodology because it is part of the cement in the final steps of the methodology. Without it, the rest is less stable.

Technical Leaders and Their Empathetic Skills

Technical people often struggle with people skills for a variety of reasons. Particularly in cybersecurity, the technical perspective one must take is quite binary. This, unfortunately, doesn’t fully click when working with people, because people are far from binary. Never wanting to be wrong and poor communication are often barriers to people skills that are essential to leading a team. Technical leaders could often benefit from improving all of them.

Binary Thinking

People are not binary and think in an array of ways. The logical thinking that works so well for solving cybersecurity issues does not work with people, and a different tool is necessary to crack that code: empathy.

Cognitive empathy for technical leaders is so powerful that it could mean the difference between success and failure on a project. Failing to see the perspective of a team member could spell disaster for the project. Improving cognitive empathy is the way to improvement for every leader.

A Need for Certainty

Cybersecurity professionals like to be right, and they love to be absolutely right. Insecurity is a common source of this feeling. It can lead to one-way thinking and posturing, which doesn’t take into account what other team members are thinking or saying.

Cognitive empathy helps with this issue by opening up an understanding of what other people are saying. A technical leader can then realize that what someone else is saying is the right way, no matter how painful it might be to admit they are wrong and vice versa.


Technical jobs, like all jobs, require communication. Conversing healthily and productively is essential to project management and leadership. Cognitive empathy boosts a leader’s ability to communicate effectively with their team and makes their message stronger.

A leader’s message is more likely to be received well if it comes from a place of understanding of the other person’s perspective and feelings. If the leader uses affective empathy, it could also be helpful in deepening their understanding of those feelings, but actually feeling them is not overly helpful for a leader.

Cybersecurity Professionals and Leadership

Cognitive and Affective empathy are both a part of being an effective leader. High cognitive empathy and low affective empathy will bring out the most effective leaders in any organization. Technical leaders who demonstrate cognitive empathy well will be able to bring out the best in themselves and their team members.

For any leader looking for more information and help with using empathy in their leadership, my book, The Smartest Person in the Room, has effective strategies for deploying the Secure Methodology in cybersecurity contexts. Your leadership is a work in progress, and it’s time to work on the empathetic tools that will make you the best leader you can be.

Why Do Technical People Struggle with People Skills? And How Can Companies Fix It?

The Secure Methodology Improves People and Life Skills

People skills are a challenge for many individuals. It’s often a combination of personality and experiences. Technical people often get put in a category of lacking them. While this is not universal, it does account for some of the failings of cybersecurity strategies.

Without a robust soft skill set, these professionals get caught in a cycle of bad communication practices, a lack of curiosity, and posturing. It’s time to peel back the onion on why they struggle in this area and how to fix it.

Why Technical People Struggle with People Skills

This analysis comes from years of experience, research, and asking the hard questions. Again, it’s not a condemnation of those in technical fields. Many have a nice balance and are thriving. Through the years, I’ve met and worked with many highly articulate, open, and excellent cybersecurity experts. However, in general, this is the exception, not the rule.

In my book, The Smartest Person in the Room, I lay out the evidence for why this struggle is all too real.

They See the World Exclusively in 1s and 0s

It’s hard to communicate and collaborate with others when your world is solely 1s and 0s or very black and white. The reality is that the world, people, and cybersecurity are gray. That’s hard for some technical minds to grasp.

In a lot of technical disciplines, there is a right answer and a wrong answer. No discussion required. It’s probably more applicable to some areas of math and science. However, cybersecurity isn’t just math and science. It’s an ever-evolving field. New risks and threats emerge all the time.

Further, it requires asking questions and understanding business needs. That can send some technical folks into a free-fall. They don’t have a naturally curious nature in public, so they fall back on what they know and don’t try to find out what they don’t. They fear that curiosity in front of others may appear as a lack of knowledge or incompetence.

Insecurity Leads to Soft Skill Failure

Many cybersecurity professionals never want to be wrong — another reflection of black/white thinking. The feeling often comes because they are insecure. They cling to certainty, and interacting with other people and having meaningful conversations are too uncertain.

They let insecurity guide what they do, pushing back on the need for two-way dialogue. They’ll figure it out on their own and don’t want to entertain outside ideas. That then leads to posturing.

Poor Communication Sinks Cybersecurity

There is a misconception that technical jobs don’t require communication skills. That’s not true. Every role depends on communication, and when that’s a challenge, it’s a house of cards filled with assumptions. It’s the biggest shortfall for many technical people. It doesn’t mean they aren’t articulate or don’t have a good vocabulary. It means they can’t converse in a healthy and productive manner. Having honest and transparent communication is about listening more than talking. Unfortunately, many people aren’t good at that. These communication issues will bring down any company department.

People fail at communication for many reasons, as discussed above — insecurity, fear, a closed mind, a lack of empathy. This revelation isn’t unknown. A study on business communications found that 89 percent of respondents believe effective communication is important. Yet, 80 percent of those same people said that communication in their company was average or poor.

However, it’s not a dead end. There are ways to develop communication and other soft skills.

Fixing the People Skills Problem for Technical Professionals

Attaining better people skills was a self-journey. The consequences, however, didn’t just benefit me. They helped me create a process that any technical employee can navigate and come out the other side.

There’s no magic fix for evolving people, and they must want to change. So, that’s a barrier for sure. If you’re going to invest in helping your team, you want to know they’re open and have a growth mindset.

What I’ve developed to counter this problem is the Secure Methodology. The following is a quick review of the framework and how it works. By employing it, people can start to see the gray in the world and be better cybersecurity professionals and experience personal growth as well.

The Secure Methodology

Step One: Awareness

The first step is about being aware of yourself and others. The lack of awareness in a professional setting causes you to miss blind spots. It also causes relationship issues at work because without awareness, communication is poor, and posturing reigns.

The mind has to open itself to new perspectives to achieve awareness. That requires coaching on communication and understanding what motivates a person. There are exercises that can strengthen the awareness “muscle” and open eyes.

Step Two: Mindset

You either have a fixed or a growth mindset. Those with poor people skills are trapped in a fixed mindset. It’s not permanent. The key to a growth mindset is accountability. It’s no secret that a growth mindset is critical for cybersecurity. So, you must open those minds. The best way to approach it is to encourage reflection, ask the right questions, and urge quick decision-making.

Step Three: Acknowledgment

Acknowledgment in the workplace is a rampant issue. In cybersecurity, without positive acknowledgment, employees fall into disengagement and resentment. Many times, if there is acknowledgment, it’s negative, which feeds into further anger.

The other issue is that a cybersecurity team that receives no acknowledgment can’t concede their overly complex framework isn’t working. They lose the ability to simplify. To end this cycle, you should recognize their positives in the present before you expect them to master acknowledgment. You can improve this by building rapport and trust with exercises from the book.

Step Four: Communication

We’ve talked a lot about communication because it’s applicable in every aspect of nurturing people. We’ve identified the reasons why people are bad at it. Another critical factor is that technical folks like to speak geek as a sign of their higher intelligence. For those outside the industry, it may as well be another language, and technical professionals have to interact with non-technical folks. They build a wall with it instead of a bridge.

Shared language is inclusive and promotes active listening. Getting to this involves reframing and simplification, achievable through specific activities.

Step Five: Monotasking

The world wrongly praises multitasking, believing it epitomizes capability. In fact, humans weren’t born to multitask. It’s a real problem in the cybersecurity field, leading to errors and mistakes. It also creates a lot of anxiety — as if anyone needs more of that.

Retraining to monotask means that you can focus completely on one task. It can be much more productive than trying to do five things at once. Fostering this behavior includes blocking time for specific tasks and blocking out distractions (that means not answering a call, email, or text immediately).

Step Six: Empathy

A cybersecurity culture without empathy will not succeed, at least not long-term. You may wonder why it matters in technical roles. It matters in everything, really. The problem in the workplace is an us vs. them mentality. There’s no room for consideration and compassion in this model.

Empathy is a core people skill, but we’re not born with it. It’s something people develop. When it’s nonexistent, technical people don’t care about their clients or their data. Nor do they have concern for colleagues. If you’ve been able to make it through the first five steps, then you’re on a path to spreading empathy. There are also specific activities to do on the team level to develop it further.

Step Seven: Kaizen

The final step is a Japanese term meaning “continuous improvement.” In terms of the Secure Methodology, it’s a more tangible action of root cause analysis. Root cause analysis helps understand real problems and how to improve them. That applies to cybersecurity and people skills. Mastering it requires constant change and adaptation, and you can’t get there without the former six steps.

Do Better People Skills Really Lead to Better Cybersecurity?

You may look at the Secure Methodology and think it sounds great in theory but are skeptical about its real-world implications. That’s fair. Again, there isn’t a guarantee, because nothing is guaranteed. What you should know is that it’s proven. I’ve witnessed it, and I can without hesitation say that better people skills lead to better cybersecurity.

If this is a path you want to send your team on because you realize the deficit of soft skills, your next step is to get the complete picture of the Secure Methodology by reading my book, The Smartest Person in the Room. In it, you’ll find activities specific to the seven steps to build the people skills they’re missing.

Risk Comprehension Is a Basic Cybersecurity Skill, Yet Most Practitioners Lack It

A foundation of cybersecurity is the question: where is the risk? Based on risk comprehension, professionals map out a cybersecurity framework and strategy. While risk assessment is essential to executing proactive and reactive cybersecurity plans, the gap is that a deep understanding of risk is not as widespread as you’d imagine.

The reality is that risk comprehension is a basic cybersecurity skill, yet most practitioners lack it. In this post, we’ll be breaking down:

  • What is risk comprehension?
  • Why is there a gap in professional proficiency in the area?
  • How to ensure professionals gain this expertise and know how to execute it in cybersecurity operations.

What Is Risk Comprehension?

Simply put, it’s having a full technical understanding of risk fundamentals within the cybersecurity ecosystem. Beyond just the confines of cybersecurity, life is about risk, in general. So, the inability to grasp it in cybersecurity directly relates to the bigger picture of people not comprehending risk.

Quantifying Risk

In most areas of certification or academia, risk is a formula:

Risk = Threat x Vulnerability

In unpacking this formula, you can see how easily it becomes confusing. How are threats and vulnerabilities quantifiable?

In my book, The Smartest Person in the Room, I describe a more palatable formula:

Risk = Probability x Impact

In other words, how likely is something to happen, and what’s the consequence if it does?

The answer to this formula will identify three kinds of risk:

  • Low risk has a low probability and impact.
  • Medium risk could have high probability and low impact or low probability and high impact.
  • High risk is highly probable and impactful.
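The classification above, worked through on a small register, as an added example (not code from the book or the article). It assumes a 1-5 rating scale for both factors, with 1-2 treated as "low" and 4-5 as "high"; everything else (including the high/low and low/high mixes the list names) lands in Medium, and the register is then ranked by Probability x Impact.

```python
"""Score and rank a risk register with the article's formula, Risk = Probability x Impact.

Added example; it is not from the book or the article. Assumptions (mine):
probability and impact are each rated 1-5, ratings 1-2 count as "low" and
4-5 as "high", and the three kinds follow the article's rules: Low = low
probability and low impact, High = highly probable and highly impactful,
Medium = everything in between, including the high/low and low/high mixes.
"""
from dataclasses import dataclass

LOW_MAX = 2   # ratings 1-2 are "low"  (assumed scale)
HIGH_MIN = 4  # ratings 4-5 are "high" (assumed scale)


@dataclass(frozen=True)
class Risk:
    name: str
    category: str       # one of the operational-risk areas the article lists
    probability: int    # how likely is it to happen? (1-5)
    impact: int         # what is the consequence if it does? (1-5)

    def score(self) -> int:
        """Risk = Probability x Impact."""
        return self.probability * self.impact


def classify(probability: int, impact: int) -> str:
    """Map a (probability, impact) pair to Low / Medium / High."""
    for value in (probability, impact):
        if not 1 <= value <= 5:
            raise ValueError(f"rating {value} is outside the assumed 1-5 scale")
    if probability <= LOW_MAX and impact <= LOW_MAX:
        return "Low"
    if probability >= HIGH_MIN and impact >= HIGH_MIN:
        return "High"
    return "Medium"   # covers high/low and low/high, as the article describes


def prioritize(register):
    """Highest score first; ties broken by name so the order is stable."""
    return sorted(register, key=lambda r: (-r.score(), r.name))


# Constructed sample register, using categories from the article's list.
SAMPLE_REGISTER = [
    Risk("Unpatched BYOD laptop joins the network", "Operations", 4, 4),
    Risk("Phishing leads to payroll fraud", "Financials", 3, 5),
    Risk("Test server outage", "Productivity", 2, 1),
    Risk("Regulator fines after data exposure", "Regulatory", 2, 5),
    Risk("Unauthorized software installed", "Operations", 5, 2),
]


def risk_table(register):
    """Return (name, category, score, kind) rows in priority order."""
    return [(r.name, r.category, r.score(), classify(r.probability, r.impact))
            for r in prioritize(register)]


if __name__ == "__main__":
    for name, category, score, kind in risk_table(SAMPLE_REGISTER):
        print(f"{score:>3}  {kind:<6}  {category:<12}  {name}")
```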

Cybersecurity Risk Is Just Another Operational Risk

The risk of cybersecurity incidents falls into the broader category of operational risk. The types of risk include those that could involve:

  • Financials
  • Reputation
  • Operations
  • Productivity
  • Accessibility
  • Regulatory
  • Damage to equipment or hardware

With many opportunities for impact in this area of risk, hackers can seize on vulnerabilities. Further, cybercriminals will take advantage of risk indecision. Thus, it’s imperative to have risk-literate cybersecurity professionals.

Why Cybersecurity Professionals Need to Grasp Risk

The concept of a cybersecurity professional is one that mitigates risk and secures data. It’s the two-second job description. Knowing this, you’d think these people would be risk experts. Yet based on my experience running a cybersecurity firm and teaching cybersecurity to college students, I can tell you there’s a gap.

This lack of understanding risk is complicating the industry. It should be a simple connection that will enable cybersecurity professionals to do the best job. Instead, we’re seeing an influx of paper tigers in the industry. These are the folks with cybersecurity certifications on their resume. They look ideal on paper, but when hired, are immediately like a fish out of water. They don’t have the necessary skills to fall back on, so they begin a routine of destructive behaviors affecting your company and their ability to succeed.

You’ll find those who don’t have this risk knowledge to begin posturing to cover this deficit. Posturing is a defensive response that involves overcomplicating processes and a pursuit by the professional to always be right and the smartest person in the room.

While professionals are busy doing this, hackers are seeking out ways to find vulnerabilities and exploit them.

Shifting to a Risk-Based Approach to Cybersecurity

In talking about cyber risk, there has been a migration from maturity-based to risk-based. To successfully change to this approach, cybersecurity teams need to improve risk comprehension.

The model is dependent upon identifying and focusing on the most probable and high-impact risks. Doing this requires a full understanding of the threat landscape and the ability to prioritize those risks.

What Is Maturity-Based?

The traditional maturity-based approach focused on a level of maturity for capabilities in the realm. The goal was to reach maturity in assessing, monitoring, and reacting to potential risks. Additionally, the model used access controls like two-factor authentication. Maturity-based isn’t completely obsolete. It can be a good jumping-off point for building a cybersecurity program.

However, most organizations are past this step. The maturity-based method has unfortunately led to unmanageable scaling. Will you monitor everything? Can you? Spending becomes out of control for this approach, as well.

The most limiting part of such a model is it can paralyze implementation efforts. However, many professionals in the field will promote and follow maturity-based methods over risk-based. Why? You don’t have to understand risk to pull it off.

What Is Risk-Based?

The key elements of being risk-based include:

  • Full comprehension of cyber risk
  • Prioritization of risks based on probability and impact
  • Measuring security controls to understand your performance against risk
  • Inclusion of all stakeholders in the cybersecurity space

The objective of risk-based is to make risk reduction an outcome. Organizations must focus on the right controls, processes, skillsets, and investment to reach these outcomes. Before you can achieve a risk-based approach, you have to excel at all the elements. Number one is risk comprehension.

Improving Risk Comprehension for Cybersecurity Professionals

The first question that comes up is why don’t professionals have this skillset? Didn’t they learn about it during training? It must have been a question on the certification?

Next, we’ll look at why risk comprehension is lacking and how to improve it.

Better Training

Educational courses obviously talk about risk, but many just teach the student to score well enough on a multiple-choice test. Thus, they simply have to memorize answers, and they pass.

Hands-on, real-world training is much more than choosing the right letter. It prepares individuals more holistically to succeed in the field. If you want your team of cybersecurity professionals to operate in a risk-based scheme, then you need to ensure they know what it is! Look for candidates with training from organizations recognized for being more than a certification mill.

If your current team lacks this knowledge, then find ways to upskill them so they can grasp the concept. If they posture and affirm they don’t need it, they might not be the best fit. They must admit they don’t know everything and change their mindset. Not all are capable of this.

Embracing a Growth Mindset

Fixed mindsets aren’t going to get your organization to a better risk posture. Those with fixed mindsets aren’t open to change or evolution, whereas a growth mindset is. Associated with this mindset are soft skills. They are much harder to learn and adopt as habits than hard skills. Professionals must have the desire to adapt, which will include working on communication and collaboration efforts.

Keep in mind that communication is more than what you say. What matters most is the tone you use and your body language. While some may be eloquent or articulate, that doesn’t mean they have great communication skills. The most important communication adjustments are asking the right questions about risk and really listening to the answers from all stakeholders. You have to think about it from a technical and business side.

Tempering Change with Acknowledgement

If you’re a technology leader and want people to improve their skillsets, it’s good to acknowledge what they are doing well. When you do this, people will be more open to the next part of the conversation.

As your team evolves to become risk-based and practices soft skills, keep acknowledging them to keep them motivated.

Rewiring for Monotasking

We think that multi-tasking illustrates great productivity and time management. In cybersecurity, multi-tasking can cause errors and distractions. Monotasking helps keep the focus on quality. It may take longer to get certain things completed, but it also means that you’re less likely to have to redo something or be open to more significant threats because of mistakes.

Cultivating Connection with Empathy

Empathy is probably the greatest attribute anyone could have in any situation. Cybersecurity professionals who possess compassion are better leaders and better at risk comprehension. They can communicate and collaborate better. They also think outside small boxes of “what is risk?”

Helping individuals become more empathetic has many benefits beyond being better at risk comprehension.

Building Better Cybersecurity Teams

Many of the things discussed are part of my Secure Methodology, which is part of my book, The Smartest Person in the Room. I’ve devised a seven-step process to improve cybersecurity professional skills and thus boost risk-based methodologies. It’s a unique approach that builds on fundamentals.

Learn all about it by ordering the book today!

Your Cybersecurity Framework Is Overcomplicated – Here’s Why

Rarely in life is complicated better than simple. However, in advanced disciplines, there’s the misconception that complexity signals thoroughness or expertise. That’s where the world of cybersecurity lives. In most organizations, they thrive on complication. They believe it demonstrates sophistication.

Let’s be frank and honest — your cybersecurity framework is overcomplicated. Many use long “checklists” to prove they are experts when, in reality, few of those things matter.

Instead, organizations should focus on the top five CIS (Center for Internet Security) Controls®. In my book, The Smartest Person in the Room, I discuss why you need to toss out the lists and master these five controls. Most importantly, because they stop 85 percent of all cyber-attacks. Knowing this, doesn’t it make sense they should be the priority? Until you have these five controls in place, nothing much else matters.

Why Overcomplication of the Cybersecurity Framework Is Rampant

If you put credence into the CIS and its expertise, why would so many cybersecurity professionals go off-script? Well, it has a lot to do with the challenges covered in my book about the degradation of the industry. The truth is that cybersecurity professionals are the reason cybersecurity methods are failing. Their actions lead to unnecessary complexity and ignorance of the basic principles.

The people problem and why they cling to their massive lists comes down to a few key areas. It starts with the paper tigers, who are professionals with lots of certifications or degrees that look good on paper. However, these paper tigers don’t have the skillset to perform effectively to protect your data and networks.

These paper tigers, or others who have experience but don’t continue to learn and stay open, often bring these traits to your team.

  • Insecurity: They never want to be wrong. They live to be right. It’s important for them to look like the superior one on the topic, so they manipulate the cybersecurity framework to prove their worth, often at the detriment of the business.
  • Fear: These individuals are afraid to look like they don’t have all the answers. They never ask questions or invite discussion. They live in constant fear that others will discover their ineptitude.
  • Defensiveness: Fearful people are also defensive. Their listening skills devolve into what they can agree or disagree with, meaning they don’t hear much at all. They care too much about being the smartest one; they’ll react negatively to anyone questioning that.
  • Posturing: People who are insecure, afraid, and defensive use posturing like it’s their job. Their posture is to develop a complex cybersecurity framework, and then they hide behind it.
  • Poor communication: Technical folks live with the stereotype they are bad communicators. This isn’t always true, but in the scope of this discussion, paper tigers with the above traits do not excel at communication. They love jargon and buzzwords that make them sound smart.

How Did the Industry Get Here?

As noted earlier, over-certification has been a big driver. Paper tigers also continue to water down a cybersecurity team by hiring those that don’t intimidate them. Entire teams or firms could be paper tigers, and they’ll hold dear to their long, complex lists. It’s their safeguard. And it’s junk.

What they should care about are the basics:

  • What does the company do?
  • What do they need to protect?
  • What’s important to the business?

The responses to these questions are the foundation for building a cybersecurity approach. Without this information, you can’t understand the risk or create a personalized strategy. Instead of keeping it simple, paper tigers just refer to their checklist.

Ditch the Checklist, Focus on the Five

If any organizational leader is reading this, I urge you to ditch your checklist immediately. It’s not providing value. It’s a front. Instead, it’s time to get back to the basics and truly execute consistently on the five CIS controls.

Control One: Inventory of Authorized and Unauthorized Devices

This control represents hardware inventory. You need to manage all hardware devices on your network actively. Management includes:

  • Inventorying
  • Tracking
  • Correcting

These activities are necessary to ensure that any unauthorized devices do not gain access to the network. This is an essential control because hackers are always scanning and waiting for an unprotected system to enter your network. They are eager to find devices that connect and disconnect from the network, most commonly BYOD (bring your own device).

If BYOD is prevalent on your network, your IT team may not have administrative control of that hardware. It could be lacking essential updates or patches, which a threat actor will exploit. BYOD is a challenge for large enterprises, but you need to get this under control.

The best approach is to use an active discovery tool to identify and update authorized devices. You also need an accurate inventory of assets, including those not connected to the network.

Control Two: Inventory of Authorized and Unauthorized Software

On the other side of IT is software, and you need to manage it just as you do hardware. Your network needs to prevent any unauthorized software from being downloaded or installed. Hackers love to get in through software failures. Plenty of cybersecurity incidents have started with software exploitation. If unauthorized software makes it into your network, hackers can install backdoor programs easily. If you don’t know what software is on your network, how can you protect it?

Managing software requires software inventory tools for automation. Another best practice is whitelisting (allowlisting) known-safe software. This control is also vital in planning for incident response, backup, and recovery.
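Controls One and Two both come down to reconciling what is actually present against what is authorized. The following is an added example (not code from the original post or from CIS) that compares active-discovery results with an authorized device inventory, reports inventory entries the scan did not see, and checks installed software on each host against its allowlist; the MAC addresses, hostnames and package names are constructed sample data.

```python
"""Reconcile authorized inventories against discovery results (CIS Controls 1 and 2).

Added example. All device names, MAC addresses and package names below are
constructed sample data, not taken from any real network.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    mac: str        # normalized lower-case, colon-separated
    hostname: str
    owner: str      # business owner or team, so findings can be routed


def norm_mac(mac: str) -> str:
    """Normalize AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or AA:BB:.. to aa:bb:cc:dd:ee:ff."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def reconcile_devices(authorized: list[Device], discovered: list[dict]) -> dict:
    """Split discovery output into unauthorized devices and inventory entries not seen.

    `discovered` is the output of an active discovery scan as a list of
    {"mac": ..., "ip": ...} records. Inventory entries absent from the scan are
    reported too: they may be offline assets or BYOD that comes and goes, and
    the inventory must still account for them.
    """
    by_mac = {d.mac: d for d in authorized}
    seen = set()
    unauthorized = []
    for rec in discovered:
        mac = norm_mac(rec["mac"])
        seen.add(mac)
        if mac not in by_mac:
            unauthorized.append({"mac": mac, "ip": rec["ip"]})
    not_seen = sorted(mac for mac in by_mac if mac not in seen)
    return {"unauthorized": unauthorized, "not_seen": not_seen}


def unauthorized_software(allowlist: dict[str, set[str]],
                          installed: dict[str, set[str]]) -> dict[str, set[str]]:
    """Per host, report installed packages that are not on that host's allowlist."""
    findings = {}
    for host, pkgs in installed.items():
        extra = pkgs - allowlist.get(host, set())
        if extra:
            findings[host] = extra
    return findings


# Constructed sample data.
AUTHORIZED = [
    Device(norm_mac("00-1A-2B-3C-4D-5E"), "fin-ws-01", "finance"),
    Device(norm_mac("001a.2b3c.4d60"), "fin-ws-02", "finance"),
    Device(norm_mac("00:1a:2b:3c:4d:70"), "hr-laptop-03", "hr"),   # not online today
]
DISCOVERED = [
    {"mac": "00:1A:2B:3C:4D:5E", "ip": "10.0.5.11"},
    {"mac": "00:1a:2b:3c:4d:60", "ip": "10.0.5.12"},
    {"mac": "DE:AD:BE:EF:00:01", "ip": "10.0.5.77"},   # not in inventory
]
ALLOWLIST = {"fin-ws-01": {"office-suite", "edr-agent"},
             "fin-ws-02": {"office-suite", "edr-agent"}}
INSTALLED = {"fin-ws-01": {"office-suite", "edr-agent"},
             "fin-ws-02": {"office-suite", "edr-agent", "remote-desktop-tool"}}

if __name__ == "__main__":
    print(reconcile_devices(AUTHORIZED, DISCOVERED))
    print(unauthorized_software(ALLOWLIST, INSTALLED))
```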

Control Three: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

For all hardware and software, you need to manage the security configurations constantly. It involves a robust change control process. The default settings for most hardware and software are for ease of use, not protecting a network.

You can’t leave them at default! It’s crucial to develop a configuration strategy that reduces risk and allows people to do their job. It’s a balancing act. And that strategy can’t stay stagnant either. It requires frequent evaluation and adjusting. A Security Content Automation Protocol (SCAP) configuration is a good guide for monitoring and verifying.

Control Four: Continuous Vulnerability Assessment and Remediation

Cybersecurity is ever-changing, and hackers get smarter all the time. That’s why you must continuously assess vulnerabilities and remediate them quickly. New information is always streaming in, from software patches to security advisories. Your team needs to stay on top of this to identify vulnerabilities proactively.

Without constant scanning and assessments, your organization is in danger every day of an incident. To execute this well, use a SCAP-compliant scanner. You should also deploy automated software updates as soon as they are available.

Control Five: Controlled Use of Administrative Privileges

Who has access to your systems? Access is another component that attackers target to cause havoc. You’ll need a tool that allows you to track, control, and assign administrative privileges.

Uncontrolled administrative privileges are a hacker’s dream. They can get in with phishing tactics that get a user to click or download something that’s not safe. If that user has administrative privileges, the hacker can take over fast. They can also get in by cracking easy passwords for admin accounts. Things like this occur when lots of people have admin access with identical passwords.

The best way to protect against this is ensuring admin users have a dedicated account for administrative activities. It should not be used for anything else. Additionally, log and alert on the creation and removal of admin accounts.
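As an added example (not code from the original post), here is the alerting logic for that last point run over a few constructed security-log lines: it flags the creation and deletion of admin accounts, additions to privileged groups, and the case the dedicated-account rule forbids, a day-to-day account gaining admin rights. The event IDs are the standard Windows Security log IDs for account created (4720), account deleted (4726) and member added to a global or local security group (4728, 4732); the JSON line format, field names, group names, account names and the "-adm" naming convention are assumptions.

```python
"""Alert on admin account openings, closures and privileged-group changes (CIS Control 5).

Added example. Event IDs 4720/4726/4728/4732 are standard Windows Security log
IDs; the JSON line layout, field names, account and group names are constructed.
"""
import json

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
ADMIN_SUFFIX = "-adm"   # assumed naming convention for dedicated admin accounts

OPEN_EVENTS = {"4720": "admin account created"}
CLOSE_EVENTS = {"4726": "admin account deleted"}
GROUP_ADD_EVENTS = {"4728", "4732"}


def is_admin_account(name: str) -> bool:
    return name.lower().endswith(ADMIN_SUFFIX)


def evaluate(event: dict) -> list[str]:
    """Return alert strings for one parsed event (empty list if nothing to flag)."""
    eid = str(event.get("EventID"))
    target = event.get("TargetAccount", "")
    actor = event.get("Subject", "?")
    alerts = []
    if eid in OPEN_EVENTS or eid in CLOSE_EVENTS:
        if is_admin_account(target):
            what = (OPEN_EVENTS | CLOSE_EVENTS)[eid]
            alerts.append(f"{what}: {target} by {actor}")
    elif eid in GROUP_ADD_EVENTS:
        group = event.get("Group", "")
        if group in PRIVILEGED_GROUPS:
            alerts.append(f"{target} added to {group} by {actor}")
            if not is_admin_account(target):
                # A day-to-day account gained admin rights, which breaks the
                # dedicated-admin-account rule.
                alerts.append(f"non-dedicated account {target} now in {group}")
    return alerts


def scan_log(lines: list[str]) -> list[str]:
    """Parse JSON event lines; an unparseable line is reported, not fatal."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            alerts.append(f"unparseable log line skipped: {line[:40]}")
            continue
        alerts.extend(evaluate(event))
    return alerts


# Constructed sample log lines.
SAMPLE_LOG = [
    '{"Time":"2024-05-03T09:12:44Z","EventID":4720,"Subject":"alice-adm","TargetAccount":"svc-backup-adm"}',
    '{"Time":"2024-05-03T09:13:01Z","EventID":4720,"Subject":"alice-adm","TargetAccount":"jsmith"}',
    '{"Time":"2024-05-03T09:14:10Z","EventID":4732,"Subject":"bob","TargetAccount":"jsmith","Group":"Administrators"}',
    '{"Time":"2024-05-03T09:15:30Z","EventID":4732,"Subject":"bob","TargetAccount":"jsmith","Group":"Remote Desktop Users"}',
    '{"Time":"2024-05-03T17:40:02Z","EventID":4726,"Subject":"alice-adm","TargetAccount":"old-dba-adm"}',
    'garbage line',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print("ALERT:", alert)
```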

These controls are not easy to implement and manage. They are continuous activities that a team has to control. Until an organization has these in good order, everything else is meaningless. It doesn’t matter how many items are on the “list” or how professional they sound. They are just words, and when you go by such a list, there is rarely a full and competent execution. Getting back to the basics is what really matters.

Simplify Your Cybersecurity Framework

The first step to simplify your cybersecurity framework is making sure your employees grasp the five CIS Controls. Do they have this foundational knowledge? Or are they posturing paper tigers? To master these controls, you need to get your people “in shape.” I go over this in detail and more in my book, The Smartest Person in the Room. Order it today to get your cybersecurity framework back on track.

The Truth About Cybersecurity Certifications

Almost every industry has certifications. Some carry more weight than others, but it’s clear there’s a trend of over-certification in cybersecurity. Most cybersecurity certifications aren’t hard to obtain and thus are not an illustration of someone’s expertise. The industry is creating many paper tigers — someone who claims to have knowledge but just passed a multiple-choice test to earn a certification.

The Certification Structure Is Failing Us

The explosion of paper tigers in the industry is setting businesses up for cybersecurity failure. The bar for earning certifications has become dangerously low. Equally concerning is that there are no specific regulations on training or hours for cybersecurity professionals. In contrast, skilled trades require a certain amount of training hours, apprenticeships, and more. That’s a problem because those that are in place to protect one of your company’s most valuable assets — your data — aren’t ready to be in that position.

Certifications Do Not Equal Quality Talent

For many years, the industry has been buzzing about the lack of talent; there weren’t enough cybersecurity professionals to feed the demand. With this alarming message, certifications in the field became like a golden ticket to employment. The industry needed an influx of talent. Unfortunately, certifications do not equal quality talent. IT leaders, however, believe that certifications bring value. They do at times, but it’s risky to put so much emphasis on a few letters.

They are merely Band-Aids placed on the problem of putting effective people into roles. Hiring demand was high, and certifications suddenly became what every hiring manager was seeking.

The proliferation of certifications is a cause-and-effect situation. Technology innovation and advancements required more professionals in the industry. Then there was a talent gap or a lack of people in the field. In turn, organizations promoted certifications that would give anyone a prosperous career path — except most certifications don’t test for knowledge, rubber-stamping individuals to increase the number of certified professionals. More education, however, isn’t the answer either.

College Degrees Don’t Solve the Talent Gap Either

The next logical answer to the talent gap is college degrees. Because surely, those graduating from university are prepared for the world. We know that’s not the case, as many graduates walk out into the real world and find themselves lost.

If every company required a four-year college education to get a job, there would be fewer candidates. But those candidates aren’t always going to be qualified. That’s because the university model has its own shortcomings, especially in the technology realm.

Think about how fast cybersecurity is changing. Every day, there are new attacks, each one more complex than before. It’s hard to capture all this movement in a textbook. How could a professor keep pace with this, especially one that’s not in the trenches? Frankly, there are a minimal number of capable professors with real-world experience. So, it’s all theory, and that’s what they teach. Theory very seldom equals reality.

Even applied sciences universities, which aim to be more practice-oriented, don’t adequately prepare students for a real job in cybersecurity. I was a cybersecurity professor at a university and attempted to bring practicality into the lessons. I framed my classes as real scenarios, leaving the books behind. I was trying to lead with practical knowledge, except the students complained and said it was too hard.

This experience proved to me that cybersecurity students wanted an academic degree, not a practical one. They either lacked passion or had no cognition of what cybersecurity work really is. Maybe Hollywood movies about hacking influenced their field of study. And that portrayal of the industry is anything but realistic.

What I learned from this was that the university system, like the certification one, is broken. Higher learning is not preparing students for the day to day of cybersecurity careers.

Hiring Practices Need to Evolve, Too

The other part of the cybersecurity certification and degree problem is hiring practices. Certifications are given far too much gravity over having useful hard and soft skills. Industry experts are aware of the over-certification, giving little importance to those pieces of paper. However, mainstream corporate hiring managers still give credence to the fact that someone passed a test, for which they could have easily memorized the answers.

Applicants then quickly update their resume and soon land a job in cybersecurity. Cybersecurity teams then become overrun by paper tigers. These individuals don’t have the skillset or experience to face the many challenges of the cybersecurity war. They are up against a more sophisticated army of hackers with a much higher acumen than those on the front lines protecting your organization.

The cycle continues. These paper tigers then hire more unqualified people. A paper tiger isn’t going to bring on someone that knows more than they do because they need to be the smartest person in the room. So, yes, the bar’s that low.

A disruption to the cybersecurity certification system needs to occur. Companies can push back on the certification ecosystem by requiring that certifications be practical.

The Shift to Practical Cybersecurity Certifications

So, how do we turn things around and be real about certifications while also improving them? The first step is to emphasize practical certifications.

Even though I believe there is an over-certification issue in the field, and most are worthless, I’m not counting out all certifications. The industry of training and companies hiring cybersecurity professionals needs to shift to practical certifications.

Practicality is not acing a multiple-choice exam. It’s functional and puts students in real-world scenarios to respond. As someone that holds over 25 certifications, I have a good idea of which ones are actually proof of expertise, and those are few.

Some certification bodies are evolving and doing it right. I’d be remiss not to call out some of the companies helping to fix the cybersecurity talent problem.


CompTIA offers cybersecurity certifications that combine hands-on experience and performance-based and multiple-choice questions. Their curriculum stays up to date on what’s happening in the field, focusing on techniques to combat new and emerging threats.

Their PenTest+ certification includes the elements discussed above and the management skills necessary to scope and manage weaknesses, not just exploit them.


The International Council of Electronic Commerce Consultants (EC-Council) is the world’s largest cybersecurity technical certification body. They have developed several well-known and respected certifications:

  • Certified Ethical Hacker (CEH)
  • Computer Hacking Forensic Investigator (CHFI)
  • Certified Chief Information Security Officer (CCISO)
  • Licensed Penetration Tester – Master (LPT Master)

The National Security Agency (NSA) and the Committee on National Security Systems (CNSS) endorse their programs, and they have accreditation from the American National Standards Institute (ANSI).

The CEH program, which I think is one of the best, is an immersive class that includes 24 hacking challenges across four levels of complexity, covering 18 attack vectors. It’s a real hands-on practical learning experience. The practical part of the exam would be unpassable for paper tigers. You can’t memorize how to apply techniques to scenarios. It requires critical thinking and knowledge.

If you’re looking for a certification that translates into a cybersecurity job, the CEH should be at the top of the list.

Fixing the Hiring Practice Problem

The first thing any company should do regarding hiring is to let go of the fallacy that a certification is a mark of expertise. You need to have a broader view of what certification means. Simply put, was it a practical or a multiple-choice test?

Even if the person has a long list of certifications, this still isn’t a sign they have the skills you need. If you want to know whether the candidate has the knowledge you assume comes with these certifications, ask the right questions. If they can validate with their answers, you can feel more confident in the worth of those certifications.

The next part is to focus more on hard and soft skills. Hard skills align more with certifications and degrees. They are also testable. You can quickly discover if they have these. Soft skills are harder to gauge. You’ll learn that soft skills are often more valuable. They include being a good communicator and collaborator. Others are a willingness to change and evolve, staying curious and perceptive. In the end, they are people skills, and that may be the real skills gap in cybersecurity.

People Skills Are More Impressive than Certifications

Helping cybersecurity professionals enhance and grow their people skills could be the answer to winning the cyberwar. It’s not an easy proposition, but it’s possible to transform your employees (if they have the right mindset) and build their people skills. That’s the heart of my book, The Smartest Person in the Room. Read it today to learn more about cultivating your people.

Your Cybersecurity Methods Are Failing – Here’s Why

As much as every organization wants to believe they are cyber secure, the reality paints a different story. Cybersecurity methods continue to evolve with an emphasis on tactics and technology. This progression of companies and government agencies follows the cybersecurity status quo that it’s a hardware and software issue.

And that’s just a complete disregard for the real problem. If you want to know why your cybersecurity methods are failing, it’s because it’s a people issue. This is a major theme of my book, The Smartest Person in the Room. It’s a reality that most organizations don’t want to face. Not because they don’t accept this notion; it’s because they don’t even have an awareness of it!

The Cybersecurity Landscape Points to Failures

There is plenty of available data and statistics that illustrate failures. They don’t necessarily lead to the why, but they are important for context nonetheless. Cybersecurity risk is growing, and incidents are increasing.

If you’re in the industry, these numbers aren’t new to you. However, that doesn’t mean they shouldn’t be eye-opening. The numbers continue to trend up, and an organization’s go-to for this is money and defenses.

Cybersecurity Method Failures Aren’t About Spend or Defenses

Cybersecurity budgets keep increasing. Financial services, one of the sectors most prone to cyber-attacks, spend 10% of their IT budget on cybersecurity. Tech giants like Microsoft spend even more. The company’s CEO said they would spend more than $1 billion. Government spending is up as well, with the 2019 budget for the U.S. at $15 billion.

It’s not a money problem. Dollars are essential to fighting the cyberwar, for the best technology, talent, and infrastructure. Unfortunately, many organizations believe if they spend enough, they’ll be free from attack. High budgets do allow for more technology and people, but that doesn’t always equal a successful program. Companies often learn, when something goes wrong, that money and processes do not make their networks impenetrable.

All you need to do is look at the SolarWinds hack, which led to the infiltration of at least 18,000 government and private networks. It illustrates the weaknesses of supply chain security and certainly didn’t happen because they weren’t spending buckets of money. There’s no definitive answer on what the failures were in this case, but in looking at possible explanations, it could turn out to be a people problem.

One possible line to draw: the former Chairman of the Joint Chiefs of Staff said of probable cyber attackers, “If they know that we have an incredible offensive capacity, it should deter them from conducting attacks on us.”

The position was that if would-be hackers knew the prowess of the U.S.’s cyber arsenal, they’d cower. That didn’t really work out very well and points to a larger problem within the cyber community. This example in no way characterizes these experts as incompetent. Rather, it shines a light on the culture of cybersecurity.

What’s the Real Reason Cybersecurity Measures Aren’t Working?

As I said in the introduction, it’s the people entrusted with the security. It doesn’t necessarily mean they aren’t knowledgeable or don’t have training and experience. The profession is broken. Those who are practicing cybersecurity and the leadership that manages, hires, and recruits them need a reset.

Here’s why you’re failing and what you can do about it.

Cybersecurity Professionals Aren’t Passionate

Most would say that to succeed in a career, passion is necessary. If you look at those who have achieved great things in any profession, it wasn’t their intellect alone. They had the drive and were invested in their work. Most cybersecurity professionals don’t have this. They don’t take it seriously or simply want to punch a clock. They believe it’s a stable career and do the minimum.

On the other side, cybercriminals are passionate. This is their livelihood, and they treat their endeavors like Olympians chasing gold medals. When there’s this kind of imbalance in protectors versus perpetrators, the hackers are going to win.

The Prevalence of Paper Tigers

Paper tigers in cybersecurity are diluting the profession. What it means is they look good on paper — they have a certification or multiple ones as proof that they know what to do.

Unfortunately, they don’t.

They have very little real knowledge or experience. Organizations hire them, and they immediately become a risk, not a value. They don’t know what they don’t know, and that’s scary. Paper tigers also tend to have fragile egos, so they’ll never admit they don’t have the answer or understand the situation. They’ll keep backpedaling and become defensive instead of being communicative and collaborative.

The situation becomes worse as paper tigers hire paper tigers. Then you have a whole team of “professionals” that have no idea how to protect your data and infrastructure.

A Culture of Insecurity

As I just touched on, paper tigers are insecure. So are many in the profession, regardless of their skillset. Technical folks take a lot of self-worth and value in their career, and that would plummet if they suddenly admitted they weren’t the smartest person in the room. They feel they have earned their way because they have the certifications or degrees on the wall.

Insecurity means people are closed off from learning and growing. Their blind spot keeps getting bigger. In turn, they begin making cybersecurity methods more complex and complicated, believing only they know how to apply them. Such a framework doesn’t provide any guarantees that you’re free from risk. In fact, they can make you less secure. It’s like having 10 locks on your door but leaving it wide open. It’s an illusion of security.

Insecurity and Fear Lead to Posturing

Those in charge of cybersecurity also have fear mixed with insecurity. They are fearful that peers or leadership will find out that they don’t have all the answers or experience. So, they counter by posturing. The posture they present is that they “know” what’s going on and how to be cyber secure. This defense mechanism results in using big words and overcomplicating the basics. In reality, there are five CIS (Center for Internet Security) Controls that will stop 85 percent of all attacks. Further, cybersecurity professionals who posture don’t even cover the basics:

  • What do you do?
  • What are you trying to protect?
  • What’s important to the business?

Paper tigers and insecure people aren’t going to ask any questions! They’ll just start laying out jargon and puffing their chests. They only want to seem like they have it under control when there’s a fire in the kitchen, and they don’t even know what baking soda is.

The Biggest People Problem? Communication

There’s a consensus among many that technical people have bad communication skills. That’s not universally true, but I would say it’s the biggest people problem in cybersecurity. They are long on jargon or buzzwords and short on substance.

They also often can’t articulate how and why they do things, and they certainly butt heads with business-focused colleagues. Poor communication skills, or a lack of them altogether, is why cybersecurity groups fail internally most of the time.

If there’s no openness in communication, there’s no collaboration or teamwork. Cybersecurity has to be a group effort, and everyone must be on the same page. That’s hard when there are communication barriers.

Moving from Failure to Succeeding in Cybersecurity

Fundamentally, if your business has been the victim of cybercrime, it was likely a people problem. If you haven’t had an incident, it’s probably a matter of if, not when. In either situation, you need to make some people changes.

My approach to solving the people problem and bolstering cybersecurity is the Secure Method. This approach focuses on soft skills and helping professionals lead with their head and heart. It’s a step-by-step guide with seven parts:

  1. Awareness of self and others
  2. Mindset moving from fixed to growth
  3. Acknowledgment of self (removing ego) and others when they make positive changes
  4. Communication (words, tone, and body language): learning how to articulate feelings and situations and listening
  5. Monotasking (concentrated work)
  6. Empathy (looking at others’ perspectives with compassion)
  7. Kaizen (change for the better by being better)

I’ve given you a very brief explanation of each step. There is a lot more, including how to make it through each step. The Secure Method is actionable, and any organization can use it to solve the people problem.

You can read all about it by ordering my book, The Smartest Person in the Room. It will give you a unique perspective on cybersecurity and how to harness and develop talent to really be cyber secure.