<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Cybersecurity Archives - Christian Espinosa</title>
	<atom:link href="https://christianespinosa.com/blog/category/cybersecurity/feed/" rel="self" type="application/rss+xml" />
	<link>https://christianespinosa.com/blog/category/cybersecurity/</link>
	<description>Bestselling Author &#124; Keynote Speaker &#124; Cybersecurity Expert</description>
	<lastBuildDate>Sun, 17 Sep 2023 19:28:24 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.6.1</generator>

<image>
	<url>https://christianespinosa.com/wp-content/uploads/2021/09/cropped-Christian-Espinosa-Blue-White-Logo-32x32.png</url>
	<title>Cybersecurity Archives - Christian Espinosa</title>
	<link>https://christianespinosa.com/blog/category/cybersecurity/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>What Is Threat Intelligence, and Why Is It Important in Supporting Your Cyber Team?</title>
		<link>https://christianespinosa.com/blog/what-is-threat-intelligence-and-why-is-it-important-in-supporting-your-cyber-team/</link>
					<comments>https://christianespinosa.com/blog/what-is-threat-intelligence-and-why-is-it-important-in-supporting-your-cyber-team/#respond</comments>
		
		<dc:creator><![CDATA[Christian Espinosa]]></dc:creator>
		<pubDate>Sun, 17 Sep 2023 19:28:24 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Secure Methodology]]></category>
		<category><![CDATA[secure methodology]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<guid isPermaLink="false">https://christianespinosa.com/?p=2858</guid>

					<description><![CDATA[<p>Threat intelligence offers a unique approach to cybersecurity in the 21st century. It provides visibility and helps eliminate blind spots across the threat landscape. Cyber professionals still have to wear their “detective” hats to pull together insights, but they now have a better map to use. You’ll be able to observe cybercriminals and understand their [&#8230;]</p>
<p>The post <a href="https://christianespinosa.com/blog/what-is-threat-intelligence-and-why-is-it-important-in-supporting-your-cyber-team/">What Is Threat Intelligence, and Why Is It Important in Supporting Your Cyber Team?</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img fetchpriority="high" decoding="async" class="size-medium wp-image-2859 alignright" src="https://christianespinosa.com/wp-content/uploads/2023/09/j-schiemann-HvaMFqvBbrE-unsplash-300x199.jpg" alt="threat intelligence" width="300" height="199" srcset="https://christianespinosa.com/wp-content/uploads/2023/09/j-schiemann-HvaMFqvBbrE-unsplash-300x199.jpg 300w, https://christianespinosa.com/wp-content/uploads/2023/09/j-schiemann-HvaMFqvBbrE-unsplash-1024x680.jpg 1024w, https://christianespinosa.com/wp-content/uploads/2023/09/j-schiemann-HvaMFqvBbrE-unsplash-768x510.jpg 768w, https://christianespinosa.com/wp-content/uploads/2023/09/j-schiemann-HvaMFqvBbrE-unsplash-1536x1020.jpg 1536w, https://christianespinosa.com/wp-content/uploads/2023/09/j-schiemann-HvaMFqvBbrE-unsplash-2048x1360.jpg 2048w, https://christianespinosa.com/wp-content/uploads/2023/09/j-schiemann-HvaMFqvBbrE-unsplash-640x425.jpg 640w" sizes="(max-width: 300px) 100vw, 300px" />Threat intelligence offers a unique approach to cybersecurity in the 21st century. It provides visibility and helps eliminate blind spots across the threat landscape. Cyber professionals still have to wear their “detective” hats to pull together insights, but they now have a better map to use.</p>
<p>With a clear understanding of cybercriminals’ capabilities, you’ll be able to observe them and understand their attack strategies. That’s the opportunity, but you may not be getting the full value of threat intelligence in your organization. Outcomes vary, with some businesses heralding it while others feel overwhelmed by it.</p>
<p>In this post, we’ll review what threat intelligence is, its current impact, and what it all means to your cyber team.</p>
<h2>What Is Threat Intelligence?</h2>
<p>Threat intelligence describes the activities of collecting, processing, and analyzing data to understand a cyber criminal’s motives, targets, and attack behaviors. It should empower an organization to make quicker, more informed, data-driven security decisions. It can also help change your position to be more proactive than reactive.</p>
<p>There are three areas of threat intelligence:</p>
<ul>
<li><strong>Tactical:</strong> This segment focuses on malware analysis and enrichment and examines threat indicators around your cyber defenses.</li>
<li><strong>Operational:</strong> This category covers understanding the capabilities, infrastructure, and techniques of threat actors and leveraging that understanding to conduct more targeted cyber operations.</li>
<li><strong>Strategic:</strong> This classification involves a high-level understanding of trends and motives and then using it to improve your strategy and decision-making.</li>
</ul>
<h2>Why Does Threat Intelligence Matter?</h2>
<p>Cyberattacks are constant and unrelenting. They are always in a state of growth and flux, with new attack methods springing up every day. Your good guys are constantly at war with hackers, and threat intelligence gives you an edge.</p>
<p>It can play an essential role in cybersecurity, including:</p>
<ul>
<li>Offering information on the unknown, which much of the cyber landscape is, to support better decisions</li>
<li>Empowering cyber stakeholders to uncover the motives of threat actors and the tactics, techniques, and procedures they use</li>
<li>Ensuring cyber professionals are aware of the perspective and motivations behind hacker decision-making</li>
<li>Providing essential information to the business side of a company, so they invest in cybersecurity and mitigate risk</li>
</ul>
<p>When you use threat intelligence, you can tailor your defenses, which builds cyber resilience. While many see its value, realizing it isn’t easy. Most cyber teams are still at the basic level, such as integrating threat data feeds into existing networks, firewalls, IPS (intrusion prevention systems), and SIEM (security information and event management).</p>
<p>What do those using it actually experience?</p>
<h2>How Are Organizations Using Threat Intelligence?</h2>
<p>In a recent <a href="https://www.scmagazine.com/whitepaper/threat-intelligence-eyes-on-the-enemy" target="_blank" rel="noopener">cyber risk survey</a>, professionals had differing views of threat intelligence. Many stated it’s a significant support for cyber resilience, enabling them to be more proactive. Its other positive reviews include its ability to deliver insights and visibility. It allows greater awareness of the mind of a hacker, enabling cyber professionals to know what to look for in the <a href="https://christianespinosa.com/blog/does-your-cyber-team-truly-understand-your-threat-landscape/" target="_blank" rel="noopener">threat landscape</a>.</p>
<p>This sentiment wasn’t echoed by everyone. Other companies said it overwhelmed their team with all the alerts. Some also indicated that it produced failures in managing third-party risk.</p>
<p>Overall, a thread throughout respondents was that adapting is key to outmaneuvering threat actors. This approach requires several things, including:</p>
<ul>
<li>Automating some parts of threat detection</li>
<li>Collecting more data about threats for human analysis</li>
<li>Investing in tools and technology to support threat intelligence and integrating them into the enterprise</li>
<li>Improving the <a href="https://christianespinosa.com/blog/how-to-develop-soft-skills-in-your-cybersecurity-team/" target="_blank" rel="noopener">soft skills of cyber professionals</a> so they can effectively communicate the intelligence and act on it</li>
</ul>
<p>These varied viewpoints put into focus where the opportunities and challenges are.</p>
<h2>The Opportunities and Challenges of Threat Intelligence</h2>
<p>In evaluating the current use cases and value of threat intelligence, you have to account for the possibilities and the problems. Let’s look at those:</p>
<h3>How You Use Data Determines Its Value</h3>
<p>Most threat intelligence data comes from internal network traffic, not external sources like the dark web. As a result, its value often aligns with two areas of cybersecurity — improving incident response and internal awareness.</p>
<p>Those are critical areas of your strategy and demonstrate the ability to be proactive. Enhancing your plans for reacting to threats fits in this category. The actual response is not proactive, so the benefit is being more prepared.</p>
<p>With internal awareness, you are using the data to predict where threat actors will attack. How your technical folks use it could be the problem. In general terms, those in the field lack awareness of themselves and others. They have narrow perspectives and think in ones and zeros. The most technically adept cyber professional can still falter here because they aren’t adapting their mindset to align with what hackers are doing right now. Thus, you have to help them develop awareness for this intelligence to be actionable.</p>
<h3>Automating Threat Intelligence Reduces Manual Work, But Human Analysis Is Still Necessary</h3>
<p>There are lots of great systems that can automate threat detection and respond to it. Automation acts as an early warning tool that puts less strain on your team, which may already be short-staffed. These tools are helpful and practical, but you still need human intelligence for analysis and improvement of strategies.</p>
<p>This is going to require <a href="https://christianespinosa.com/blog/improving-cybersecurity-communication-skills-why-its-more-than-just-being-articulate/" target="_blank" rel="noopener">communication</a> and collaboration inside your team and with other parties. For the analysis to be valuable, people have to think critically and creatively about the threat landscape. It’s not just a technical assessment of the information.</p>
<h3>Threat Intelligence Offers a Better Way to Update Your Playbook</h3>
<p>The policies, protocols, and strategies of cybersecurity reside in your playbook. It’s a fluid document that evolves as threats and risks do. What you learn from threat intelligence has a big impact on this playbook.</p>
<p>When your playbook goes through these updates, you also have to change the behavior of your people in relation to them. Change is hard for anyone or any organization. It may be even more difficult for technical folks. They like to keep things the same because it’s comfortable and gives them a better sense of control. Mindsets like these don’t help you manage risks and threats, so more development needs to happen in your people to align with what you get from threat intelligence.</p>
<p>In reviewing these components, you can see that threat intelligence is more than data, monitoring, and analysis. The human element is critical for it to really move your cyber operations forward. Developing specific attributes and abilities in the realm of people skills is just as necessary as implementing tools and technology.</p>
<p>As a result of this complex ecosystem, you can improve on the people part with the Secure Methodology™. It’s a seven-step program I developed to help cyber leaders do just that.</p>
<h2>Threat Intelligence and the Secure Methodology</h2>
<p>Having more data and information in cybersecurity doesn’t automatically mean it’s usable, practical, or seen as valuable. Technical people don’t deny data and its insights, but they can overlook them based on their own biases and fears. The Secure Methodology offers a way to overcome those. Here’s a quick introduction to the seven steps, which are the central theme in my book, <em><a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener">The Smartest Person in the Room</a>:</em></p>
<ul>
<li><strong><a href="https://christianespinosa.com/blog/the-secure-methodology-step-one-awareness/" target="_blank" rel="noopener">Awareness</a>:</strong> I mentioned awareness earlier and its importance in threat intelligence. It’s where the Secure Methodology begins, with the objective of opening people up to new perspectives, including those of cybercriminals. You can do this by coaching your people in a personalized way by understanding their motivations.</li>
<li><strong><a href="https://christianespinosa.com/blog/the-secure-methodology-step-two-mindset/" target="_blank" rel="noopener">Mindset</a>:</strong> Next is mindset, which is also very critical. You want to assist people in expanding their mindset from one that’s fixed to one that’s growing. Your people have to break outside of the black-and-white thinking that doesn’t allow for new ideas. The Secure Methodology offers exercises on reflection and accountability to foster this shift.</li>
<li><strong><a href="https://christianespinosa.com/blog/the-secure-methodology-step-three-acknowledgment/" target="_blank" rel="noopener">Acknowledgment</a>:</strong> In this phase, you must rethink how you acknowledge the work of your team (or start if you don’t do it at all). When you do this outwardly in response to how someone took intelligence and made a difference, it demonstrates to everyone that this is a means to an end. It also builds rapport and trust.</li>
<li><strong><a href="https://christianespinosa.com/blog/the-secure-methodology-step-four-communication/" target="_blank" rel="noopener">Communication</a>:</strong> Transforming technical people into better communicators isn’t easy, but it is always necessary. Open and transparent communication regarding threat intelligence is essential for it to be usable to deter hackers and thwart attacks.</li>
<li><strong><a href="https://christianespinosa.com/blog/the-secure-methodology-step-five-monotasking/" target="_blank" rel="noopener">Monotasking</a>:</strong> We are an industry of multitasking, but it’s not always a great way to be productive. Instead, encourage team members to do only one thing while they are assessing threat intelligence and to avoid distractions, which triggers more critical thinking.</li>
<li><strong><a href="https://christianespinosa.com/blog/the-secure-methodology-step-six-empathy/" target="_blank" rel="noopener">Empathy</a>:</strong> Step six refers to people being able to put themselves in the place of others. It aligns with all the stages before it and is crucial in deciphering and acting on threat intelligence. Your people have to think like hackers.</li>
<li><strong>Kaizen:</strong> The final stage is a Japanese term that translates to “continuous improvement.” It’s a step that never ends because cybersecurity will always need to evolve, and threat intelligence is a key driver for continuous adaptation.</li>
</ul>
<p>By applying the Secure Methodology, your organization can derive more value from threat intelligence, leading to better defenses. Get started today by <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener">reading my book</a> and exploring the <a href="https://programs.christianespinosa.com/the-secure-methodology" target="_blank" rel="noopener">Secure Methodology course</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://christianespinosa.com/blog/what-is-threat-intelligence-and-why-is-it-important-in-supporting-your-cyber-team/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>How to Upskill Cybersecurity Job Candidates to Transform Them Into High-Performers and Excellent Communicators</title>
		<link>https://christianespinosa.com/blog/how-to-upskill-cybersecurity-job-candidates-to-transform-them-into-high-performers-and-excellent-communicators/</link>
					<comments>https://christianespinosa.com/blog/how-to-upskill-cybersecurity-job-candidates-to-transform-them-into-high-performers-and-excellent-communicators/#respond</comments>
		
		<dc:creator><![CDATA[Christian Espinosa]]></dc:creator>
		<pubDate>Sun, 17 Sep 2023 19:09:14 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Secure Methodology]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[cybersecurity skills gap]]></category>
		<category><![CDATA[secure methodology]]></category>
		<guid isPermaLink="false">https://christianespinosa.com/?p=2852</guid>

					<description><![CDATA[<p>The cybersecurity workforce landscape is at a serious threat level. Millions of jobs are unfilled, and most companies state they can’t find qualified cybersecurity job candidates. If we continue on this trajectory, risks will rise and jeopardize the data and networks of thousands of businesses. As an industry, we must change how we hire, recruit, [&#8230;]</p>
<p>The post <a href="https://christianespinosa.com/blog/how-to-upskill-cybersecurity-job-candidates-to-transform-them-into-high-performers-and-excellent-communicators/">How to Upskill Cybersecurity Job Candidates to Transform Them Into High-Performers and Excellent Communicators</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img decoding="async" class="size-medium wp-image-2853 alignright" src="https://christianespinosa.com/wp-content/uploads/2023/09/campaign-creators-gMsnXqILjp4-unsplash-300x200.jpg" alt="cybersecurity training" width="300" height="200" srcset="https://christianespinosa.com/wp-content/uploads/2023/09/campaign-creators-gMsnXqILjp4-unsplash-300x200.jpg 300w, https://christianespinosa.com/wp-content/uploads/2023/09/campaign-creators-gMsnXqILjp4-unsplash-1024x683.jpg 1024w, https://christianespinosa.com/wp-content/uploads/2023/09/campaign-creators-gMsnXqILjp4-unsplash-768x512.jpg 768w, https://christianespinosa.com/wp-content/uploads/2023/09/campaign-creators-gMsnXqILjp4-unsplash-1536x1024.jpg 1536w, https://christianespinosa.com/wp-content/uploads/2023/09/campaign-creators-gMsnXqILjp4-unsplash-2048x1365.jpg 2048w, https://christianespinosa.com/wp-content/uploads/2023/09/campaign-creators-gMsnXqILjp4-unsplash-640x427.jpg 640w" sizes="(max-width: 300px) 100vw, 300px" />The cybersecurity workforce landscape is at a serious threat level. Millions of jobs are unfilled, and most companies state they can’t find qualified cybersecurity job candidates. If we continue on this trajectory, risks will rise and jeopardize the data and networks of thousands of businesses.</p>
<p>As an industry, we must change how we hire, recruit, and develop cybersecurity talent. <a href="https://christianespinosa.com/blog/cybersecurity-skills-based-hiring-why-tech-leaders-need-to-shift-their-idea-of-qualified/" target="_blank" rel="noopener">Expanding how you consider someone qualified</a> is a necessary step. Seeing the potential in someone who doesn’t necessarily check all the boxes is one way to address the shortage. For this to work long-term, upskilling must be a part of your employee development strategy.</p>
<p>This upskilling includes hard and soft skills because cyber job candidates need both to thrive. Let’s review the current cybersecurity workforce challenges, the facts about the skills gap, and how to upskill new hires.</p>
<h2>Cybersecurity Workforce Challenges</h2>
<p>Cybersecurity job growth is a bright spot in the tech industry, with many opportunities for someone to have a career that pays a good wage and is in demand. However, the field is currently experiencing significant shortages.</p>
<p>According to the <a href="https://www.isc2.org/-/media/ISC2/Research/2022-WorkForce-Study/ISC2-Cybersecurity-Workforce-Study.ashx" target="_blank" rel="noopener">(ISC)2 2022 Cybersecurity Workforce Study</a>, the global cybersecurity workforce grew to over 4.6 million, which is an 11.1% year-over-year increase. Unfortunately, 3.4 million jobs remain empty. As a result, many companies and cyber firms are operating without enough people, which can directly impact risk.</p>
<p>So, why is the industry struggling with recruitment and retention? It’s a complicated ecosystem, so there’s no easy answer. The cybersecurity workforce shortage is the result of several trends and occurrences, including:</p>
<ul>
<li>The cyber threat landscape is rapidly expanding, driving the demand for cyber professionals in all industries and businesses. In part, this is a supply and demand issue.</li>
<li>People leave the industry due to <a href="https://christianespinosa.com/blog/burnout-in-cybersecurity-can-you-prevent-it/" target="_blank" rel="noopener">burnout</a>. It’s a common problem in a high-stress environment, and most organizations aren’t doing enough to mitigate this. Without proper staffing, people have to do more work, which increases the feeling of burnout.</li>
<li>Younger generations aren’t choosing cybersecurity as a career. Only <a href="https://www.isaca.org/state-of-cybersecurity-2022" target="_blank" rel="noopener">12% of the cybersecurity workforce is 34 or younger</a>. The industry needs to find ways to connect with students to attract new people into the field.</li>
<li>Many organizations place too much emphasis on degrees and certifications, which often don’t correlate to having the right abilities, aptitudes, and attitudes. As a result, companies reject those who could be a better fit but need some upskilling.</li>
</ul>
<p>If the industry remains on this path, the shortages will only worsen. Intervention is necessary for the entire community. To ensure your data and networks remain protected, you can refocus on <a href="https://christianespinosa.com/blog/cybersecurity-skills-based-hiring-why-tech-leaders-need-to-shift-their-idea-of-qualified/" target="_blank" rel="noopener">skills-based hiring</a>.</p>
<h2>The Cybersecurity Skills Gap</h2>
<p>We can’t talk about the labor shortage without addressing the <a href="https://christianespinosa.com/blog/is-the-cybersecurity-skills-gap-fact-or-fiction-it-depends-on-the-skills/" target="_blank" rel="noopener">cybersecurity skills gap</a>. It would be great if every cybersecurity job candidate had years of experience and an array of skills. However, cyber leaders agree that a skills gap exists. According to the same workforce study cited above, 55% of hiring managers say applicants don’t meet the criteria of being qualified. The deficit here includes:</p>
<ul>
<li>Hands-on training and experience</li>
<li>Credentials</li>
<li>Degrees</li>
<li>Recommendations</li>
</ul>
<p>These things don’t always indicate that the person can do the job. The same study also looked at specific skills with gaps, which are the ones that matter in terms of upskilling. The skills in demand and often lacking are:</p>
<ul>
<li>Soft skills (e.g., communication, leadership, adaptability)</li>
<li>Cloud computing</li>
<li>Security controls (e.g., network, application, endpoint, implementation)</li>
<li>Coding skills</li>
<li>Software development-related topics (e.g., machine code, testing, languages, deployment)</li>
<li>Data-related topics (e.g., characteristics, collection, classification, processing, structure)</li>
<li>Network-related topics (e.g., architecture, networking components)</li>
<li>Pattern analysis</li>
<li>System hardening</li>
<li>Computing devices (e.g., software, hardware, file systems)</li>
</ul>
<p>It’s a mix of soft and hard skills, but the latter was at the top of the list. It’s possible to develop both of these in an individual who has the desire to learn and evolve. Those abilities aren’t always apparent in technical folks. However, if they are willing and have a good foundation to start from, upskilling can be the key to keeping great people long-term and continuously improving.</p>
<p>So, what’s the upskilling plan?</p>
<h2>Building an Upskilling Plan for Cybersecurity Job Candidates</h2>
<p>The first part of the plan should start with a clean slate of qualifications. Define what is imperative and what someone can learn over time. Get to the root of what makes someone a good cyber professional and what attributes they should possess.</p>
<p>In upskilling, you’ll have two paths — technical and soft skill development.</p>
<h3>Addressing Technical Upskilling</h3>
<p>In looking back at the list of skills above, those in the technical category are pretty standard. That’s a good starting point, but you should also consider the future and add training around AI tools and use cases. The curriculum will evolve as the threat landscape does.</p>
<p>How will they learn these skills? You need to create a learning environment for employees. This can include hands-on training internally, certification classes that you determine as high-quality, and other resources. Making continuing skill development part of your recruitment and retention strategy can attract people to your company and ensure you keep high-performers.</p>
<p>The other part of this is soft skills, and the plan to develop these in technical folks can be more demanding and challenging.</p>
<h3>Improving Soft Skills in Cybersecurity</h3>
<p>Soft skill development is a path that requires commitment and consistency. It’s about behavior change, and there can be many growing pains. First and foremost, you want to find cybersecurity job candidates who are open to this. Sometimes that might not be obvious until you have a few conversations and try to understand what motivates them and if they can handle flexibility.</p>
<p>Transforming anyone into a better communicator and collaborator isn’t easy. With technical folks, it can be harder, as they often have fixed mindsets, see things as black-and-white, and believe they know all the answers. These people could have impressive technical prowess, but these attitudes won’t fit into a healthy culture where everyone is open and transparent. Are they lost causes? No, but again, they must want to change.</p>
<p>You can drive this change with guidance from the Secure Methodology™. It’s a seven-step process that I developed because of the soft skill deficiency and in recognition of the value of soft skills in creating and maintaining a strong cybersecurity posture.</p>
<h2>The Secure Methodology: The Framework for Soft Upskilling</h2>
<p>Here’s a preview of each step and how you can leverage it to improve the soft skills of technical people:</p>
<h3>Awareness</h3>
<p>The guide starts with <a href="https://christianespinosa.com/blog/the-secure-methodology-step-one-awareness/" target="_blank" rel="noopener">awareness</a>, with the objective of being mindful of the self and others. When this is missing, people don’t see or understand how their behavior affects others. If this is rampant in a culture, conflict and resentment build. With exercises on reflection and perspective, people can get to a state of awareness that improves how they interact with others.</p>
<h3>Mindset</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-two-mindset/" target="_blank" rel="noopener">Mindset</a> is crucial in soft skills, and every person on your team needs an open one. A person cannot change without it. Key to this is defining someone’s motivations and why they respond as they do. In this step, the <a href="https://christianespinosa.com/blog/finding-your-purpose-in-life-understanding-the-7-levels-deep-exercise/" target="_blank" rel="noopener">7 Levels Deep Exercise</a> is a good foundation.</p>
<h3>Acknowledgment</h3>
<p>The third step is <a href="https://christianespinosa.com/blog/the-secure-methodology-step-three-acknowledgment/" target="_blank" rel="noopener">acknowledgment</a>. There are several layers to this step. First, it encompasses feedback and its value to cyber professionals. Your staff wants to hear from you about accomplishments and how they are helping the organization. Not all feedback will be positive, and accountability matters, but you should do this in one-on-one conversations. Ensuring that your team feels appreciated and valued will prompt them to adapt with less friction.</p>
<p>Second is acknowledging that cybersecurity is difficult and filled with uncertainty. You set the tone of the culture, and if you do this well, your team will follow, enhancing their people skills.</p>
<h3>Communication</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-four-communication/" target="_blank" rel="noopener">Communication</a> is the fourth step and the most essential soft skill for anyone. It’s never a bad investment to develop someone’s communication skills. Just be clear on what this means. Being a good communicator and being articulate aren’t the same thing. Yes, what we say matters, but most communication isn’t verbal.</p>
<p>An excellent communicator is clear, concise, and transparent. They also recognize the needs of the audience and listen to them fully. Assessing candidates based on communication skills can involve prompting them to share real-life stories about how they used it to overcome challenges.</p>
<p>Listen for their use of geek speak or overly technical terms. This could be a red flag if they aren’t willing to drop the posturing.</p>
<h3>Monotasking</h3>
<p>Next is <a href="https://christianespinosa.com/blog/the-secure-methodology-step-five-monotasking/" target="_blank" rel="noopener">monotasking</a>; it’s a soft skill you don’t hear much about. Most technical people have been doing the opposite — multitasking. Many believe this is a valuable trait. It is important to be able to juggle priorities, but blocking off specific time to concentrate on one task can make people more productive and eliminate feelings of being in fight-or-flight mode all the time. They will need to act quickly at times and move around priorities, but encouraging monotasking lets people think more critically and problem-solve more effectively.</p>
<h3>Empathy</h3>
<p>In the Secure Methodology, <a href="https://christianespinosa.com/blog/the-secure-methodology-step-six-empathy/" target="_blank" rel="noopener">cognitive empathy</a> is the sixth step. This type of empathy is the ability to understand another’s feelings and perspectives. It’s crucial to a person’s ability to be a great communicator and collaborator. Much of this relates to stripping down egos and dynamics of “me vs. them.” You can’t have a successful cybersecurity strategy and team without empathy.</p>
<p>Human connection is vital in cybersecurity, and in this phase, you support people to become more empathetic.</p>
<h3>Kaizen</h3>
<p>The last step is kaizen. It’s a Japanese term meaning “continuous improvement.” It’s the step that never ends and focuses on adaptability and flexibility. When you reach this phase, your staff should be in a state where they want to continue to develop their soft skills and transfer them to others.</p>
<h2>Upskill Cybersecurity Job Candidates with the Secure Methodology</h2>
<p>The Secure Methodology provides a framework and tools to transform candidates lacking skills. It’s a proven way to change behavior, with benefits for the person and the organization.</p>
<p>Get more insights on each step by reading my book, <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener"><em>The Smartest Person in the Room</em></a>. You can also explore how to apply it in the <a href="https://programs.christianespinosa.com/the-secure-methodology" target="_blank" rel="noopener">Secure Methodology course</a>.</p>
<p>The post <a href="https://christianespinosa.com/blog/how-to-upskill-cybersecurity-job-candidates-to-transform-them-into-high-performers-and-excellent-communicators/">How to Upskill Cybersecurity Job Candidates to Transform Them Into High-Performers and Excellent Communicators</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://christianespinosa.com/blog/how-to-upskill-cybersecurity-job-candidates-to-transform-them-into-high-performers-and-excellent-communicators/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>How to Build a Cybersecurity Team from Scratch Using the Secure Methodology™</title>
		<link>https://christianespinosa.com/blog/how-to-build-a-cybersecurity-team-from-scratch-using-the-secure-methodology/</link>
					<comments>https://christianespinosa.com/blog/how-to-build-a-cybersecurity-team-from-scratch-using-the-secure-methodology/#respond</comments>
		
		<dc:creator><![CDATA[Christian Espinosa]]></dc:creator>
		<pubDate>Sun, 17 Sep 2023 19:03:36 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Secure Methodology]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[leadership]]></category>
		<category><![CDATA[secure methodology]]></category>
		<guid isPermaLink="false">https://christianespinosa.com/?p=2850</guid>

					<description><![CDATA[<p>Building a cybersecurity team comes with many challenges. So many factors are impacting the ability to do this effectively and efficiently. The cybersecurity workforce shortage means more competition for talent, but you can’t be confident all those vying for positions have the hard and soft skills to succeed and thrive. On top of all this, the threat [&#8230;]</p>
<p>The post <a href="https://christianespinosa.com/blog/how-to-build-a-cybersecurity-team-from-scratch-using-the-secure-methodology/">How to Build a Cybersecurity Team from Scratch Using the Secure Methodology™</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img decoding="async" class="size-medium wp-image-2851 alignright" src="https://christianespinosa.com/wp-content/uploads/2023/09/annie-spratt-QckxruozjRg-unsplash-300x200.jpg" alt="cybersecurity team" width="300" height="200" srcset="https://christianespinosa.com/wp-content/uploads/2023/09/annie-spratt-QckxruozjRg-unsplash-300x200.jpg 300w, https://christianespinosa.com/wp-content/uploads/2023/09/annie-spratt-QckxruozjRg-unsplash-1024x683.jpg 1024w, https://christianespinosa.com/wp-content/uploads/2023/09/annie-spratt-QckxruozjRg-unsplash-768x512.jpg 768w, https://christianespinosa.com/wp-content/uploads/2023/09/annie-spratt-QckxruozjRg-unsplash-1536x1025.jpg 1536w, https://christianespinosa.com/wp-content/uploads/2023/09/annie-spratt-QckxruozjRg-unsplash-640x427.jpg 640w" sizes="(max-width: 300px) 100vw, 300px" />Building a cybersecurity team comes with many challenges. So many factors are impacting the ability to do this effectively and efficiently. The <a href="https://christianespinosa.com/blog/diagnosing-the-root-causes-of-the-cyber-workforce-shortage/" target="_blank" rel="noopener">cybersecurity workforce shortage</a> means more competition for talent, but you can’t be confident all those vying for positions have the hard and soft skills to succeed and thrive. On top of all this, the threat landscape keeps expanding as cybercriminals develop new tools and strategies to exploit weaknesses.</p>
<p>So, what can you do as a cybersecurity leader? As someone who’s been in the position, I have some insights to share on how to accomplish this. Keep reading for strategies, tips, and info about the Secure Methodology as a framework for constructing a cybersecurity team.</p>
<h2>Steps to Take to Build a Sustainable Cybersecurity Team</h2>
<p>Where should you start on this journey? Should you jump right into recruiting and hiring? I would urge you to first develop a strategy, define the tools you need, and create some principles for the culture you hope to cultivate.</p>
<p>To do this, follow these steps:</p>
<h3>Acknowledge that cybersecurity is a people problem and let that guide your strategy.</h3>
<p>It’s easy to blame the breaches and attacks in the cyber world on technology. Without it, there wouldn’t be an issue, but categorizing it only this way is a fallacy. Behind every attack is a person. Every defense also has human intelligence executing it, and most causes of cyber incidents relate to errors, mistakes, or intentions of someone.</p>
<p>It’s very much a people problem, and that fundamental principle should guide your team-building strategy. Yes, there are lots of great cyber tools out there that are leveraging AI and enabling automation. You need those, but the people charged with managing them need knowledge and skills to do so. Those skills must include soft ones, as the human issue in cybersecurity won’t find a resolution with staff who cannot communicate or collaborate.</p>
<p>There is a current soft skills gap in every industry, including cybersecurity. The people who are a good fit for your roles may not possess these. If they are curious to learn and motivated to evolve, they can be great additions to your team.</p>
<h3>Ensure the bad guys are cybercriminals, not internal.</h3>
<p>Another element of creating a cybersecurity team is to eliminate the “us vs. them” mentality that often happens between technical and business folks. You’re all on the same side, but much of that can get lost in translation. The business side may not take cybersecurity as seriously as they should, frustrating cyber professionals. There’s animosity on your side, too, as your team may resent others, especially when they have questions and challenges.</p>
<p>It&#8217;s critical to put the target back on the real enemy’s head. There must be balance and cooperation between business and technical groups. You don’t want to bring someone on who fails to understand the perspective of others. Employees like this will degrade the trust and credibility of your team and do anything to avoid being wrong. You can spot this in how they respond to queries about collaborating and if they do a lot of posturing.</p>
<h3>Look for a wide range of skills.</h3>
<p>You have to define the requirements you want in your team, which should include various abilities and aptitudes. In doing so, you have to <a href="https://christianespinosa.com/blog/cybersecurity-skills-based-hiring-why-tech-leaders-need-to-shift-their-idea-of-qualified/" target="_blank" rel="noopener">shift your definition of qualified</a>. The majority of cyber leaders believe applicants don’t have the right qualifications, according to the <a href="https://www.isaca.org/state-of-cybersecurity-2022" target="_blank" rel="noopener">State of Cybersecurity 2022 report.</a> What they say people lack includes hands-on experience and training along with credentials and degrees.</p>
<p>The hands-on part makes sense because you want people to have real-world interactions. One cannot get this without opportunity. It’s especially true for younger generations, who we need to join the field. These people could be bright and eager to learn, making them excellent hires.</p>
<p>Credentials and degrees can demonstrate skill sets but not always. Often, people look great on paper because of these achievements but lack the knowledge to apply what they learned in classes. The learning may also be insufficient, especially for courses that validate aptitude based on multiple-choice tests. You can only be confident in one thing for those passing these — they can memorize answers. Beware of these “<a href="https://christianespinosa.com/blog/cybersecurity-paper-tigers-are-killing-us/" target="_blank" rel="noopener">paper tigers</a>.”</p>
<p>Instead, use skills-based hiring models. This approach focuses on a candidate with specific competencies that directly relate to the work. It involves soft and hard skills.</p>
<h3>Develop your recruitment strategy on skills-based hiring.</h3>
<p>Building a strong, multi-dimensional team requires a mix of people. Not everyone has to be strong in everything. You can create a staff who can learn from each other and you.</p>
<p>With skills-based hiring, you can:</p>
<ul>
<li>Identify people with abundant soft skills and a desire to improve their technical skills.</li>
<li>Find candidates who are familiar with all areas of cybersecurity but don’t have real-world experience yet, and develop them.</li>
<li>Attract people newly entering the workforce and those starting over, which can help you build that right mix.</li>
<li>Assess people holistically instead of only looking at their technical aptitude.</li>
<li>Reduce barriers for people getting a shot at a cyber career who didn’t attend college.</li>
</ul>
<p>Putting together a team of cyber professionals in this manner can lead to a strong and healthy culture. It can also decrease risk and ensure that <a href="https://christianespinosa.com/blog/why-cybersecurity-deserves-a-seat-at-the-leadership-table/" target="_blank" rel="noopener">cybersecurity has a seat at the table</a> to influence business decisions. You simply won’t be able to do that if you hire with bias found in the old ideals of “qualified.”</p>
<p>All these ideas and opportunities align directly with the Secure Methodology, which is a seven-step process of transforming people with purely technical and closed mindsets into great communicators and partners.</p>
<h2>The Secure Methodology and Building Your Cybersecurity Team</h2>
<p>The Secure Methodology is the foundation for creating and maintaining a team that thrives and is adaptable. I based it on my own experiences and observations of what was going wrong in cybersecurity, which is a people problem.</p>
<p>Here’s a glimpse of each step and how it can support your hiring strategy:</p>
<h3>Awareness</h3>
<p>The process kicks off with <a href="https://christianespinosa.com/blog/the-secure-methodology-step-one-awareness/" target="_blank" rel="noopener">awareness</a>. It pertains to both self and others. Without it, people don’t understand the impact of their behavior on relationships and communication. It’s about opening up people’s blind spots.</p>
<p>Will every candidate already have awareness? And how do you evaluate this? Most people lack awareness to some extent, so it often requires development. You can assess someone’s state of awareness or willingness to get there by asking them to reflect and tell you about a challenging time and how they handled their interactions with others.</p>
<h3>Mindset</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-two-mindset/" target="_blank" rel="noopener">Mindset</a> is critical for anyone’s ability to grow and evolve. Those with a fixed mindset will resist any type of change. It’s a problem for technical people because they desire absolutes, but cybersecurity is a dynamic and volatile field! It’s kind of a paradox, so be observant of how people communicate about themselves and their experiences. This can give you a good idea of how open their mindset is and if they’ll be a good fit for your team.</p>
<h3>Acknowledgment</h3>
<p>Next is <a href="https://christianespinosa.com/blog/the-secure-methodology-step-three-acknowledgment/" target="_blank" rel="noopener">acknowledgment</a>, which you’ll want to make a pillar of your culture. Technical employees crave feedback and understanding of their place in the business. Of course, they must also be receptive to it because it won’t always be positive. You also want to know if someone can acknowledge the work and contributions of others within the group or outside of it.</p>
<h3>Communication</h3>
<p>The fourth step is <a href="https://christianespinosa.com/blog/the-secure-methodology-step-four-communication/" target="_blank" rel="noopener">communication</a>, and it’s the most important concept when creating a team. We can’t do anything well without honest, transparent, and consistent communication.</p>
<p>Being a good communicator doesn’t just mean being articulate. In the world of cybersecurity, your team must be clear about what they need, the challenges they face, and what’s really happening in the threat landscape. They also have to be active listeners to be good collaborators.</p>
<p>You can likely assess someone’s communication skills within the context of your conversations. Look for those who can clearly express big ideas and don’t use geek speak. If they show signs of this and seem to be listening to you, it’s a good sign, and you can continue to help them master this skill.</p>
<h3>Monotasking</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-five-monotasking/" target="_blank" rel="noopener">Monotasking</a> is the fifth step, and it means concentrating on one task or project at a time without disruptions. It’s hard to find anyone who monotasks much in the workforce, where we seem always to be doing five things at once.</p>
<p>You can talk about monotasking in interviews to see someone’s reaction to it. Do they think it’s bad for productivity or impossible? Emphasize that you believe it to be a critical component of the workday because it enables critical thinking and problem solving, which are two huge assets in cybersecurity.</p>
<h3>Empathy</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-six-empathy/" target="_blank" rel="noopener">Empathy</a> is the sixth step, and in this connotation, it means the ability to understand someone’s perspective and feelings. It’s one of the hardest things for anyone to build, and yes, we must learn it. We are not innately empathetic. Achieving this can help with stress, burnout, and frustration toward others.</p>
<p>In speaking with prospective hires, ask them about a time when empathy would have been a good response to a problem. The answers they give can reveal a lot about their inner workings.</p>
<h3>Kaizen</h3>
<p>The last step is kaizen. It’s a Japanese term that means “change for the better.” It never ends because continuous improvement is forever. When hiring, you want to put people on your team who believe in this approach to work.</p>
<p>Ready to learn more about the Secure Methodology? Start by reading <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener"><em>The Smartest Person in the Room</em></a> and explore the <a href="https://programs.christianespinosa.com/the-secure-methodology" target="_blank" rel="noopener">Secure Methodology course</a>.</p>
<p>The post <a href="https://christianespinosa.com/blog/how-to-build-a-cybersecurity-team-from-scratch-using-the-secure-methodology/">How to Build a Cybersecurity Team from Scratch Using the Secure Methodology™</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://christianespinosa.com/blog/how-to-build-a-cybersecurity-team-from-scratch-using-the-secure-methodology/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Silos Weaken Your Cybersecurity Posture, Collaboration Makes It Stronger</title>
		<link>https://christianespinosa.com/blog/silos-weaken-your-cybersecurity-posture-collaboration-makes-it-stronger/</link>
					<comments>https://christianespinosa.com/blog/silos-weaken-your-cybersecurity-posture-collaboration-makes-it-stronger/#respond</comments>
		
		<dc:creator><![CDATA[Christian Espinosa]]></dc:creator>
		<pubDate>Sun, 17 Sep 2023 18:58:03 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Secure Methodology]]></category>
		<category><![CDATA[cybersecurity silos]]></category>
		<category><![CDATA[secure methodology]]></category>
		<guid isPermaLink="false">https://christianespinosa.com/?p=2847</guid>

					<description><![CDATA[<p>Silos are a common theme in many businesses. It can occur in any industry, department, or team. The reasons this is all too prevalent are many, from cultural issues to not sharing data to a lack of communication. Silos undermine an organization’s ability to be proactive and agile, weakening its cybersecurity posture. So, how did [&#8230;]</p>
<p>The post <a href="https://christianespinosa.com/blog/silos-weaken-your-cybersecurity-posture-collaboration-makes-it-stronger/">Silos Weaken Your Cybersecurity Posture, Collaboration Makes It Stronger</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="size-medium wp-image-2848 alignright" src="https://christianespinosa.com/wp-content/uploads/2023/09/waldemar-3606sCbKRZM-unsplash-300x243.jpg" alt="cybersecurity silos" width="300" height="243" srcset="https://christianespinosa.com/wp-content/uploads/2023/09/waldemar-3606sCbKRZM-unsplash-300x243.jpg 300w, https://christianespinosa.com/wp-content/uploads/2023/09/waldemar-3606sCbKRZM-unsplash-1024x829.jpg 1024w, https://christianespinosa.com/wp-content/uploads/2023/09/waldemar-3606sCbKRZM-unsplash-768x622.jpg 768w, https://christianespinosa.com/wp-content/uploads/2023/09/waldemar-3606sCbKRZM-unsplash-1536x1244.jpg 1536w, https://christianespinosa.com/wp-content/uploads/2023/09/waldemar-3606sCbKRZM-unsplash-2048x1659.jpg 2048w, https://christianespinosa.com/wp-content/uploads/2023/09/waldemar-3606sCbKRZM-unsplash-640x518.jpg 640w" sizes="(max-width: 300px) 100vw, 300px" />Silos are a common theme in many businesses. They can occur in any industry, department, or team. The reasons this is all too prevalent are many, from cultural issues to not sharing data to a lack of communication. Silos undermine an organization’s ability to be proactive and agile, weakening its cybersecurity posture.</p>
<p>So, how did cybersecurity become so siloed? And what can you do to break silos down?</p>
<h2>Why Silos Exist in Cybersecurity</h2>
<p>Cybersecurity often sits in a walled garden, with little interaction with the business side of an organization. There have been some shifts to bring it into the fold, with CISOs (chief information security officers) now <a href="https://christianespinosa.com/blog/why-cybersecurity-deserves-a-seat-at-the-leadership-table/" target="_blank" rel="noopener">having a seat at the table with the C-suite</a>.</p>
<p>This demonstrates progress, but the silos have stood for a long time, so they are very much a current problem. There are several reasons why they exist, including:</p>
<ul>
<li>Businesses believing cybersecurity impedes innovation and growth and intentionally wanting to keep it separate</li>
<li>The increased number of attacks and threats cybersecurity teams must defend against, which keeps them in a reactive mode instead of a proactive one</li>
<li>Failures in communication that leave cybersecurity and other parts of the company unaware of the landscape and its evolution</li>
<li>No shared accountability for cybersecurity throughout the organization, which leaves cybersecurity on an island when it comes to security and resilience</li>
<li>Company leadership not treating cybersecurity as a business enabler, which can impact budgets, staff numbers, and resource allocation</li>
<li>No initiatives to build partnerships across the organization between cybersecurity and other teams</li>
</ul>
<p>All these reasons have a foundation in disconnection. When cybersecurity isn’t a critical part of an organization, it’s easy for silos to stay in place.</p>
<p>Those silos can exist within teams as well.</p>
<h2>Cybersecurity Silos Are Present Within Technical Teams</h2>
<p>It’s not just the enterprise-wide silos you have to worry about. Chances are silos are also creating walls between your own people. These may be even harder to conquer because of the nature of the job and the characteristics of individuals.</p>
<p>Silos within cybersecurity occur primarily because cyber professionals never want to be wrong. They concentrate on always being the smartest person in the room. When others question their stance, internally or externally, they find solace in silos where they have all the control.</p>
<p>If this sounds familiar, you’re not alone. It’s all too common in the cybersecurity workforce to have people operating independently without much awareness of what others are doing. Furthermore, many don’t care. They have surety in their capabilities and don’t want to share or collaborate because it could lead to them being wrong.</p>
<p>The silo mentality leads to the things that are threatening the cybersecurity workforce — unhealthy cultures, <a href="https://christianespinosa.com/blog/burnout-in-cybersecurity-can-you-prevent-it/" target="_blank" rel="noopener">burnout</a>, and an uneven work-life balance. These were all reasons that cyber professionals left jobs, according to the <a href="https://www.isc2.org/-/media/ISC2/Research/2022-WorkForce-Study/ISC2-Cybersecurity-Workforce-Study.ashx" target="_blank" rel="noopener">(ISC)2 Cybersecurity Workforce Study</a>.</p>
<p>Dissatisfaction in a cyber job has more to do with organizational issues than the work. Silos are a threat to your team and cybersecurity posture. They breed resentment and disengagement. It’s bad for everyone, but it’s difficult to transform mindsets and perspectives from a silo perspective to a collaborative one. For this shift to occur, you have to focus more on soft skills than technical ones.</p>
<h2>Silos Keep People From Adapting and Changing</h2>
<p>As noted, silos can seem like safe places for cyber professionals who cling to certainty and believe they don’t need others to do their job well. What it actually does is keep people in a state of stagnation. They won’t grow or change because doing so would mean they have to accept that they don’t know everything. That’s too big of a pill to swallow for many without intervention.</p>
<p>Those who crave the safety of a silo aren’t bad people (usually). It is possible for them to get to a point where they’ll embrace the gray that cybersecurity lives in, moving away from <a href="https://christianespinosa.com/blog/cybersecurity-isnt-black-and-white-why-cyber-leaders-and-their-teams-must-embrace-the-gray/" target="_blank" rel="noopener">black-and-white thinking</a>.</p>
<p>Cybersecurity is a dynamic industry, indicating that evolving practices and protocols are necessary. Even if you consistently improve your strategies and ways to manage and eliminate threats, that doesn’t mean that silos aren’t still present. They show themselves in many different ways, from how your employees work with other groups to how they handle user interactions to what happens when a threat becomes a reality.</p>
<h2>How Silos Put Your Cybersecurity Posture At Risk</h2>
<p>On the threat landscape, there are a million things that increase risk. As networks grow, workers remain remote, and implementations of new technology rise, there’s risk everywhere. You have to defend against phishing, malware, and ransomware, which requires a united front and effort. Silos make this harder.</p>
<p>When silos exist within the department or in the company, the ability of a cyber team to be proactive against these threats becomes very difficult. Being proactive requires everyone to work together from a defined strategy. It involves a lot of communication and movement across the organization to establish and maintain your “protective shield” against attacks.</p>
<p>Attempting to reduce or eliminate risk is a journey that never ends or stays the same. Doing this well really means working as a team. Even if you have lots of protocols and tools in place, a silo doesn’t crack so easily. And often, people can do just enough to collaborate, but true transparency is still missing.</p>
<p>As a result, errors and mistakes occur. Assumptions about who’s doing what and when are usually wrong, and gaps in your cybersecurity posture widen. It gives hackers an opportunity to exploit these weaknesses, so having silos is a helping hand to cybercriminals. If you want to prepare your organization to be cyber-resilient, you have to focus on growing your team’s people skills.</p>
<h2>Development of People Skills Is a Silo Breaker</h2>
<p>When individuals improve their people skills, they see the value in working together. They understand that silos are holding them back and want to work in a culture that thrives in teamwork.</p>
<p>It would be great if people could come to this realization on their own. Some never will, but many are willing to commit to developing their soft skills, especially when they realize it can decrease risk. Ultimately, most cyber professionals got into this field because they are passionate about security. If they know that their behaviors and actions have impacted their cybersecurity posture, they may be even more eager to change and adapt.</p>
<p>So, how does this happen in the real world? It won’t occur without a framework and strategy. You can’t start this journey without a map, and you’ll find one in the Secure Methodology™.</p>
<h2>The Secure Methodology Transforms Silos</h2>
<p>The Secure Methodology is a seven-step guide to transforming technical people into excellent communicators and collaborators. Each step seeks to resolve the major problems that exist in the <a href="https://christianespinosa.com/blog/diagnosing-the-root-causes-of-the-cyber-workforce-shortage/" target="_blank" rel="noopener">cybersecurity workforce</a>, supporting people as they pursue a new mindset and perspective. Here’s how each step can knock down those silos for good:</p>
<h3>Awareness</h3>
<p>The Secure Methodology starts with <a href="https://christianespinosa.com/blog/the-secure-methodology-step-one-awareness/" target="_blank" rel="noopener">awareness</a> of self and others. When awareness is lacking, silos flourish because there’s no connection. Technical folks will remain on their own island, causing friction and antipathy.</p>
<p>You can use coaching methods within this step to drive people to open their eyes and realize the detriment of silos. You can also learn about their motivations, which will be vital in changing behavior.</p>
<h3>Mindset</h3>
<p>Next is <a href="https://christianespinosa.com/blog/the-secure-methodology-step-two-mindset/" target="_blank" rel="noopener">mindset</a>, and it’s a key contributor to silos. When people have a fixed mindset, they have tunnel vision and no desire to change. This step is about helping them open it, which can occur with reflection, asking questions, and working as a team in decision-making.</p>
<h3>Acknowledgment</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-three-acknowledgment/" target="_blank" rel="noopener">Acknowledgment</a> is the third step, and the lack of it is another cause of silos. Acknowledgment means recognizing people for their efforts regularly. They want and need praise to feel part of something, which is critical to breaking down silos. Part of this is also acknowledging that no one can know everything about cybersecurity but that collectively, we all have a better shot at defending against threats.</p>
<h3>Communication</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-four-communication/" target="_blank" rel="noopener">Communication</a> is the fourth step, but it’s crucial in all the others too. Communication is the single biggest tool you have to remove silos. Consistent, transparent, and clear communication within your team and outside of it ensures that silos don’t form or stay.</p>
<p>Working on communication isn’t easy. It takes a lot of practice and learning new ways to share information and listen.</p>
<h3>Monotasking</h3>
<p>Next is <a href="https://christianespinosa.com/blog/the-secure-methodology-step-five-monotasking/" target="_blank" rel="noopener">monotasking</a>, which means workers focus only on one task. It’s the opposite of multitasking, which often leads to sloppy work. People receive praise for multitasking, yet it’s a problem in cybersecurity.</p>
<p>In terms of silos, if you encourage people to block time to work on specific things without distraction, they can use critical thinking skills and balance their workload. Gaining these things supports a collaborative workforce where there’s even distribution of work and team support.</p>
<h3>Empathy</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-six-empathy/" target="_blank" rel="noopener">Empathy</a> is an essential soft skill that we have to learn and develop. Silos can’t function in an empathetic culture because people can see the perspective of others. When they do, there’s no longer a “me vs. them” mentality. This step includes exercises to help people foster this skill.</p>
<h3>Kaizen</h3>
<p>The last step is kaizen, which is a Japanese term meaning “continuous improvement.” It’s a stage that never ends with an emphasis on root cause analysis. If your team can embody this, silos won’t have fertile ground.</p>
<p>Using the Secure Methodology is a proven path for transformation and removing silos. You can learn more about it in my book, <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener"><em>The Smartest Person in the Room</em></a>, and in the <a href="https://programs.christianespinosa.com/the-secure-methodology" target="_blank" rel="noopener">course</a>.</p>
<p>The post <a href="https://christianespinosa.com/blog/silos-weaken-your-cybersecurity-posture-collaboration-makes-it-stronger/">Silos Weaken Your Cybersecurity Posture, Collaboration Makes It Stronger</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://christianespinosa.com/blog/silos-weaken-your-cybersecurity-posture-collaboration-makes-it-stronger/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The Red Flags to Pay Attention to in Your Cybersecurity Staff and How to Handle Them</title>
		<link>https://christianespinosa.com/blog/the-red-flags-to-pay-attention-to-in-your-cybersecurity-staff-and-how-to-handle-them/</link>
					<comments>https://christianespinosa.com/blog/the-red-flags-to-pay-attention-to-in-your-cybersecurity-staff-and-how-to-handle-them/#respond</comments>
		
		<dc:creator><![CDATA[Christian Espinosa]]></dc:creator>
		<pubDate>Sun, 23 Jul 2023 19:22:36 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Secure Methodology]]></category>
		<category><![CDATA[red flags]]></category>
		<category><![CDATA[toxicity]]></category>
		<guid isPermaLink="false">https://christianespinosa.com/?p=2844</guid>

					<description><![CDATA[<p>Building your cybersecurity team isn’t easy. Recruiting, hiring, and retaining staff is a significant challenge in today’s environment. However, that doesn’t mean you should keep people who aren’t performing well, create toxicity, and collaborate poorly. There are many red flags you should pay attention to concerning your cybersecurity staff. This doesn’t automatically mean you should [&#8230;]</p>
<p>The post <a href="https://christianespinosa.com/blog/the-red-flags-to-pay-attention-to-in-your-cybersecurity-staff-and-how-to-handle-them/">The Red Flags to Pay Attention to in Your Cybersecurity Staff and How to Handle Them</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="size-medium wp-image-2845 alignright" src="https://christianespinosa.com/wp-content/uploads/2023/07/paolo-bendandi-D6_y7pAPMqw-unsplash-300x225.jpg" alt="cybersecurity team red flags" width="300" height="225" srcset="https://christianespinosa.com/wp-content/uploads/2023/07/paolo-bendandi-D6_y7pAPMqw-unsplash-300x225.jpg 300w, https://christianespinosa.com/wp-content/uploads/2023/07/paolo-bendandi-D6_y7pAPMqw-unsplash-1024x768.jpg 1024w, https://christianespinosa.com/wp-content/uploads/2023/07/paolo-bendandi-D6_y7pAPMqw-unsplash-768x576.jpg 768w, https://christianespinosa.com/wp-content/uploads/2023/07/paolo-bendandi-D6_y7pAPMqw-unsplash-1536x1152.jpg 1536w, https://christianespinosa.com/wp-content/uploads/2023/07/paolo-bendandi-D6_y7pAPMqw-unsplash-2048x1536.jpg 2048w, https://christianespinosa.com/wp-content/uploads/2023/07/paolo-bendandi-D6_y7pAPMqw-unsplash-640x480.jpg 640w" sizes="(max-width: 300px) 100vw, 300px" />Building your cybersecurity team isn’t easy. Recruiting, hiring, and retaining staff is a significant challenge in today’s environment. However, that doesn’t mean you should keep people who aren’t performing well, who create toxicity, and who collaborate poorly. There are many red flags you should pay attention to concerning your cybersecurity staff. This doesn’t automatically mean you should let them go. If they are willing to grow, change, and adapt, they still have potential.</p>
<p>As you assess the makeup of your team, you have to be aware of their behavior and its impact on risk, culture, and success. In this post, we’ll review the red flags to be on alert for and how to handle them.</p>
<h2>5 Red Flags That Signal Trouble in Your Cybersecurity Staff</h2>
<p>Before going into this list, there are a few things to discuss. Technical folks often have a bad reputation for being antagonistic and lacking soft skills. In some ways, this is a stereotype that doesn’t always play out in the real world. However, there is some truth in this, as many in the field struggle with communication, collaboration, and change. They crave certainty, but cybersecurity is dynamic and very uncertain much of the time. The nature of the job is also high-stress, and <a href="https://christianespinosa.com/blog/burnout-in-cybersecurity-can-you-prevent-it/" target="_blank" rel="noopener">burnout</a> is a pervasive issue.</p>
<p>The reason to acknowledge these things is to give context to the list of red flags. Many of these aren’t necessarily conscious decisions by technical people to be difficult. They are creatures of habit and will tend to keep these patterns unless they become aware of them and see a path to grow and learn. The real problem comes when individuals resist any development of <a href="https://christianespinosa.com/blog/how-to-develop-soft-skills-in-your-cybersecurity-team/" target="_blank" rel="noopener">soft skills</a> and can’t take criticism or coaching. Keep these things in mind as we discuss the topic further.</p>
<h3>They Mask Insecurity with Posturing</h3>
<p>No one wants to admit they feel insecure about anything, least of all cyber professionals regarding their work. They believe that not knowing everything is a weakness, and they need to hide this from everyone. The reality is that no one can know everything about anything. It’s especially true in cybersecurity, where new threats emerge every day, and hackers are hard at work trying to breach your networks.</p>
<p>When posed questions about a risk, threat, or concern, they will posture instead of admitting they aren’t sure what the answer is. It turns into a tirade of geek speak that doesn’t make much sense to those on the business side. When you see these reactions play out, it’s a big red flag. All that posturing and blustering doesn’t help your team or company. It actually creates more risk and continues the stereotype of technical folks being defensive and rude.</p>
<p>As a cyber leader, you have to call this out immediately. You don’t want to be antagonistic in your response, as that’s unlikely to remedy the situation. What you should do is talk about the insecurity they’re obviously feeling and get to the why.</p>
<p>Helping them become aware of their behavior and its impact can drive change if they are willing to be accountable. Encourage them to ask for help, investigate the issue, and communicate with transparency. Give them chances to rework how they approach a problem they don’t know the answer to. They will either appreciate your advice and start working on themselves or revert to what feels comfortable. If they do the latter, they may not be the best fit for your culture.</p>
<h3>They Are Black and White Thinkers, and It Hinders Communication and Collaboration</h3>
<p>Technical folks are logical, rational thinkers most of the time. It comes in handy in such a high-pressure industry. However, it can make them more prone to only see things as black and white. <a href="https://christianespinosa.com/blog/cybersecurity-isnt-black-and-white-why-cyber-leaders-and-their-teams-must-embrace-the-gray/" target="_blank" rel="noopener">Cybersecurity is anything but black and white</a>! Most of it lives in the gray because hackers are always trying new approaches to steal your data. They are creative and curious. Your cybersecurity staff should be, too.</p>
<p>A black-and-white thinker has a fixed mindset with only one correct answer. This may sometimes be true in the technical aspect of cybersecurity, but in the big picture, it’s not. What creates the red flag here is when they take this perspective into communication and collaboration. They won’t actively listen or participate in trying to solve the problem other than to give you the one answer they believe to be true.</p>
<p>Addressing this means working on communication and collaboration. Again, they must become aware of their behavior and how it hurts the team. The key is to open their mindset toward change and accept that there are many possible solutions. Finding what will work will require a group effort, so they have to be willing to be part of the effort.</p>
<p>Improving communication skills is hard for anyone. Technical people often have an even harder time, but it’s not impossible. Transforming them into healthy communicators is a critical step in the Secure Methodology™. It’s a seven-step guide for cyber leaders that focuses on developing soft skills in their teams. Many ways to handle red flags tie back to the Secure Methodology.</p>
<h3>They Have Little Regard for Their Clients</h3>
<p>As a cyber team, you are either serving the company you work for internally or externally. Either way, they are your clients, and caring about what they care about matters. The key things that cyber professionals should focus on are—what are we trying to protect, and what are the threats to it? It’s a simplification of the cyber world, but it does come down to these things.</p>
<p>If your cyber staff never asks these questions and only goes through the motions of cyber defenses, vulnerabilities remain exploitable. You’ll never improve the risk posture if they don’t have some degree of consideration for the job they are doing.</p>
<p>Working on this aligns with the <a href="https://christianespinosa.com/blog/the-secure-methodology-step-one-awareness/" target="_blank" rel="noopener">awareness step</a> in the Secure Methodology. It’s the first step, and the goal is for the person to become more aware of themselves and others. They have to be willing to see other perspectives from the business side. When they don’t, constant friction and animosity impede any progress you hope to make.</p>
<p>This concern is also associated with <a href="https://christianespinosa.com/blog/the-secure-methodology-step-six-empathy/" target="_blank" rel="noopener">empathy</a>, the sixth step of the Secure Methodology. Humans have to learn empathy; it’s not innate. In the business sense, we’re talking about cognitive empathy. It’s the ability to understand another’s feelings and perceptions. It’s not about sympathizing with a person but connecting and accepting their perspective. Helping your team cultivate this skill will go a long way in constructing healthy relationships among the team and with your clients.</p>
<h3>They Don’t Want to Learn from Their Mistakes</h3>
<p>Every cyber professional will err—sometimes, many times a day or week. It’s not an exact science, and the threat landscape keeps changing. Making mistakes isn’t a red flag; not wanting to learn from them is.</p>
<p>Mistakes can be teachable moments for cybersecurity staff. Huge blunders that happen due to negligence are another category, but most errors are part of the job. When these things happen, you need to acknowledge it privately and see what response you get. If the person is immediately defensive and not accountable, that’s bad news. If they are willing to take responsibility and learn from it, that’s someone you want on your team.</p>
<p>You also have to create a culture where an error isn’t an automatic pink slip. You don’t want people so scared to make one that they do nothing. It comes from being transparent in communication and giving feedback to the group and individuals consistently.</p>
<p>Ultimately, learning is about embracing continuous improvement or “Kaizen,” which is the final step in the Secure Methodology. It’s the never-ending step that guides your cybersecurity staff to welcome change and not fear it.</p>
<h3>They Thrive on Negativity</h3>
<p>Cyber professionals are often pragmatic and realistic, which aren’t red flags alone. It becomes a problem when they only want to argue and spread negativity. They never have a positive thing to say or offer to the conversation. It’s disruptive and creates resentment. If someone is rude to everyone they engage with at work, it’s not good for your culture, team, or risk.</p>
<p>Their predisposition to be negative can be part of insecurity and posturing. Other times it may be an intentional way to sow chaos. You can try to push them toward working on themselves, but they have to be committed to it and realize the damage they are doing. The step of mindset is the first strategy to try with these folks. Shifting mindset is about being reflective and understanding motivation. Exercises in the book offer a way to navigate this journey for those brave enough to take it.</p>
<h2>Tackle Red Flags with the Secure Methodology</h2>
<p>These red flags don’t mean that someone isn’t smart or talented. They usually correlate with the emotions we’ve discussed—insecurity, uncertainty, and fear. There’s no way to banish all these, but you can support your cybersecurity staff in their growth with the Secure Methodology. Explore more about the steps in my book, <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener"><em>The Smartest Person in the Room</em></a>, and in the <a href="https://programs.christianespinosa.com/the-secure-methodology" target="_blank" rel="noopener">Secure Methodology course</a>.</p>
<p>The post <a href="https://christianespinosa.com/blog/the-red-flags-to-pay-attention-to-in-your-cybersecurity-staff-and-how-to-handle-them/">The Red Flags to Pay Attention to in Your Cybersecurity Staff and How to Handle Them</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://christianespinosa.com/blog/the-red-flags-to-pay-attention-to-in-your-cybersecurity-staff-and-how-to-handle-them/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Diagnosing the Root Causes of the Cyber Workforce Shortage</title>
		<link>https://christianespinosa.com/blog/diagnosing-the-root-causes-of-the-cyber-workforce-shortage/</link>
					<comments>https://christianespinosa.com/blog/diagnosing-the-root-causes-of-the-cyber-workforce-shortage/#respond</comments>
		
		<dc:creator><![CDATA[Christian Espinosa]]></dc:creator>
		<pubDate>Sun, 23 Jul 2023 19:16:24 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Secure Methodology]]></category>
		<category><![CDATA[cybersecurity skills gap]]></category>
		<category><![CDATA[secure methodology]]></category>
		<guid isPermaLink="false">https://christianespinosa.com/?p=2842</guid>

					<description><![CDATA[<p>The cyber workforce shortage has been the talk of the industry for the past few years. Many jobs remain unfilled, and experts predict that will only grow. The reason for this gap is the result of many different factors. At the heart of the problem are root causes. The field can attract and retain workers [&#8230;]</p>
<p>The post <a href="https://christianespinosa.com/blog/diagnosing-the-root-causes-of-the-cyber-workforce-shortage/">Diagnosing the Root Causes of the Cyber Workforce Shortage</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class=" wp-image-2843 alignright" src="https://christianespinosa.com/wp-content/uploads/2023/07/museums-victoria-7YUvAUbfSV0-unsplash.jpg" alt="cybersecurity skills gap" width="393" height="271" />The cyber workforce shortage has been the talk of the industry for the past few years. Many jobs remain unfilled, and experts predict that will only grow. This gap is the result of many different factors. At the heart of the problem are root causes. The field can attract and retain workers by identifying these and working to overcome them.</p>
<p>In this post, we’ll look at the data, diagnose the root causes, and define how to close the gap.</p>
<h2>The Data on the Cyber Workforce Shortage</h2>
<p>There is a lot of data on the <a href="https://christianespinosa.com/blog/the-2023-cybersecurity-workforce-landscape/" target="_blank" rel="noopener">cybersecurity workforce landscape</a>. It’s a pervasive issue, so reports and surveys that uncover the why are in high demand. We’ll look at the <a href="https://www.isc2.org/-/media/ISC2/Research/2022-WorkForce-Study/ISC2-Cybersecurity-Workforce-Study.ashx" target="_blank" rel="noopener">(ISC)² 2022 Cybersecurity Workforce Study</a> and the <a href="https://www.isaca.org/state-of-cybersecurity-2022" target="_blank" rel="noopener">ISACA State of Cybersecurity 2022 Report</a>.</p>
<p>The workforce study detailed that the global cybersecurity workforce grew to over 4.6 million, which was an 11% year-over-year increase. Even with this increase, there are still 3.4 million jobs that are vacant. It’s something that’s keeping cyber leaders up at night. Survey respondents had this to say:</p>
<ul>
<li>Organizations with a significant staff shortage had more concerns about risk, with 74% stating it was extreme or moderate.</li>
<li>60% of organizations said they are struggling to keep up with turnover.</li>
<li>70% of companies have challenges with retention.</li>
<li>It takes, on average, three to six months to fill an empty role.</li>
<li>There is a correlation between cyber professionals not feeling their input is welcome and valued and low employee experience ratings.</li>
<li>Younger generations have new expectations in work, with this group more concerned about emotional health, Diversity, Equity, and Inclusion (DEI), and having a voice.</li>
</ul>
<h2>What Conclusions About the Workforce Gap Can We Make Based on the Data?</h2>
<p>So, why does this gap exist? It’s complicated, and many things driving it are outside your control. We can draw some conclusions from the data that diagnose what’s happening.</p>
<h3>More Threats Drive Demand for Cyber Professionals</h3>
<p>First, the demand for more cyber professionals would, of course, increase as cyber threats do. Cybersecurity is about identifying and mitigating risk, so it doesn’t exist without the threat landscape. It keeps us all gainfully employed, but consider how much it has evolved in the past few years.</p>
<p><a href="https://christianespinosa.com/blog/ransomware-attacks-new-ways-to-exploit-old-vulnerabilities/" target="_blank" rel="noopener">Ransomware</a> is more prevalent than ever. The means to carry these out have become much more sophisticated. It’s a favorite tactic for hackers, mainly involving financial gain as the desired outcome. Cybercriminals are using old and new weaknesses to attempt to seize control of applications, data, and systems.</p>
<p>Cybercrime-as-a-service enables a new group of criminals to hire hackers on the dark web to do their bidding. You can now choose from a “menu” of attacks, from phishing to ransomware to AI-enabled cybercrimes. No one has to be a cyber genius to launch these attacks. Hacking is now more accessible—a commodity even. As a result, the threat landscape broadens.</p>
<p>Hacktivism is another emerging trend that’s increasing risk. For the first half of 2022, DDoS (distributed denial of service) attacks increased by <a href="https://www.radware.com/pleaseregister.aspx/?returnurl=18bf850e-6320-44a7-85e3-65f9ef072dc8" target="_blank" rel="noopener">203%</a> over 2021, with many of these fitting the hacktivism label. It’s a different motivation for these cyber criminals and impacts businesses even if they don’t have social or political ties.</p>
<p>Then you have all the <a href="https://christianespinosa.com/blog/will-ai-and-machine-learning-help-or-hurt-cybersecurity/" target="_blank" rel="noopener">advancements that AI brings to the hacker toolbox</a>. It enables them to improve phishing campaigns and send them out more quickly. It can help them gather data for attacks, create deepfakes, hide malware, and break passwords and CAPTCHAs.</p>
<p>These are just some highlights, but they represent all the risks and threats that cyber professionals must defend against every day. For organizations, it’s a driving need to hire more people and keep them.</p>
<h3>Retention Is a Concern, and Burnout Plays a Role</h3>
<p>The job of a cyber professional can have moments of high pressure and stress. Without a healthy culture to balance this and consistent communication, this can lead to burnout. If you don’t have enough people, then those you do have end up with more and more on their plate. Many technical folks further disconnect from the job, considering it their biggest stressor. Being overwhelmed in this manner often ends in attrition.</p>
<p>Without a focus on evening out workloads, communication, collaboration, and a healthy culture, burnout will grow and play out repeatedly.</p>
<p>Burnout isn’t the only cause of <a href="https://christianespinosa.com/blog/cybersecurity-retention-how-to-combat-turnover-and-keep-employees-engaged/" target="_blank" rel="noopener">poor retention</a>. It’s also the environment. If it’s toxic, more people will leave. They have options with so many jobs available. Other things that contribute to this are compensation that’s not competitive, lack of promotion opportunities, no management support, and inflexible work policies. Regarding financial incentives, only 31% of organizations said they pay a competitive wage.</p>
<p>In short, you can’t attract or keep good employees if you don’t address burnout and retention.</p>
<h3>Cyber Professionals Need More Acknowledgement and Connectedness</h3>
<p>Your current and future employees have a lot of knowledge and expertise. Failure to acknowledge this or ask for their contributions to a challenge creates low morale. It isolates people who are often introverts worried about saying the wrong thing. If they keep this close to the vest, you also can’t understand their motivations and what they need to succeed.</p>
<p>The Workforce Study found that lack of support from leadership contributed to a lower employee experience. Improving this is something within your control. When workers feel valued for their input and part of something bigger, they are more engaged and open to learning and growing. Creating such a culture ensures that you can attract and retain great workers.</p>
<h3>Younger Generations Have Apprehension About the Industry</h3>
<p>Cybersecurity has a branding problem, as younger generations have new expectations about work and for whom they work. Currently, only <a href="https://www.isaca.org/state-of-cybersecurity-2022" target="_blank" rel="noopener">12% of the cyber workforce is 34 or younger</a>. It’s one of the most consequential drivers for the cybersecurity workforce shortage.</p>
<p>Cybersecurity needs a rebrand to attract these people. It should include things like improving culture, eliminating gatekeeping and blustering, being more communicative, embracing diversity, valuing the employee voice, and helping them grow professionally and personally.</p>
<p>One of the best ways to do this is with the Secure Methodology™. It’s a seven-step guide to transforming technical folks into excellent communicators and collaborators. It can be a key way to address many of the challenges related to the workforce gap.</p>
<h2>Using the Secure Methodology to Improve the Cybersecurity Workforce Shortage</h2>
<p>Here’s a preview of each step of the Secure Methodology, which I defined and designed in my book, <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener"><em>The Smartest Person in the Room</em></a>. The title refers to how many cybersecurity professionals see themselves and how that can be a downfall.</p>
<h3>Awareness</h3>
<p>In this first step, people become aware of themselves and others. Through the exercises in the book, technical people can begin to understand their behavior and its effect on others. It can be a struggle for anyone, especially cyber professionals. Once they achieve <a href="https://christianespinosa.com/blog/the-secure-methodology-step-one-awareness/" target="_blank" rel="noopener">awareness</a>, they can let go of fears about uncertainty and their place in the organization, which can counter burnout and improve the employee experience.</p>
<h3>Mindset</h3>
<p>Individuals have a <a href="https://christianespinosa.com/blog/the-secure-methodology-step-two-mindset/" target="_blank" rel="noopener">growth or fixed mindset</a>. When it’s fixed, they do not change. They accept their perspective and won’t work to evolve it. It’s a problem that will hamper recruitment, retention, and job satisfaction. If your culture presents a place to grow and adapt through a broader mindset, you can attract and keep people on staff.</p>
<h3>Acknowledgment</h3>
<p>We talked about <a href="https://christianespinosa.com/blog/the-secure-methodology-step-three-acknowledgment/" target="_blank" rel="noopener">acknowledgment</a> earlier and how it feeds into the employee experience. By practicing acknowledgment, your team understands their importance and gets the feedback they crave. Involving your people in big decisions is another form of acknowledgment, and it can go a long way in positioning your company as a great place to work and thrive.</p>
<h3>Communication</h3>
<p>The fourth step is <a href="https://christianespinosa.com/blog/the-secure-methodology-step-four-communication/" target="_blank" rel="noopener">communication</a>, and it’s really the core of the Secure Methodology. We cannot fix the workforce shortage issue without clear, consistent, and meaningful communication. Communication starts in the recruitment phase with being transparent and open about cybersecurity. It also has to be a central part of everything you do with employees.</p>
<p>When it’s part of your culture, you’re building a collaborative and cooperative team. They’ll be able to engage better with each other and the business side. As a result, everyone can be on the same page and reduce the ambiguity that drives dissatisfaction and churn.</p>
<h3>Monotasking</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-five-monotasking/" target="_blank" rel="noopener">Monotasking</a> is essential to supporting the overworked, which cyber professionals tend to be. It’s even more so with so many companies short-staffed. It’s the principle of concentrating on one task without any disruptions. It gives them time to focus and use critical thinking and problem-solving skills. The result of this could include improving stress levels and people being more comfortable in asking for help.</p>
<h3>Empathy</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-six-empathy/" target="_blank" rel="noopener">Empathy</a> within your cybersecurity culture means the ability to understand another’s perspectives and feelings. Developing this skill in technical people can encourage them to feel less frustrated with their customers (users). With attention toward empathy, people can learn to let go of blame and resentment, which often festers and creates burnout and attrition.</p>
<h3>Kaizen</h3>
<p>The last step is Kaizen, which means “change for the better.” It’s the ultimate objective of the Secure Methodology. It’s all about continuous improvement. A culture that embraces this will attract excellent candidates and keep them. There is no perfect in Kaizen, even though perfection is what the smartest people in the room are attempting to achieve. There is only the motto of constant improvement.</p>
<p>You can learn more about each step and how to use it to transform your organization and solve the workforce shortage problem by <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener">reading my book</a>. <a href="https://programs.christianespinosa.com/the-secure-methodology" target="_blank" rel="noopener">Check out the Secure Methodology course</a>, too.</p>
<p>The post <a href="https://christianespinosa.com/blog/diagnosing-the-root-causes-of-the-cyber-workforce-shortage/">Diagnosing the Root Causes of the Cyber Workforce Shortage</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://christianespinosa.com/blog/diagnosing-the-root-causes-of-the-cyber-workforce-shortage/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Cybersecurity Skills-Based Hiring: Why Tech Leaders Need to Shift Their Idea of &#8216;Qualified&#8217;</title>
		<link>https://christianespinosa.com/blog/cybersecurity-skills-based-hiring-why-tech-leaders-need-to-shift-their-idea-of-qualified/</link>
					<comments>https://christianespinosa.com/blog/cybersecurity-skills-based-hiring-why-tech-leaders-need-to-shift-their-idea-of-qualified/#respond</comments>
		
		<dc:creator><![CDATA[Christian Espinosa]]></dc:creator>
		<pubDate>Sun, 23 Jul 2023 19:10:19 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Secure Methodology]]></category>
		<category><![CDATA[skills gap]]></category>
		<category><![CDATA[soft skills]]></category>
		<guid isPermaLink="false">https://christianespinosa.com/?p=2840</guid>

					<description><![CDATA[<p>It’s no secret that the cybersecurity field has a talent shortage. Experts project that over 3.4 million jobs in the industry remain unfilled. The reasons behind this are numerous—burnout is churning people out, younger generations aren’t entering cybersecurity, and qualified candidates aren’t plentiful. The last one is worthy of discussion. As the industry evolves, so should the [&#8230;]</p>
<p>The post <a href="https://christianespinosa.com/blog/cybersecurity-skills-based-hiring-why-tech-leaders-need-to-shift-their-idea-of-qualified/">Cybersecurity Skills-Based Hiring: Why Tech Leaders Need to Shift Their Idea of &#8216;Qualified&#8217;</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="size-medium wp-image-2841 alignright" src="https://christianespinosa.com/wp-content/uploads/2023/07/branko-stancevic-GI1hwOGqGtE-unsplash-300x200.jpg" alt="cybersecurity skills" width="300" height="200" srcset="https://christianespinosa.com/wp-content/uploads/2023/07/branko-stancevic-GI1hwOGqGtE-unsplash-300x200.jpg 300w, https://christianespinosa.com/wp-content/uploads/2023/07/branko-stancevic-GI1hwOGqGtE-unsplash-1024x683.jpg 1024w, https://christianespinosa.com/wp-content/uploads/2023/07/branko-stancevic-GI1hwOGqGtE-unsplash-768x512.jpg 768w, https://christianespinosa.com/wp-content/uploads/2023/07/branko-stancevic-GI1hwOGqGtE-unsplash-1536x1024.jpg 1536w, https://christianespinosa.com/wp-content/uploads/2023/07/branko-stancevic-GI1hwOGqGtE-unsplash-2048x1365.jpg 2048w, https://christianespinosa.com/wp-content/uploads/2023/07/branko-stancevic-GI1hwOGqGtE-unsplash-640x427.jpg 640w" sizes="(max-width: 300px) 100vw, 300px" />It’s no secret that the cybersecurity field has a talent shortage. Experts project that over <a href="https://www.isc2.org/-/media/ISC2/Research/2022-WorkForce-Study/ISC2-Cybersecurity-Workforce-Study.ashx" target="_blank" rel="noopener">3.4 million jobs</a> in the industry remain unfilled. The reasons behind this are numerous—burnout is churning people out, younger generations aren’t entering cybersecurity, and qualified candidates aren’t plentiful. The last one is worthy of discussion. 
As the industry evolves, so should the idea of “qualified.” To do this, organizations need to shift to cybersecurity skills-based hiring.</p>
<h2>The Current Consensus on &#8216;Qualified&#8217;</h2>
<p>So, what does being qualified mean to those hiring cyber professionals? In the <a href="https://www.isaca.org/state-of-cybersecurity-2022" target="_blank" rel="noopener">State of Cybersecurity 2022 Report</a> from ISACA, 55% of cyber leaders said applicants aren’t well qualified. They find people lacking in key areas, including prior hands-on experience, credentials, hands-on training, employer recommendations, degrees, and association memberships.</p>
<p>So, the question is—do these things demonstrate that someone will excel and thrive in cybersecurity? If you look further at the data from the study, the importance of what hiring managers seek doesn’t necessarily align with the skills they believe are most valuable. The most sought-after skills include hard and soft ones:</p>
<ul>
<li>Soft skills of communication, flexibility, and leadership</li>
<li>Cloud computing</li>
<li>Security controls regarding endpoints, networks, applications, and implementations</li>
<li>Coding skills</li>
<li>Software development-related topics, such as languages, machine code, testing, and deployment</li>
<li>Data-related topics</li>
<li>Network-related topics</li>
<li>Pattern analysis</li>
<li>System hardening</li>
<li>Computing devices, including hardware, software, and file systems</li>
</ul>
<p><a href="https://christianespinosa.com/blog/how-to-develop-soft-skills-in-your-cybersecurity-team/" target="_blank" rel="noopener">Soft skills</a> were at the top of the skills gap list. Technical aptitude is also vital, but just because someone has a degree or credential doesn’t mean they know how to apply it. Narrow-mindedness on this can actually lead to hiring “<a href="https://christianespinosa.com/blog/cybersecurity-paper-tigers-are-killing-us/" target="_blank" rel="noopener">paper tigers</a>,” who look great on paper but don’t have the aptitudes or abilities to be successful.</p>
<p>In an environment where hiring is competitive and challenging, it’s time to readjust your definition of qualified with skills-based hiring in cybersecurity.</p>
<h2>What Is Skills-Based Hiring?</h2>
<p>Skills-based hiring is an approach to recruitment that focuses on someone having specific competencies and aptitudes. It’s a new method that shifts the emphasis from traditional screening using education, credentials, and previous experience.</p>
<p>It seeks to look at someone holistically, considering their abilities, attitudes, and adaptability. Hiring based on skills makes a lot of sense for cybersecurity. A good example would be an individual who is proficient in programming languages but doesn’t have a degree in computer science. Another would be a person who has immense knowledge of cloud computing but no certification.</p>
<p>Skills-based hiring also looks at potential candidates beyond their technical prowess. Since it looks at someone’s complete profile, you can also evaluate their soft skills, which are desperately needed!</p>
<h2>Experts Are Adamant About Skills-Based Hiring in Cybersecurity</h2>
<p>The push to hire based on skills is something that experts are recommending and urging. At a recent House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection hearing, many were there to discuss the workforce shortages. Their advice—<a href="https://www.meritalk.com/articles/cyber-workforce-experts-pound-table-for-skills-based-hiring/" target="_blank" rel="noopener">stop requiring college degrees</a>. The group said that to strengthen the cyber pipeline, the Federal government needs to take the lead in skills-based cybersecurity hiring.</p>
<p>Companies that are sounding the alarm on cybersecurity deficits can take on this new way of hiring. They could even fund skill development when they see someone with potential. Those people could come from many different places—military veterans, people seeking to change careers, new high school graduates, and even internal folks interested in the field. If there’s passion, curiosity, and appeal, you can nurture that to develop the person.</p>
<h2>Why Is Skills-Based Hiring the Future of Cybersecurity?</h2>
<p>The future of cybersecurity looks a little stark for the good guys. If you don’t have enough skilled employees, you’re automatically more at risk. While you can close some gaps with automation, human-in-the-loop will always be a strong component of all cyber operations. If the field makes this needed progression toward skills-based hiring, the future looks more manageable and optimistic.</p>
<p>Skills-based hiring finds those you may overlook or discount. It also has much to do with cultural fit and someone’s ability to be agile and flexible. A college degree, experience, or credentials don’t necessarily demonstrate any of these things. Further, if you hire based on skills—hard and soft—you are more likely to retain that person long-term.</p>
<p>By using cybersecurity skills-based hiring, you can:</p>
<ul>
<li><strong>Discover people with talent and a growth mindset</strong>: When you focus on what someone can do and their range of attributes, you’re likely to find great candidates. They don’t fit the familiar mold, but that can be a good thing. If they have technical knowledge and possess a <a href="https://christianespinosa.com/blog/fixed-vs-growth-mindset/" target="_blank" rel="noopener">growth mindset</a>, they could become superstars with some skill development and coaching.</li>
<li><strong>Attract younger generations</strong>: Currently, only <a href="https://www.isaca.org/state-of-cybersecurity-2022" target="_blank" rel="noopener">12% of the cyber workforce is 34 or younger</a>. It’s not sustainable, so the urgency to get Gen Z to give cybersecurity a chance is huge. This generation and those even younger have different expectations about work and may avoid cybersecurity because they believe it to be rigid, stale, stuffy, and unchanged. Skills-based hiring allows you to change this false narrative by emphasizing the importance of soft and hard skills. If you’re creating a culture around skills, it should also be one of transparent communication, collaboration, and continuous improvement. Gen Z will find this much more attractive.</li>
<li><strong>Create equity in hiring practices</strong>: If you’re following the skills when you recruit, you’ll be able to streamline the process and ensure that candidates get the same treatment regardless of their resumes. That makes the process more equitable as well. The cyber field has not always been accessible or friendly to all demographics. For example, women represent a small number of cyber professionals. If you reimagine how you hire based on specific skills, you may see more female candidates.</li>
<li><strong>Develop people over time</strong>: Skills-based hiring is also an investment in your people. You make them part of your team with expectations and requirements. This could include technical courses, hands-on training, and soft skill development. With this approach, you are making it clear that you want the person to be accessible, and you will give them the resources they need to do so. Such a strategy improves employee satisfaction and retention.</li>
</ul>
<p>With all this to gain, the next step is implementing skills-based hiring.</p>
<h2>How Do You Shift to Skills-Based Hiring in Cybersecurity?</h2>
<p>If you want to go in this direction, you’ll need to work on a few areas so you can recruit and hire smarter. It’s not a massive change if you’ve already been assessing skills over diplomas and certifications. It will, however, require you to eliminate old ways of thinking about cybersecurity.</p>
<p>It’s a cultural shift where you want to banish all the stereotypes associated with technical folks—they’re bad communicators and collaborators who only see the world of ones and zeros. Yes, people in technical fields tend to be more pragmatic and logical, but they often don’t deserve the other labels. Your job is finding people outside the box who want to evolve cybersecurity with you.</p>
<p>Here are some tips:</p>
<ul>
<li><strong>Redefine your job descriptions and requirements</strong>: Start by eliminating the need for a four-year degree and specific certifications. Instead, focus on core competencies, soft skills, personality, communication capabilities, and drive. If there are specific things the person needs to be proficient in, emphasize those, but don’t limit this expertise to having a degree or certification.</li>
<li><strong>Look for internal talent</strong>: Internally posting new jobs is a typical step, but if you do, add some context about whom you’re looking for beyond technical skills. There could be some smart and capable people that want to move into cybersecurity but don’t know how to start. Create relationships with those folks and work out a plan to upskill and reskill them.</li>
<li><strong>Use assessments to evaluate technical and personal skills</strong>: You need people to demonstrate they have the abilities you desire. You can assess them with different tests to understand how they’ll perform. Don’t limit this to only technical skills. You also want to know about their ability to communicate, lead, problem-solve, and think critically.</li>
<li><strong>Get to know people during the interview process</strong>: This part of hiring can be challenging for you and candidates. They’re nervous, and you’re cautious. I urge you to get to know the person and their philosophy on cybersecurity and why they want to be in the industry. You can learn so much from someone when you ask their opinion and perspective. You’ll be able to recognize genuine interest and desire from these discussions.</li>
</ul>
<h2>Skills-Based Hiring in Cybersecurity: Keep Developing Your People</h2>
<p>Hiring based on skills fits the field of cybersecurity well. After all, you want employees to be able to deal with a dynamic environment. When you hire this way, you’re likely to find people with the right mix of abilities who want to be there for all the right reasons. Once they are on staff, keep developing them with an emphasis on soft skills. It’s not an easy journey, but you can find lots of advice on how to do this in my book, <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener"><em>The Smartest Person in the Room</em></a>, which features the Secure Methodology™. It’s a seven-step framework for improving and building these capabilities in technical folks. <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener">Check it out by getting your copy today.</a></p>
<p>The post <a href="https://christianespinosa.com/blog/cybersecurity-skills-based-hiring-why-tech-leaders-need-to-shift-their-idea-of-qualified/">Cybersecurity Skills-Based Hiring: Why Tech Leaders Need to Shift Their Idea of &#8216;Qualified&#8217;</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://christianespinosa.com/blog/cybersecurity-skills-based-hiring-why-tech-leaders-need-to-shift-their-idea-of-qualified/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Why Organizations Should Rethink What Cyber Leadership Means</title>
		<link>https://christianespinosa.com/blog/why-organizations-should-rethink-what-cyber-leadership-means/</link>
					<comments>https://christianespinosa.com/blog/why-organizations-should-rethink-what-cyber-leadership-means/#respond</comments>
		
		<dc:creator><![CDATA[Christian Espinosa]]></dc:creator>
		<pubDate>Sun, 23 Jul 2023 17:29:38 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Secure Methodology]]></category>
		<category><![CDATA[cyber leadership]]></category>
		<guid isPermaLink="false">https://christianespinosa.com/?p=2838</guid>

					<description><![CDATA[<p>In the cybersecurity landscape, it’s easy to label those in leadership positions as technical folks. Technical aptitude and expertise do matter in the field. However, cyber leadership in today’s climate has evolved to become a multifaceted role that requires communication, collaboration, and creativity. As a result of the many factors impacting cybersecurity, from talent shortages [&#8230;]</p>
<p>The post <a href="https://christianespinosa.com/blog/why-organizations-should-rethink-what-cyber-leadership-means/">Why Organizations Should Rethink What Cyber Leadership Means</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="size-medium wp-image-2839 alignright" src="https://christianespinosa.com/wp-content/uploads/2023/07/christina-wocintechchat-com-j64-40UYDu0-unsplash-300x200.jpg" alt="cybersecurity leadership" width="300" height="200" srcset="https://christianespinosa.com/wp-content/uploads/2023/07/christina-wocintechchat-com-j64-40UYDu0-unsplash-300x200.jpg 300w, https://christianespinosa.com/wp-content/uploads/2023/07/christina-wocintechchat-com-j64-40UYDu0-unsplash-1024x684.jpg 1024w, https://christianespinosa.com/wp-content/uploads/2023/07/christina-wocintechchat-com-j64-40UYDu0-unsplash-768x513.jpg 768w, https://christianespinosa.com/wp-content/uploads/2023/07/christina-wocintechchat-com-j64-40UYDu0-unsplash-1536x1025.jpg 1536w, https://christianespinosa.com/wp-content/uploads/2023/07/christina-wocintechchat-com-j64-40UYDu0-unsplash-2048x1367.jpg 2048w, https://christianespinosa.com/wp-content/uploads/2023/07/christina-wocintechchat-com-j64-40UYDu0-unsplash-640x427.jpg 640w" sizes="(max-width: 300px) 100vw, 300px" />In the cybersecurity landscape, it’s easy to label those in leadership positions as technical folks. Technical aptitude and expertise do matter in the field. However, cyber leadership in today’s climate has evolved to become a multifaceted role that requires communication, collaboration, and creativity.</p>
<p>As a result of the many factors impacting cybersecurity, from talent shortages to an increasingly sophisticated hacker network, organizations must rethink what cybersecurity leadership means. It’s pertinent to today and what will come tomorrow.</p>
<p>In this post, we’ll cover the maturity and changes present in cybersecurity leadership, areas in need of attention, and how those leading these efforts can create a healthy and thriving culture.</p>
<h2>Is Cybersecurity Leadership Getting the Standing It Should?</h2>
<p>It’s a fair question with many answers. Often, enterprises treat cybersecurity as a back-office part of a company. They don’t want to call too much attention to it internally or externally. The C-suite wants to quell any concerns about being cyber secure, but they don’t want to know the details.</p>
<p>This is a key problem, and it leads to greater risk. <a href="https://christianespinosa.com/blog/why-cybersecurity-deserves-a-seat-at-the-leadership-table/" target="_blank" rel="noopener">Cybersecurity deserves a seat at the leadership table</a>. Without this visibility, risk seems abstract. Cyber leaders have to convey the threat landscape as something real and imminent.</p>
<p>These threats will only grow as the business does. Many areas of emphasis related to business objectives must have security in mind. <a href="https://christianespinosa.com/blog/cyber-risk-and-digital-transformation-the-gap-is-growing/" target="_blank" rel="noopener">Digital transformation</a> initiatives, for instance, focus on modernization, agility, and automation. They all have a cybersecurity component. Additionally, the amount of data companies generate, collect, use, and store is massive. It’s the new fuel for companies to innovate and be more data-driven in decision-making. Unfortunately, it’s also very appealing to cybercriminals.</p>
<p>So, the first part of rethinking cyber leadership is ensuring they have a voice. Involving cybersecurity early and often in strategic plans is a must. For an organization to succeed here, it can’t be an afterthought.</p>
<p>Once they have a seat, maintaining attention means escaping the stereotype that cyber leaders only have technical aptitudes.</p>
<h2>Cyber Leaders Must Have an Array of Skills to Shift Organizations into Cyber Resilience</h2>
<p>Historically, many organizations have treated cyber leaders like <a href="https://christianespinosa.com/blog/a-ciso-isnt-a-technical-role/" target="_blank" rel="noopener">CISOs</a> (Chief Information Security Officers) as technical resources. They’ve never expected more, but they should. Those in these positions need a hard skill foundation, but there’s much more to winning the cybersecurity war than these abilities.</p>
<p>CISOs have the responsibility of securing a business. It’s a tall order that can’t be met with technical proficiency alone. They must make strategic decisions about business models, digitization, resources (human and technology), accessibility, network infrastructure, compliance, and more. These determinations don’t occur in a vacuum. Many stakeholders need to provide insights and recommendations. Gathering this intel, working through challenges, and creating value come from mastering soft skills.</p>
<p>Having these attributes isn’t always easy for cyber leaders. It’s a continuous journey of developing these skills. An open, flexible mindset is imperative. When those at this level have a well-rounded skill set, an organization can operate more intently and proactively regarding cyber threats.</p>
<p>Here are some ways that cyber leaders can use their entire range of skills to keep their organization secure:</p>
<ul>
<li><strong>Develop a cybersecurity strategy that’s more than technical.</strong> The foundation for cybersecurity is a good strategy. However, it can’t be solely technical in nature. It needs to align with business objectives and account for every kind of risk. The business context will typically drive what to prioritize. You may deal with competing priorities from different lines of business. Thus, you’ll need to be an active listener in hearing from these folks and then use transparent communication to convey your best course.</li>
<li><strong>Ensure cybersecurity always has influence.</strong> Anything dealing with data, network, and application security needs your expertise. Your effect should be across the enterprise to ensure a security-first approach. Some groups may see your role as one that inhibits innovation. It’s another misconception you’ll need to correct. The real issue is when no one invites cybersecurity to the discussion until much later.</li>
<li><strong>Be a storyteller.</strong> When interacting with other leaders in a company, cybersecurity heads have to evolve from technical presenters. It’s not just &#8220;Here are the facts, and this is why we’re right.&#8221; That doesn’t go very far in getting consensus and buy-in. When you get the opportunity to inject your expertise, talk to people on a human level rather than a technical one. Adjusting how you communicate will help people connect the dots on the business side. They won’t see you as someone here to spoil all their plans but as a partner invested in their success.</li>
<li><strong>Use conflict management skills to fight friction and tension.</strong> Cybersecurity is a serious business. Suffering a breach or attack has monetary and reputational consequences. Business leaders get that but rarely agree on how much money and resources should be allocated. There will also be disagreements about how to weave cybersecurity into the company’s digital footprint. Thus, there will be lots of negotiations, and they may be hostile at times. Cyber leaders must become good at conflict management and diplomacy to get everyone on the same page.</li>
<li><strong>Build a team that will follow your lead in honing people skills.</strong> Another area of responsibility is the staff you manage and develop. As noted, cybersecurity has a significant talent gap, with many open positions available and growing. Recruiting the right people and keeping them is critical for your role as a leader. You need a team that will be able to communicate and collaborate. When you assemble this group that encompasses hard and soft skills, you’ll be able to do much more to influence and cultivate a healthy cyber culture.</li>
</ul>
<p>So, how can you improve your own soft skills and those of your team to help you navigate cybersecurity’s future? The Secure Methodology™ can help.</p>
<h2>The Secure Methodology Supports and Empowers Cyber Leaders</h2>
<p>The Secure Methodology is a seven-step framework that transforms technical folks into communicators and collaborators. I developed it as a way for companies to develop their people in a way that would drive growth for individuals, teams, and businesses. It can be an excellent guide for empowerment and support. Here’s a quick preview of its pillars:</p>
<ul>
<li><strong>Awareness.</strong> Cyber professionals often lack understanding of themselves and others, and that causes conflict and obstacles to progress. Helping them move toward <a href="https://christianespinosa.com/blog/the-secure-methodology-step-one-awareness/" target="_blank" rel="noopener">awareness</a> widens their perspectives, which is crucial for organizations as they improve cybersecurity processes, policies, and strategies.</li>
<li><strong>Mindset.</strong> Enabling people to grow from a <a href="https://christianespinosa.com/blog/fixed-vs-growth-mindset/" target="_blank" rel="noopener">fixed to a growth mindset</a> ensures they consider the future and how to tackle emerging threats. This is so key for cyber leaders and teams to grasp. There’s no communication, collaboration, or innovation when the mindset is closed. Instead, cybersecurity operates in a silo, never changing or adapting. It creates much frustration on the business side and accelerates risk. Shifting mindset isn’t easy. With a commitment to it and by following the exercises, you can begin to see real change here.</li>
<li><strong>Acknowledgment.</strong> As a cyber leader, you have ultimate control over this. It starts with how you treat your employees when they do something right and something wrong. Appreciation for when they perform well and win over cybercriminals should be consistent and frequent. When they receive this positive response, they feel they are part of something, and the need to adapt their perspectives seems less scary. Accountability for bad performance or mistakes is important, too, but this should happen in private. It should involve going through the issue and determining what went wrong so it isn’t repeated.</li>
<li><strong>Communication.</strong> Being a great communicator and encouraging this in your staff is the number one people skill to have. When <a href="https://christianespinosa.com/blog/the-secure-methodology-step-four-communication/" target="_blank" rel="noopener">communication</a> is transparent, honest, and free of jargon, there’s no ambiguity. Speaking inclusively within the team and outside of it sets you up to be a strong leader for the enterprise. Practice this every day with your team.</li>
<li><strong>Monotasking.</strong> In <a href="https://christianespinosa.com/blog/the-secure-methodology-step-five-monotasking/" target="_blank" rel="noopener">monotasking</a>, a worker focuses on one task, and it’s something rarely used in any role. Most think we should all be multitasking, but that misconception leads to errors and mistakes. Concentration matters, and this is something to champion for yourself, your team, and the entire enterprise.</li>
<li><strong>Empathy.</strong> <a href="https://christianespinosa.com/blog/the-secure-methodology-step-six-empathy/" target="_blank" rel="noopener">Cognitive empathy</a> means you understand another’s feelings and perspective. While it seems pretty basic, it’s not as prevalent as we would like. When your cyber team does act with this in mind, it supports awareness, mindset, and communication. Encouraging an empathetic culture will be crucial to growth and evolution.</li>
<li><strong>Kaizen.</strong> This Japanese term means “continuous improvement,” and any cyber leader will flourish with this perspective. Making it part of your philosophy will ensure the continued progression of cyber leadership as a key to a company’s future success.</li>
</ul>
<p>The Secure Methodology is an agent of change. Change is the hardest part of any job, but it’s necessary in cybersecurity because of the dynamic nature of the field. By applying it to your cybersecurity culture, you can impact how the enterprise views you and the influence you have. You can learn more about it by reading my book, <em><a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener">The Smartest Person in the Room</a></em>.</p>
<p>The post <a href="https://christianespinosa.com/blog/why-organizations-should-rethink-what-cyber-leadership-means/">Why Organizations Should Rethink What Cyber Leadership Means</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://christianespinosa.com/blog/why-organizations-should-rethink-what-cyber-leadership-means/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Cybersecurity Isn’t Black and White: Why Cyber Leaders and Their Teams Must Embrace the Gray</title>
		<link>https://christianespinosa.com/blog/cybersecurity-isnt-black-and-white-why-cyber-leaders-and-their-teams-must-embrace-the-gray/</link>
					<comments>https://christianespinosa.com/blog/cybersecurity-isnt-black-and-white-why-cyber-leaders-and-their-teams-must-embrace-the-gray/#respond</comments>
		
		<dc:creator><![CDATA[Christian Espinosa]]></dc:creator>
		<pubDate>Mon, 17 Jul 2023 01:18:43 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Secure Methodology]]></category>
		<category><![CDATA[cybersecurity leaders]]></category>
		<category><![CDATA[gray]]></category>
		<guid isPermaLink="false">https://christianespinosa.com/?p=2836</guid>

					<description><![CDATA[<p>One of the biggest risks you face in cybersecurity has little to do with cybercriminals and the myriad of ways they attack your organization. A threat that looms within many cyber teams is that many technical people see the landscape as black and white, meaning they have a narrow view of cybersecurity and don’t want [&#8230;]</p>
<p>The post <a href="https://christianespinosa.com/blog/cybersecurity-isnt-black-and-white-why-cyber-leaders-and-their-teams-must-embrace-the-gray/">Cybersecurity Isn’t Black and White: Why Cyber Leaders and Their Teams Must Embrace the Gray</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="size-medium wp-image-2837 alignright" src="https://christianespinosa.com/wp-content/uploads/2023/07/scott-webb-PkJOP7JfVfk-unsplash-300x200.jpg" alt="cybersecurity leaders gray" width="300" height="200" srcset="https://christianespinosa.com/wp-content/uploads/2023/07/scott-webb-PkJOP7JfVfk-unsplash-300x200.jpg 300w, https://christianespinosa.com/wp-content/uploads/2023/07/scott-webb-PkJOP7JfVfk-unsplash-1024x683.jpg 1024w, https://christianespinosa.com/wp-content/uploads/2023/07/scott-webb-PkJOP7JfVfk-unsplash-768x512.jpg 768w, https://christianespinosa.com/wp-content/uploads/2023/07/scott-webb-PkJOP7JfVfk-unsplash-1536x1025.jpg 1536w, https://christianespinosa.com/wp-content/uploads/2023/07/scott-webb-PkJOP7JfVfk-unsplash-640x427.jpg 640w" sizes="(max-width: 300px) 100vw, 300px" />One of the biggest risks you face in cybersecurity has little to do with cybercriminals and the myriad of ways they attack your organization. A threat that looms within many cyber teams is that many technical people see the landscape as black and white, meaning they have a narrow view of cybersecurity and don’t want to welcome new ideas or approaches. Such thinking puts cyber leaders and their staff in a perilous position.</p>
<p>The reality is that cybersecurity lives mostly in the gray. There’s uncertainty in the gray, and cyber professionals often feel very uncomfortable in such a space. Getting down to the why behind this is important for your risk posture and ability to beat the hackers. Let’s talk about the dangers of black-and-white thinking and how you transition your team to embrace the gray with the Secure Methodology™.</p>
<h2>Why Black-and-White Thinking Increases Risk</h2>
<p>Black-and-white thinking isn’t sustainable for any job. It becomes even more of a problem when working in a dynamic ecosystem like cybersecurity. There are so many factors and components that impact it, so it’s critical for those working on it to be flexible and adaptable. However, that’s a tall order for many technical people. Here’s why.</p>
<h3>Black-and-White Perspectives Hinder Communication and Collaboration</h3>
<p>Communication and collaboration are key people skills that technical folks need to thrive in cybersecurity. It’s rather hard to create this kind of culture when people think in a binary manner. It’s difficult for communication and collaboration to be transparent and open when those participating are stuck in a <a href="https://christianespinosa.com/blog/fixed-vs-growth-mindset/" target="_blank" rel="noopener">fixed mindset</a>.</p>
<p>They’ve been applying this perspective well in the technical aspects of cybersecurity. Sometimes there are right and wrong answers. So, there’s no discussion necessary because it’s math and science, and these disciplines can be black and white.</p>
<p>Cybersecurity is much more than the math and science elements. It’s evolving and constantly changing. So, people have to ask questions and use people skills like problem-solving and critical thinking. It seems simple, but black-and-white thinkers will find it difficult because they have to challenge their own conclusions. Often, they lack the ability to be curious and will resort to what they know and stay in that lane. As a result, hackers can get the upper hand because they are more agile in their strategies.</p>
<p>The damage that a lack of communication does can be immense. Communication is the foundation for every successful cyber team. Without it, there are only assumptions and misconceptions. There’s no transparency, which affects every area of cybersecurity. You’ll have an internal group that’s working in silos, and their interactions with other departments will be disastrous, earning your team a <a href="https://christianespinosa.com/blog/does-your-cyber-team-have-a-bad-reputation-why-their-lack-of-soft-skills-causes-friction/" target="_blank" rel="noopener">bad reputation</a>.</p>
<h3>Black-and-White Thinking Covers Up Insecurities</h3>
<p>Most cyber professionals seem to be very secure in their knowledge and ability to understand the threat landscape. Sometimes that’s just a facade for their insecurities. They desire everything to be certain; when it’s not, their response is not to communicate and collaborate. Rather, they will posture and use geek speak to cover up the fact that they don’t know all the answers. They’ll figure it out on their own or not at all. Insecurities are another weakness that has nothing to do with your cyber framework.</p>
<h3>Black-and-White Thinking Leads to Burnout and Attrition</h3>
<p>There are other hidden dangers of black-and-white thinking that impact those in this mindset and others working with them. If someone is so rigid in how they view the cyber landscape and the protection of networks and data, they may keep losing battles with hackers. They then put more pressure on themselves to be more aggressive without understanding or discussing the root causes. As a result, people end up feeling <a href="https://christianespinosa.com/blog/burnout-in-cybersecurity-can-you-prevent-it/" target="_blank" rel="noopener">burnout</a>. It’s a pervasive problem for cyber professionals. This unsustainable level of stress is why <a href="https://www.gartner.com/en/newsroom/press-releases/2023-02-22-gartner-predicts-nearly-half-of-cybersecurity-leaders-will-change-jobs-by-2025" target="_blank" rel="noopener">nearly half of all security leaders will change jobs by 2025</a>.</p>
<p>Burnout can lead to attrition, but many black-and-white thinkers will stay on their path and won’t succumb to burnout. Doing so will only make things worse and can be a catalyst for more errors and weaknesses.</p>
<p>Solving burnout is something cyber leaders deal with, and it’s not an easy task. It’s not just the black-and-white thinkers that feel the effects. Their colleagues become frustrated with their inability to be insightful and reflective. This creates a cybersecurity culture that’s unhealthy and toxic, so those high performers will leave you as well.</p>
<p>Recruitment is something you’re struggling with, and this only makes it worse. Before you rebuild the team, you need to work on the culture and expectations and move people to the gray. There are many approaches you can take to this significant problem. Most of those are traditional options, but they don’t work much of the time. There are opportunities beyond this, and that’s why I developed the Secure Methodology.</p>
<h2>Changing Black-and-White Thinkers with the Secure Methodology</h2>
<p>The Secure Methodology is a seven-step guide for cyber professionals to embrace people skills and develop them. When someone goes through the process, they’ll have the tools and perspectives that welcome the gray parts of cybersecurity. Here’s a preview of those seven steps and how they can impact black-and-white thinking.</p>
<h3>Awareness</h3>
<p>The Secure Methodology begins with helping people be aware of themselves and others. When <a href="https://christianespinosa.com/blog/the-secure-methodology-step-one-awareness/" target="_blank" rel="noopener">awareness</a> is absent, it creates blind spots and causes friction between staff. When people aren’t aware, they live in a black-and-white box and can’t communicate effectively.</p>
<p>A mind has to be open to new perspectives to achieve awareness. You can use coaching methods to work on communication and gain insight into their motivations. The exercises in this step open up eyes to the gray.</p>
<h3>Mindset</h3>
<p>Next is <a href="https://christianespinosa.com/blog/the-secure-methodology-step-two-mindset/" target="_blank" rel="noopener">mindset</a>, and when it’s fixed, there’s no room for the gray. Shifting mindset to be one of growth requires accountability. People have to realize that a fixed mindset is really a trap. You can help open it with reflection, asking questions, and urging them to be faster in decision-making.</p>
<h3>Acknowledgment</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-three-acknowledgment/" target="_blank" rel="noopener">Acknowledgment</a> is a problem for many organizations and departments. When it’s not present, employees can disengage and become resentful. If the only acknowledgment people receive is negative, it feeds into black-and-white thinking.</p>
<p>Another aspect of a lack of acknowledgment is that you aren’t demonstrating that cybersecurity is complicated and that no one could possibly know all the answers. In black-and-white minds, the complexity grows, and they lose their ability to have simple conversations. To rectify this situation, you’ll need to recognize your folks in a positive way. In turn, that builds trust and rapport.</p>
<h3>Communication</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-four-communication/" target="_blank" rel="noopener">Communication</a> is step four, but it’s critical to every stage. We looked at why technical folks have such trouble with communication. If they have to be open and inclusive communicators, it breaks down their black-and-white layers, which feels uncomfortable.</p>
<p>Transforming these people into effective communicators requires a lot of work from them and you. There are exercises that can be helpful, and you should continue to introduce these to your team. Ensure that the geek speak fades, replaced by inclusive language that involves active listening.</p>
<h3>Monotasking</h3>
<p>Is <a href="https://christianespinosa.com/blog/the-secure-methodology-step-five-monotasking/" target="_blank" rel="noopener">monotasking</a> really a good thing? After all, most people praise the ability to multitask. However, multitasking often leads to errors and mistakes. Black-and-white minds can multitask just fine because they operate within a specific set of parameters. But these behaviors feed into burnout and anxiety.</p>
<p>Encouraging your team to monotask can help them be more reflective in the decisions they make because there are no distractions. They’ll also be more productive in the long term. Advise your staff to block off certain parts of the day to monotask and concentrate on one specific objective. It can give them a better sense of balance as well.</p>
<h3>Empathy</h3>
<p>Black-and-white mindsets have little room for empathy, but it’s critical to any culture. The type of empathy you need to cultivate is enabling people to see the perspectives of others. It can also help reduce feelings of us vs. them in your organization.</p>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-six-empathy/" target="_blank" rel="noopener">Empathy</a> is a vital soft skill, but it’s something we have to learn and develop. Walking people through this phase can make them better cyber professionals and people. There are activities in this step to foster this transition.</p>
<h3>Kaizen</h3>
<p>The last step is a Japanese term meaning “continuous improvement.” As a stage in the Secure Methodology, the focus is root cause analysis. This requires critical thinking and the ability to see the gray. When you practice root cause analysis, you have visibility into the challenges and how to address them. This stage never ends, as people must continue to change and adapt.</p>
<h2>Start Your Journey to Embracing the Gray with the Secure Methodology</h2>
<p>The path toward having gray thinkers will have detours and barriers. The Secure Methodology has a journey with those bumps in mind. It can be a valuable tool in developing your people and keeping your organization more secure.</p>
<p><a href="https://christianespinosa.com/programs/secure-methodology/" target="_blank" rel="noopener">Learn more about it by checking out the Secure Methodology course</a>.</p>
<p>The post <a href="https://christianespinosa.com/blog/cybersecurity-isnt-black-and-white-why-cyber-leaders-and-their-teams-must-embrace-the-gray/">Cybersecurity Isn’t Black and White: Why Cyber Leaders and Their Teams Must Embrace the Gray</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://christianespinosa.com/blog/cybersecurity-isnt-black-and-white-why-cyber-leaders-and-their-teams-must-embrace-the-gray/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Is the Cybersecurity Skills Gap Fact or Fiction? It Depends on the Skills</title>
		<link>https://christianespinosa.com/blog/is-the-cybersecurity-skills-gap-fact-or-fiction-it-depends-on-the-skills/</link>
					<comments>https://christianespinosa.com/blog/is-the-cybersecurity-skills-gap-fact-or-fiction-it-depends-on-the-skills/#respond</comments>
		
		<dc:creator><![CDATA[Christian Espinosa]]></dc:creator>
		<pubDate>Mon, 17 Jul 2023 01:14:21 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Secure Methodology]]></category>
		<category><![CDATA[cybersecurity skills gap]]></category>
		<guid isPermaLink="false">https://christianespinosa.com/?p=2834</guid>

					<description><![CDATA[<p>In the conversation revolving around cybersecurity and the shortage of workers, one thing that gets tossed around a lot is the cybersecurity skills gap. Many cybersecurity leaders are feeling the pinch to recruit and retain workers that have the right abilities, but is this fact or fiction? The answer is that it depends on the [&#8230;]</p>
<p>The post <a href="https://christianespinosa.com/blog/is-the-cybersecurity-skills-gap-fact-or-fiction-it-depends-on-the-skills/">Is the Cybersecurity Skills Gap Fact or Fiction? It Depends on the Skills</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="size-medium wp-image-2835 alignright" src="https://christianespinosa.com/wp-content/uploads/2023/07/suad-kamardeen-MYKAZlzW6Nw-unsplash-300x200.jpg" alt="cybersecurity skills gap" width="300" height="200" srcset="https://christianespinosa.com/wp-content/uploads/2023/07/suad-kamardeen-MYKAZlzW6Nw-unsplash-300x200.jpg 300w, https://christianespinosa.com/wp-content/uploads/2023/07/suad-kamardeen-MYKAZlzW6Nw-unsplash-1024x683.jpg 1024w, https://christianespinosa.com/wp-content/uploads/2023/07/suad-kamardeen-MYKAZlzW6Nw-unsplash-768x512.jpg 768w, https://christianespinosa.com/wp-content/uploads/2023/07/suad-kamardeen-MYKAZlzW6Nw-unsplash-1536x1024.jpg 1536w, https://christianespinosa.com/wp-content/uploads/2023/07/suad-kamardeen-MYKAZlzW6Nw-unsplash-2048x1365.jpg 2048w, https://christianespinosa.com/wp-content/uploads/2023/07/suad-kamardeen-MYKAZlzW6Nw-unsplash-640x427.jpg 640w" sizes="(max-width: 300px) 100vw, 300px" />In the conversation revolving around cybersecurity and the shortage of workers, one thing that gets tossed around a lot is the cybersecurity skills gap. Many cybersecurity leaders are feeling the pinch to recruit and retain workers that have the right abilities, but is this fact or fiction?</p>
<p>The answer is that it depends on the skills desired for the position and involves technical and people skills. So, where are the biggest gaps, and how can you develop these in your people?</p>
<p>In this post, we’ll dive into some data related to the cybersecurity skills gaps. Then, we’ll look at solutions to bridge it.</p>
<h2>What Are Cybersecurity Leaders Saying About the Skills Gap?</h2>
<p>The profession of cybersecurity is in a state of decline. The <a href="https://www.isc2.org/Research/Workforce-Study" target="_blank" rel="noopener">2022 (ISC)² Cybersecurity Workforce Study</a> reported that the industry needs 410,695 people to meet demand in the U.S. This shortage of workers is a cause of great concern for many reasons, including that it’s putting organizations at greater risk of cyberattacks. In fact, 74% of survey respondents said the problem is at least a moderate risk. The leading reason for the gap, according to the report, is a lack of qualified talent. As a result, 62% of organizations are investing in recruiting and hiring, and another 64% are doing the same for training.</p>
<h3>What Do People Need to Be Qualified?</h3>
<p>So, what skills do these people lack that marks them as not qualified? If you look at education, 88% of cyber professionals responding to the workforce study had at least a bachelor’s degree, with 48% having a master’s or higher. This would indicate proficiency and deep knowledge of hard skills. When asked about the qualifications that are the most important, hiring managers ranked these the highest:</p>
<ul>
<li>Strong problem-solving skills</li>
<li>Relevant IT or cybersecurity experience</li>
<li>Knowledge of basic and advanced cybersecurity concepts</li>
<li>Strategic thinking skills</li>
</ul>
<p>Cybersecurity certifications trended down as a must-have for employment, as did educational requirements. What we can gather from this data is that attractive qualifications have shifted to focus on soft skills, experience, and fundamentals.</p>
<p>Another report from ISACA revealed that <a href="https://www.isaca.org/state-of-cybersecurity-2022" target="_blank" rel="noopener">55% of cybersecurity leaders</a> believe candidates aren’t qualified. Those respondents did emphasize experience and training but also prioritized education and certifications. These responses are somewhat in conflict, specifically in prioritizing credentials and education. These will always be things that can demonstrate a person’s technical aptitude. It depends on the degree and the certification, as often these people can be <a href="https://christianespinosa.com/blog/cybersecurity-paper-tigers-are-killing-us/" target="_blank" rel="noopener">paper tigers</a>: they look great on paper but don’t have the practical knowledge to be effective and high performing.</p>
<p>Qualified ultimately comes down to the skills someone possesses. These can be the result of earning a degree or certification. Others we learn through life and work experience. So, where is the real skills gap?</p>
<h2>The Cybersecurity Skills Gap Reality: It’s More About the People Skills</h2>
<p>A cyber professional can be the literal smartest person in the room when it comes to understanding all the technical aspects. They may be up-to-date on the attacks hackers are launching, the latest cybersecurity automation tools, and have superior knowledge about the cloud or controls. From the ISACA report, cyber managers listed these as the most significant skills gaps:</p>
<ul>
<li>Interpersonal skills, including critical thinking, problem-solving, collaboration, and attention to detail</li>
<li>Cloud computing</li>
<li>Security controls knowledge related to endpoints, networks, applications, and implementation</li>
<li>Coding abilities</li>
<li>Software development capabilities such as languages, machine code, testing, and deployment</li>
<li>Data-focused areas such as classification, collection, processing, and structure</li>
<li>Network aptitudes regarding architecture and network components</li>
<li>Pattern analysis</li>
<li>System hardening</li>
<li>Hardware, software, and file system devices</li>
</ul>
<p>This list has both soft and technical skills, but soft skills were at the top for cyber leaders. Looking more specifically at the <a href="https://christianespinosa.com/blog/how-to-develop-soft-skills-in-your-cybersecurity-team/" target="_blank" rel="noopener">interpersonal skills</a> they favor, it aligns with qualifications.</p>
<p>They need people to apply their cybersecurity knowledge with better people skills to ensure teams can work together to solve problems and not let things fall through the cracks. To do this, technical folks must be great communicators and collaborators, which is often tricky. Are these even skill sets someone can develop?</p>
<p>When assessing the cybersecurity skills gap, soft skills are the biggest challenge. So, how do you bridge the gap? There are many strategies to take that require a shift in perspective regarding talent acquisition and improving the abilities of your current staff.</p>
<h2>Strategies for Bridging the Cybersecurity Skills Gap</h2>
<p>There are two concepts at play. First, you need a recruitment strategy to find and develop people with hard and soft skills who demonstrate great potential. Second, you need a plan to help current employees grow their people skills, so they can thrive and be successful.</p>
<h3>Reframing Your Recruitment Strategy</h3>
<p>If you want to improve your talent acquisition pipeline, you’ll need to adjust your parameters. A focus on skills-based hiring is the first step. In this framework, you’re putting less importance on a degree and more on the person’s ability to do the work based on their attributes.</p>
<p>To do this, you have to look at more than their resume. Not every person is going to have every qualification, especially hands-on experience. They can’t get it if no one gives them a shot. You can use some different assessments to understand someone’s potential.</p>
<p>Once you begin interviewing, you’ll have the opportunity to evaluate their communication and problem-solving skills by asking questions about these two things, such as:</p>
<ul>
<li>How did you communicate with stakeholders regarding a challenge in a project?</li>
<li>In what ways do you use critical thinking when faced with a problem?</li>
</ul>
<p>They could be a great performer in your organization if you see something in them. If they don’t have every credential you expect, you can help them obtain it while they learn on the job.</p>
<p>Remember that new people may be entering cybersecurity as their second act. They may have a lot of great experience in other fields that translates into transferable soft skills. These are people likely worth adding to your team. If they have the motivation and desire, they will continue to hone their technical skills.</p>
<h3>Continuing to Develop People Skills for All Your Technical Folks</h3>
<p>Whether someone started yesterday or 10 years ago, they must continue a journey to improve their soft skills. A lack of focus on this can have detrimental consequences. You may have enough people that know cyber in theory, but their inability to connect and communicate can elevate risk.</p>
<p>As a framework to do this, I developed the <a href="https://christianespinosa.com/blog/how-to-develop-soft-skills-in-your-cybersecurity-team/" target="_blank" rel="noopener">Secure Methodology</a>™. It’s a seven-step process that cyber leaders can use to transform black-and-white technical people into those that see the gray in situations by becoming better at interpersonal skills.</p>
<p>Here’s a preview of the steps and how they bridge the cybersecurity skills gap.</p>
<h4>Awareness</h4>
<p>The journey starts with <a href="https://christianespinosa.com/blog/the-secure-methodology-step-one-awareness/" target="_blank" rel="noopener">Awareness</a>, which applies to the self and others. When this isn’t present, people do not understand their behaviors or that they are causing conflict, friction, and resentment. Moving people into an awareness state helps them gain more respect for others, which is key to a high-performing team.</p>
<h4>Mindset</h4>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-two-mindset/" target="_blank" rel="noopener">Mindset</a> is the next step; the goal is to move a person from a fixed mindset to a growth one. With this shift, people become more open and willing to see the many sides of an issue. Supporting this with the 7 Levels Deep exercise is a good foundation.</p>
<h4>Acknowledgment</h4>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-three-acknowledgment/" target="_blank" rel="noopener">Acknowledgment</a> is something cyber leaders must initiate. When you acknowledge people for their work, you’re creating a culture of trust and transparency. It can be a good tactic to combat burnout, or the persistent thinking cyber professionals have that they must know everything and can do anything. If people admit they don’t know, they can be open to learning and growing.</p>
<h4>Communication</h4>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-four-communication/" target="_blank" rel="noopener">Communication</a> is the most vital soft skill and is part of every exchange we have in life. Technical folks that rely on geek speak and non-inclusive language aren’t good communicators. In fact, most people will feel they are being condescending and rude. Those aren’t the communication skills you want to see in your people! In this stage, you apply activities and exercises that focus on listening as much as talking. If you prioritize communication, it becomes part of your culture and is in continuous development.</p>
<h4>Monotasking</h4>
<p>You may not think that <a href="https://christianespinosa.com/blog/the-secure-methodology-step-five-monotasking/" target="_blank" rel="noopener">Monotasking</a> is a preferred skill. After all, most people are multitasking all day long, but it can lead to more stress and errors. Introducing the concept to your team may be met with resistance. Explain why working without distractions is important, as it builds the attention to detail skill set that matters considerably in cybersecurity.</p>
<h4>Empathy</h4>
<p>In the Secure Methodology, <a href="https://christianespinosa.com/blog/the-secure-methodology-step-six-empathy/" target="_blank" rel="noopener">cognitive empathy</a> is the focus. It describes when you can understand another’s feelings and points of view. This capability is crucial in communication and collaboration. Seeking this out in new hires and working to help people improve it are a big win in the skills gap.</p>
<h4>Kaizen</h4>
<p>Kaizen is a Japanese term meaning “continuous improvement.” It’s a step that’s never over, as you want your staff to continue to improve their hard and soft skills. To align with this, they must be comfortable with adaptability and flexibility.</p>
<h2>The Cybersecurity Soft Skills Gap Is Fact; Close It With the Secure Methodology</h2>
<p>Closing the skills gap takes time and commitment. With the Secure Methodology, you have a framework to support your efforts. <a href="https://programs.christianespinosa.com/the-secure-methodology" target="_blank" rel="noopener">Get more details on how it helps by learning about the Secure Methodology course</a>.</p>
<p>The post <a href="https://christianespinosa.com/blog/is-the-cybersecurity-skills-gap-fact-or-fiction-it-depends-on-the-skills/">Is the Cybersecurity Skills Gap Fact or Fiction? It Depends on the Skills</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://christianespinosa.com/blog/is-the-cybersecurity-skills-gap-fact-or-fiction-it-depends-on-the-skills/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
