The Cyber Threat No One Talks About — the Absence of a Cybersecurity Culture

In the conversation regarding cyber threats, the focus is typically on defeating cybercriminals. The threat lens is from the outside, which is very true. Hackers are motivated and persistent in their pursuit of stealing data, deploying ransomware, and causing havoc.

However, an equally potent cyber threat is what’s happening within an organization. A lack of a cybersecurity culture can increase risk exponentially. While the concept of a cybersecurity culture isn’t new, it’s still a challenge for most technical teams. When it’s not present, cyber professionals work in silos, avoid accountability, communicate ineffectively, and erode collaboration.

If these characteristics seem too familiar, it’s time to address, reimagine, or build a culture that values communication, collaboration, curiosity, awareness, and cooperation. Failure to pivot and adopt such a framework could be the reason that you become a cyber statistic.

What’s the Ideal Cybersecurity Culture?

For the purpose of this discussion, I’m referring to cybersecurity culture as the principles and values of the cyber team, not the enterprise. There is a difference. In the latter, cybersecurity culture describes how all stakeholders and employees understand the threat landscape and work toward adopting best practices to avoid things like phishing attacks.

In terms of your team, cybersecurity culture is the environment in which your technical folks work to prevent attacks, analyze risks, deploy new strategies, and keep the organization as secure as possible.

The ideal culture to aim for includes these ingredients:

  • Consistent and clear communication
  • Awareness around someone’s actions and the perspectives of others
  • A foundation of trust and respect
  • Collaborative interactions that support the organization
  • Championing a growth mindset where individuals can adapt and evolve
  • Empathy and understanding other’s feelings and perceptions

You may find this list overwhelming, but these are the tenets of any effective culture. Each of these elements is necessary to drive progress on the individual and team levels. So, what happens when culture is nonexistent? And what’s the impact on risk?

A Lack of Cybersecurity Culture Compounds Risk

As a cyber professional, your entire view of your actions is measured in risk. Even those businesses with robust cyber controls still have exposure to risk. It’s unavoidable in the modern age. Except that the threat isn’t always outside. Cybercriminals are rightly painted as the enemy, but the absence of a cybersecurity culture makes you more vulnerable. Here’s why.

Shared Responsibility and Accountability Failures

Your cyber team must be one that shares responsibility and takes accountability. There is no leeway on this one. It would seem to be a given that your people must work together in every component of security. Unfortunately, this isn’t happening in most organizations.

The reasons are complex, but ultimately, it comes down to the fact that technical folks have deficiencies in people skills. They are defensive and aggressive with communication and singularly focus on what they believe are the proper practices. Instead of forming a team to defeat the hackers, they often in-fight with one another, each trying to take the title of the smartest person in the room. As with any situation like this, internal animosity gives cybercriminals the edge.

Communication Stalls, Heightening Risk Incrementally

When your people are acting as teams of one, communication is toxic and ineffective. It comes out as snide remarks with an air of condescension in every word. How can a team protect your organization when they can’t even communicate?

You likely recognize the attributes of dysfunctional communication within your team. However, you might not see it for the risk it truly is. Without a set of rules around discussion and conversation as part of your culture, you will experience greater risk in every area of cybersecurity.

Acknowledgment Gaps Grow Seeds of Disengagement

Another key part of a cybersecurity culture is acknowledgment. All too often, the only acknowledgment teams receive is about what went wrong. You can’t avoid mistakes and errors, but as the cyber leader, you need to make room for acknowledgment of progress and what’s going right.

Your cybersecurity culture has to be a safe place for this to occur so that feedback can be more positive and specific. You can still correct behavior and guide people toward best practices. If this never happens, employees will become disengaged and resentful. They’ll see you or the organization as the enemy, not the hackers.

These challenges are inherent in cybersecurity but not without a solution. Transforming technical professionals into excellent communicators and collaborators is the core of building your culture.

How to Build a Sustainable Cybersecurity Culture

No matter how mature or large your cyber department is, you can construct and foster a sustainable culture that decreases risk. As someone who has years of experience building resilient and adaptable technical teams, I found it evident that culture was a people problem.

As a result, I developed strategies and initiatives to correct it in the Secure Methodology™. It’s a seven-step process that helps cyber leaders develop soft skills in their staff with the outcome of a cohesive team ready to protect an organization. Here’s how it applies to culture development.

Employees Need to Know Their Contributions

The seven-step guide touches on how employees see themselves in terms of the enterprise and its impacts. The problems with this are twofold. First, they often believe themselves to be individual contributors because they subscribe to a lot of black-and-white thinking. They want to remain solely in their lane, which causes silos and fractures in collaboration and communication.

The second part is that they don’t feel valued or appreciated for what they do. As a result, they don’t know that what they do matters, which makes them complacent, elevating risk.

To address this, you need to work on acknowledgment, provide a clear vision of the role cyber teams play in company objectives, and champion constant communication.

A Shift to a Growth Mindset Is Imperative

You can either have a fixed or growth mindset, and cybersecurity culture only flourishes under the latter. When your technical employees are set in how they see cybersecurity and the world, they can’t grow. It’s not about learning new technical skills; they feel comfortable with this. Rather, it’s about changing perspective, which requires hard work.

If you can construct a culture that encourages growth and change, your people may be less afraid to do so. They have the potential to do this. It simply requires commitment.

Communication Is Everything

Communication includes the words we use, how we interact, and our listening ability. A lot of communication is actually nonverbal, and I can’t emphasize enough how crucial it is to understand that.

Typical technical communication is acronyms, jargon, and overcomplicating the simplest explanation. Cyber professionals have been indoctrinated in many ways to communicate in this way. It’s time for you to help them break these bad habits because they’re hurting all parties.

You’ll need to dedicate a lot of soft skill development to communication with exercises and resources. You also must lead by example, ensuring that your message is consistent and instructive. It becomes the bedrock of your cybersecurity culture, enabling your team to work as one.

Communication skills are also always in need of improvement and work. With any change to culture or new risk on the horizon, your team must continue using what they learn. That’s how it becomes culture — through daily use!

Focus and Distractions in a Dynamic Environment

Another component of building a cybersecurity culture is that the environment is so dynamic. As a result, focus can become disrupted, and distractions are plentiful. The best way I know to tackle this is by monotasking.

Monotasking requires concentrated work. It’s not a term that’s celebrated in the business world because it’s the opposite of multitasking. We’re brainwashed to multitask constantly; when we do, our attention strays. In cybersecurity, this becomes a threat.

The demands on cybersecurity never ease and require immediate responses. This paradigm won’t change. However, if your culture encourages monotasking, so that focus on specific tasks is distraction-free, your people will likely be more productive and effective.

Connecting with Others Means Shedding Self-Centered Thinking

A healthy cybersecurity culture focuses on cognitive empathy. It’s the notion of understanding the feelings of others and their perceptions. Empathy is the choice to connect with someone and accept their perspective. When present, it delivers many advantages in how you manage cyber risk because it fuels the belief that change and adaptation are good.

Again, empathy starts with you as a leader. If you demonstrate it regularly, it begins to weave its way into your culture. Making it a priority to educate your people on empathy and how to make it part of their skill set is critical to their remembering who the real enemy is — the hackers.

A Strong Cybersecurity Culture Thwarts Internal Threats

Cultivating a strong cybersecurity culture is something you have control over, which is rare in the field. If you promote one that values communication, collaboration, trust, acknowledgment, and empathy, you have an advantage over external threats. You can learn more about applying the Secure Methodology to culture by reading my book, The Smartest Person in the Room.

Improving Cybersecurity Communication Skills: Why It’s More Than Just Being Articulate

Communication is a skill vital to every role in an organization. Without it, we make assumptions, and breakdowns occur in processes and workflows. It’s often the leading reason for dysfunction in a group. It has equal importance in cybersecurity. However, cybersecurity communication skills are often poor or nonexistent.

When communication fails, your cybersecurity provisions and safety nets can, too. It raises risk and creates distrust in the group. It’s also the most vital soft skill that organizations seek in hiring, according to a recent industry survey.

So, there’s no argument from the field that cybersecurity communication skills are critical. The problem is that most companies aren’t doing anything to develop it in their people. If they are, the training may be obsolete or ineffective, such as online learning classes. Can you really hone your communication skills by watching a video? The answer is likely no. It requires interactive exercises and a strategic approach.

Further, companies often put communication skills in a box that doesn’t apply to all facets. For example, being a great communicator isn’t simply about being articulate. Many technical people are. Yet, communication failures still occur. Communication is a multi-faceted skill that includes being aware of others and their perspectives, understanding nonverbal cues, being active listeners, and communicating to be inclusive (versus lots of jargon and tech-speak).

Communication is step four of the Secure Methodology, which is a seven-step guide I documented in my book, The Smartest Person in the Room. Its purpose is to help cybersecurity leaders transform their people with soft skills to work together more effectively to combat cyberattacks.

In this post, I’ll break down each element of communication and offer tips to develop those in your people.

Cybersecurity Communication Skills: The Four Facets

There are four components of becoming a great communicator as a technical professional. Consider all these when crafting a program that lifts soft skills.

Inclusive Language

Technical people have a reputation for talking in jargon that only “insiders” understand. They do this for several reasons. First, it makes them feel more confident and that they have control of the conversation. They feel comfortable with the geek speak as a nod to their superiority over all things cyber-related.

Using this language also means that others are less likely to call them out, which they secretly fear. If other people understood what they were saying about risks, threats, and solutions, they might receive more questions and requests for explanations. They would see this as losing “control” of the interaction.

Ultimately, this type of communication helps no one. Your technical people don’t get better at defining threats and solutions, so you don’t improve in that area. Also, they won’t be able to convey critical information to leadership, which could impact funding and resources. As a result, the entire organization suffers from greater risk exposure. These patterns are the hardest to break but pivotal because shared language leads to success.

Understanding Nonverbal Cues

A big part of communication is the things we don’t say. Body language presents context around what people say. Often, words don’t match these cues. According to Mehrabian’s 7-38-55 theory, most comprehension is via body language (55%). So, what does that mean exactly?

Focusing only on the spoken words can be an opportunity to miss the message. Ignoring body language as a part of communication causes communication breakdowns. When interacting with others, we need to pay attention to body language because it conveys more than words.

Body language can change suddenly in a conversation, and catching those clues is critical. When a technical person speaks to someone who isn’t, they often use a lot of jargon and acronyms. As the other party takes in this information, they may say little. The body language, however, may say more. They may become guarded or disinterested. This matters because your cyber professionals are talking to their clients (whether internal or external). If they shut down because they don’t understand what the person is saying, it’s not good for anyone. It causes silos between groups, and no one knows the biggest priorities.

There can often be inconsistencies between spoken words and body language. Facial expressions that seem to contradict the words being said, or a failure to make eye contact, indicate the person isn’t comprehending the message. That’s not a good place to be with cybersecurity. This can happen between co-workers and between cybersecurity professionals and leadership.

Tone of Voice

Another aspect of Mehrabian’s 7-38-55 theory is tone, which is 38% of the communication bubble. Tone is the way you speak, which adds context to the words. There is a variety of different tones that people use. Here are some examples:

  • Assertive: This tone represents a declarative approach where the person speaking is not amenable to moving their position. It’s often considered rude and curt and is usually counterproductive.
  • Respectful: The person speaking is careful with their words and does not let frustration or bias impact what they say. It can motivate others in the conversation to feel they are free to voice opinions or concerns.
  • Accommodating: This tone promotes collaboration and cooperation. It’s like the respectful tone but even more non-threatening.
  • Dismissive: This tone of voice is harmful in that the person speaking is flippant about the situation and anyone else’s position on it. In this category, technical folks are posturing, often speaking quickly, believing no one else could understand.

We can all relate to sentences having different meanings depending on the tone. For example, the simple response of “I don’t know” could have many connotations. An assertive tone could communicate anger. If said dismissively, it could come off as sarcastic. On the other hand, if said with a respectful or accommodating tone, it could be a starting point to go deeper and find the answer together.

Tone interpretation can lead to assumptions, resentment, and disillusionment when negative. If positive, it can change how people respond and interact. It clarifies and conveys meaning.

Active Listening

The last component of cybersecurity communication skills is the ability to be a good listener. In many cases, people listen to prepare their response, either as agreement or dissension. That’s the first obstacle to overcome. Active listening is making a conscious effort to hear the words spoken and the tone to receive the message.

Becoming an active listener takes practice, and several techniques are valuable:

  • Pay attention to the speaker by giving them eye contact and removing distractions from the environment.
  • Illustrate you’re listening with body language gestures, such as nodding, smiling, having an open posture, and encouraging the speaker to continue with comments like “uh huh.”
  • Reflect on what’s being said by paraphrasing back to the speaker (“I’m hearing you say…”), asking questions for clarity, and summarizing what you hear.
  • Allow the speaker to finish their points before you interrupt, as that only frustrates the person and creates a negative experience.
  • Be honest and open with responses, opinions, and other information in a respectful manner, even if you have differing perspectives.

Remember that your people will only improve if they take the need to change seriously and practice it consistently. Every conversation they have should include active listening!

Cybersecurity Communication Skills: More Tips and Tricks

Within each realm of communication, you now have a view of what impacts communication. Each aspect requires practice and work. Making this part of your organization’s foundation is crucial for your team to be cohesive. Here are some more tips to consider:

Encourage Transparency in Communication

Do you think your people are afraid to say things? Some avoid transparency to keep the upper hand, but others may be apprehensive because they’re concerned about questioning things. You want people to question stuff and look outside typical approaches. Thus, you’ll need to create a space to “question.” Show your employees that you appreciate and expect honesty. It can improve communication and trust levels.

Lead by Example

How are your communication skills? Do you need to practice what you preach? You have to be the ultimate example to your staff. As they see you leading as a strong communicator, they’ll realize that you are taking this seriously, and it can immediately begin to improve rapport in the group.

Ask Them to Consider Perspective

When technical people communicate with others outside the field, they should keep that person’s perspective in mind. They should think about what this person’s role is in cybersecurity. Is it to support the team? Provide funding? Manage risk? Have visibility into the threat landscape? With that perspective, your employees can better manage tone in conversations. What they say will mean different things to different people, and making these adjustments drives better communication.

Communication Is the Most Vital Skill to Develop

Throughout my book, I harp on communication. The emphasis on it is deliberate because it’s where most things go off the rails. In the book, you’ll find exercises, tips, and techniques to develop your staff into effective communicators. Read it today to get started.

The Secure Methodology™ Step Four: Communication

Communication is the core of any organization, department, or process. It’s a topic I talk about extensively in the world of cybersecurity. That’s why it’s step four of the Secure Methodology and why it’s a critical aspect of every effort.

In this post, we’ll go in-depth on step four. You can read up on the first three: awareness, mindset, and acknowledgment. We’ll start with a recap of the Secure Methodology.

The Secure Methodology: Turning Technical People Into Solid Communicators and Collaborators

Before we jump into communication, here’s a recap on the Secure Methodology. It’s a seven-step process I developed as part of my book, The Smartest Person in the Room. I designed it as a guide for cybersecurity leaders to help improve interpersonal and people skills so that they can work together to combat cybercrime. It’s not about technical aptitude but rather empowering cyber professionals to look beyond the ones and zeroes by being honest communicators. It’s a reframing of cybersecurity culture to be collective and collaborative in solving challenges.

So, let’s dive into step four.

Technical Staff Aren’t the Best Communicators

It’s a total stereotype that logical thinkers are bad communicators. Except, in this case, it’s mostly true. I’m not making a blanket assertion, but I’ve been in the business for a long time and witnessed this to be accurate time and time again.

When I talk about poor communication, it’s not that someone isn’t articulate or functions with a limited vocabulary. It also has nothing to do with intelligence. The problem is that there’s a communication gap between technical people and company leadership. It’s so bad that they might as well be speaking another language, and they kind of are with geek speak and jargon.

Why do they do this? Well, it helps them validate to themselves that only they know about the technical world. Those who are outside of it couldn’t dare understand what they do. It keeps them in a place of feeling superior. They’re in this club, and no outsiders are allowed. Except those outsiders are running the company and hold all the budget dollars. When technical workers fail to communicate effectively, they alienate their internal or external customers.

Keeping Geek Speak Alive Assuages Insecurity

At the core of geek speak is insecurity. Most technical people believe they hold the title of the smartest person in the room. If they have this “coded” language, few can make sense of it, so there’s less chance that someone will push back. Speaking in normal terms could expose the fact that they aren’t sure, which would be the worst thing for these people. They never want to admit that they don’t know.

Different stakeholders may request that they simplify the message around cybersecurity because it impacts more than just IT. Cyber attacks are considered a primary risk for any business, so their management and impact are enterprise-wide. All tech people will take away from this is that they need to dumb it down.

Another issue is that cybersecurity training and certification reinforce this by providing pages and pages of acronyms to memorize. Every industry has its shorthand, but this is taking it to a new level that’s not consequential to their ability to be equipped cybersecurity professionals.

Communication also has much to do with listening, just as much as talking. Most technical people don’t score well here, either.

Poor Communicators Are Poor Listeners

Being an effective communicator isn’t just about what you say and how you say it. It’s also about listening! In a fast-paced, dynamic world, attention is fleeting, and the consequence is people who don’t pay attention. It can be hard to stay present and observant.

In addition, many people only listen for agreement or rebuttal. They aren’t taking in what someone is expressing and are simply waiting to give their response, either in agreement or to dispute and argue.

Without active listening in cybersecurity, we can’t fully understand the problem. That creates massive challenges in the field.

Dysfunctional Communication Has a Major Impact on Cybersecurity

As I’ve said, we (the good guys) are losing the cybersecurity war. The defeat isn’t because technical skills, innovation, or tools are subpar. I’d argue it has more to do with the fact that communication is in a state of brokenness. It goes back to the gap referenced above.

If technical people aren’t more inclusive with language to decision-makers, they aren’t likely to get the responses they expect or need. The excuse of “they just don’t get it” isn’t helping matters. They have to get it. If they don’t, then risk increases and resources decrease. That’s the crux of the communication gap between technical people and company leaders — they need to speak about cybersecurity in terms of risk to the business.

Leaders want to protect data and networks. They realize the threat landscape is widening with cyber-attacks in the daily headlines. This group knows that if it happens to them, it will cost them a lot of money and harm their reputation. They are hungry for the facts but not in sentences that don’t sound human. It’s the responsibility of technical teams to express risk and threats in a way that makes sense to anyone and what steps need to be taken to mitigate them.

That becomes the hardest part — getting technical people to first realize their communication is ineffective and then get them on board to make changes.

Why Technical Employees Struggle to Evolve Communication Styles

As noted, the jargon and tech speak are a place of comfort for cyber professionals. They act as a veil over uncertainty. They are also logical creatures that see their work as black and white, so they immediately think they don’t need to improve communication or people skills. They know what’s best, and all the non-technical folks can’t grasp the fundamentals.

Continued thinking in this way will only lead to failures and mistakes. To be a great communicator, you have to be flexible, which seems foreign or negative to them. It’s very uncomfortable for them to be vulnerable in their communication because it might reveal that they don’t know everything. Of course, they don’t because no one does, but change is even more challenging if people can’t see this as a possibility.

So, what can you do in a leadership position to incite people to embrace transforming their communication styles?

How to Support Technical People on a Journey to Being Better Communicators

If your technical team improves its communication skills, it can be the best weapon you have in the cybersecurity war. It’s more potent than new technology or the highest technical aptitude. Here are some key things that can make a difference.

Remember Awareness

Awareness is the first step of the Secure Methodology and is something to revisit. Communication isn’t effective without listening. But you can’t do that until you have a level of awareness, which requires putting yourself in the shoes of others. So, encourage them to practice awareness with communication.

Reframe Objectives

Communication is effective based on the result. The point of communicating something is to receive a response. When you reframe the concept for technical people in this way, they can have an “aha moment” as they understand the results and objectives.

Simplify the Message

There is always a way to simplify the point. Technical people don’t need the comfort of their acronyms to emphasize what matters. Instead, urge them to consider who they are discussing subjects with and how to express things in a way that translates to the non-technical people of the world. They need to refrain from going into cyber talk because they aren’t going to get the result they need or expect.

Bring it back to the purpose and the idea of building rapport with others. Remind them that listening for insight helps everybody. The bad guys aren’t sitting in the room with them — the people who can help them are.

Foster a Culture That Appreciates Communication and Sharing

Another part of improving communication is ensuring you create a culture that welcomes it. Your people need to know that if they are trying to share information effectively, you will support them. They’ll certainly make mistakes and revert to old habits, so you’ll want to remember acknowledgment factors — praise them when they communicate well. When they don’t, speak to them privately.

If you create a team that is certain you welcome change, they may be more apt to try harder. Remember, these people don’t like to fail and crave certainty. Of course, change disrupts these patterns, but they’ll do much better if they feel you have their backs.

Moving Forward: Communication Is the Center Point for Cyber Success

Communication is really part of every step of the Secure Methodology. It’s that essential, and it will come up again and again. By focusing on it, your technical people can make great strides in their journey to be better at their jobs and life. You can find more strategies along with exercises to build communication skills in my book, The Smartest Person in the Room, available now, or in my People Skills for Smart People course.

Why Communication Aptitude Is the Number One Soft Skill Cybersecurity Professionals Must Possess

Having effective communication skills is an asset in any career, even cybersecurity. It’s a soft skill that nicely complements technical ones. Having communication aptitude is a must for cybersecurity professionals. Without this cybersecurity soft skill, a lot can go wrong.

Poor communication and interpersonal skills are often the roots of cybersecurity incidents. That’s a theme in my book, The Smartest Person in the Room. Unfortunately, some organizations may not see the value in developing communication because they believe cybersecurity is black and white. It’s not. It’s many shades of gray filled with assumptions and a lack of understanding. These things breed when communication isn’t consistent and clear.

The question becomes how to improve communication and make it a priority. In this post, I’ll explain why technical people struggle with people skills, why they need them, and how to develop them in your team.

Why Cybersecurity Professionals Struggle with Communication

My perspective on the struggle comes from years of being a cybersecurity leader as well as research. The points I make are in no way a denunciation of the field. I’m just here to help organizations improve by having employees with well-rounded skill sets.

Here are the key reasons cybersecurity teams have a hard time being excellent communicators.

They Are Afraid to Look Vulnerable or Incompetent

One thing that’s necessary for healthy communication is asking questions. Cybersecurity professionals rarely do this for fear they’ll look like they don’t know everything. They’ll make assumptions and fall back to standard ways of resolving issues. That’s not effective in a dynamic and ever-changing landscape with new threats always on the horizon. Fear keeps these people from discovering what they don’t know, which increases risk.

Technical Folks Never Want to Be Wrong

Instead of facing the fact that everybody is wrong at some point, cybersecurity professionals cling to certainty. Except certainty is impossible in the field. This, combined with never wanting to be wrong, prevents healthy communication.

Misconceptions That Technical People Don’t Need to Be Great Communicators

There’s a deep fallacy that exists in technical jobs. The prevailing misconception is that technical people don’t need to be great communicators. They’ll let their technical skills do the talking. But they really need to engage in conversation to improve their technical aptitude and do their job effectively.

Lack of communication sinks cybersecurity. It doesn’t just apply to the technical person’s inability to have productive conversations. They also don’t actively listen when others share their insights, opinions, or other information. They only listen to respond in a defensive posture, so they don’t hear what the other person is conveying. They are only planning their rebuttal.

We’ve touched on the need for cybersecurity communication skills. Next, we’ll dive further into why they are so critical.

Why Do Cybersecurity Professionals Need to Be Effective Communicators?

At a foundational level, cybersecurity professionals need to be effective in their communications because, without that, they are part of the problem. Data breaches, ransomware attacks, and other cybersecurity failures are often directly tied to poor communication. It’s not that you didn’t have the best technology or strategy. It’s that your people didn’t talk to each other or anyone else!

Here are the other reasons why technical roles need these soft skills:

  • It improves transparency in operations, which typically leads to a greater understanding of the threat landscape and greater trust among teams.
  • Healthy, consistent communication supports problem-solving. That’s a big part of a technical person’s job, and teams can’t excel at this without proper discussions.
  • Good communication builds trust and respect among teams, and that’s essential for their ability to solve cybersecurity problems.
  • Soft skills allow people to be more adaptable to change, and cybersecurity is full of that. New people and threats come into the ecosystem routinely. Without flexible communication skills, adaptability remains low.

Current Communication Styles Are Often Off-Putting

Some of your cybersecurity employees may be talkers. Again, that doesn’t make them great communicators. The style they use is often off-putting and aggressive. They like to use a lot of jargon, which doesn’t mean anything to people outside their technical bubble.

They approach communication in this way because it makes them seem superior. It also covers up their lack of comprehension. The strategy is to make communication so technical and abstract that non-technical people will simply defer to them and end the conversation.

This type of speak can also impact how technical people work together. Because cybersecurity is so broad, there are many roles, and they all have their own “language.” As a result, communication failures happen here, too.

When they learn these soft skills, it can change the dynamic completely. However, communication isn’t just about what you say. It also includes body language and nonverbal cues. Those are just as critical as words.

The 7-38-55 Theory of Communications

Mehrabian’s 7-38-55 Theory of Communication highlights that it’s more than just words. The principle states that communication is 7% word choice, 38% tone of voice, and 55% body language.

This is an important concept to share when helping people evolve their communication styles and how they interact in conversations. It can also make them more aware of their tone and body language, which may be causing a barrier. Awareness is the place to start when you begin to navigate communication skills.

Such a theory also taps into technical minds. Communication isn’t just some soft skill. They can recognize its power in influencing how they work and why it could mitigate risk.

Once you have more awareness, you can begin implementing plans to improve communication. The process will take time and commitment. What you get in return is well worth the work.

How to Improve Cybersecurity Soft Skills

We’ve looked at the why and how of communication failure. Now it’s time to talk about how to fix the problem. That’s not an easy road because you’re up against a resistance to change. That resistance often consists of your people being unaware of the communication issues.

Thus, they have to become aware before they can work toward adapting behavior.

Encourage Self-Awareness

Technical people have to get out of their own way, so to speak. They need to be self-aware of how they communicate and why it’s an issue. This requires introspection and a new perspective.

In The Secure Methodology, the framework from my book, Awareness is the first step. In that chapter, I offer multiple ways to help your people through this transition.

Demonstrate the Importance of Communication

If you want your team to be better communicators, you need to make it a priority and lead by example. If you can point to specific communication breakdowns and their consequences, it’s no longer this intangible thing. Now it’s in front of them, and that’s impactful to those who are more logic-based in their thinking.

Champion Active Listening

Technical people who master active listening perform much better than those that don’t. In every conversation we have, we may hear the words but not really absorb and comprehend them. It goes back to the earlier notion of people just listening to prepare their response.

Providing guidance and exercises on how to listen actively can make a difference. As with any change, your team has to be willing and able to adapt.

Make Perspective Key to Communicating

Perspective is another challenge in communication. Often people have no way to see anything other than from their own eyes. That impacts how people collaborate and solve problems.

If you can guide people to open up their perspectives, better communication is more likely. In my book, I spend a bit of time talking about perspective and the best ways to approach it.

Tap into Their Motivation

Everyone has different things that motivate them to change (or not). If you can understand their motivation and make it part of their awareness, communication will improve. It can also help people think with their hearts and minds. Motivation doesn’t have to be altruistic for this to work.

Coach People to Be Flexible

Being flexible and adaptable is critical to becoming a successful communicator. Technical folks usually aren’t either of these. However, that doesn’t mean they can’t be, and it will serve them well in a dynamic landscape like cybersecurity. You can coach your people to be more agile with the right strategy. You’ll find tips and exercises to do this in my book.

Through exercises and the development of soft skills, your team can embrace flexibility. When they do, it can be a turning point in their success and performance.

Help Your Team Master Cybersecurity Soft Skills

Setting your cybersecurity team up for success depends a lot on their communication soft skills. If they hone and develop these, they’ll be better at their job and more engaged. It’s also a skill that can have a profound impact beyond their career.

There will be challenges in evolving people. The exercises, tips, and strategies presented in my book, The Smartest Person in the Room, can help. Get your copy today to start the journey.

Check Out The Smartest Person in The Room

The Secure Methodology™ and Cybersecurity Leadership

The advent of technology makes it easier for us to communicate with our staff and improve our business processes. However, it can also be a major risk to our organization: Hackers are lurking in every corner, waiting for the right time to steal information from us.

We need to strengthen the skills of our technical staff by utilizing The Secure Methodology. Through The Secure Methodology, we can help our staff improve their communication skills and encourage them to lead with their hearts and intuition, rather than just their logical minds.

Generally speaking, The Secure Methodology is a step-by-step guide designed to help us improve interpersonal skills so we can easily practice honest and effective communication. The Secure Methodology also promotes more in-depth understanding, allowing every person in the organization to be on the same page and work together towards a common goal, such as stopping cybercrime.

Benefits of the Secure Methodology

Cybercrimes are common worldwide, which is why it’s important for organizations to take preventive measures. The common strategies used by organizations today aren’t flawless as the number of cybercrimes continues to increase worldwide.

The Secure Methodology is different from other existing strategies because it leads us to better results that do not require more investment in technologies or cybersecurity frameworks. Here are a few of the benefits:

  • Better security: By practicing the seven steps of The Secure Methodology, we’ll have peace of mind knowing that our organization and all our trade secrets are less vulnerable to cybercrimes. The Secure Methodology provides for a better understanding and mitigation of risks to protect our organization from hackers worldwide.
  • Cost reduction: Losing vital information costs us money out of pocket. How can we continue producing products if our trade secrets are stolen? How can customers trust us if their information is in the hands of hackers? When we practice The Secure Methodology in our organization, we reduce costs associated with cybercrimes. Instead of spending money to minimize the effects of cybercrime on our organization, we can use it for other areas that can help our business improve and grow.
  • Develop total intelligence: One of the biggest benefits of The Secure Methodology is helping leaders in the organization develop and lead with total intelligence. Through The Secure Methodology, we can learn to lead using our people skills, as well as our hearts, logic, and intuition. Being able to use different types of intelligence will make us better leaders and more equipped to combat cybercrimes.

The Secure Methodology isn’t just about helping our technical team prevent cybercrimes; it also teaches us different strategies to help improve ourselves and our organization in the long run.

Why the Secure Methodology Was Written

The Secure Methodology was written as an attempt to improve teamwork and cybersecurity in an organization. Yes, there are countless techniques that are meant to help organizations fight against cybercrimes, but not all of these are effective. In fact, looking at the cybersecurity status quo, we see that cybercrimes continue to affect organizations regardless of the size and nature of their business.

The Secure Methodology reinvents how organizations improve and also protect themselves from cybercrimes. Instead of merely using logic and intelligence in combating cybercrimes, the Secure Methodology aims to beat cyber criminals by developing the holistic skills of the staff and by using logic, emotion, and instinct equally.

Moreover, the Secure Methodology helps leaders get their technical people to strengthen their people skills and encourage them to lead with their hearts and instincts. Once we can accomplish these goals, we can quickly improve communication skills, making it easier for the organization to discuss issues and fix them as soon as possible.

The Secure Methodology allows leaders to know where their people are coming from and what kind of help their staff needs when issues arise. When we know what the world looks like from their perspective, we can provide solutions that address the root cause of the problem.

Overview of The Secure Methodology 7 Steps

1.    Awareness

Awareness has two aspects: self-awareness and the awareness of others. As the name suggests, self-awareness is about understanding our behavior or the behavior we can control. Even as a single human being, we should keep in mind that we impact the world around us, which is why we should be mindful of how we interact within it. For example, how, when, and where we frown or smile can significantly impact someone, and we should be aware of it.

Technical individuals and humans in general struggle with self-awareness because we often fill our lives with stimuli, namely social media and games. This removes the time needed to reflect on our actions. Leaders like us also face the same dilemma: we might show up in a meeting in a negative mood, not thinking how this demeanor can impact our staff and their progress during the day.

Being aware of others is also an important part of the Secure Methodology. When we’re only aware of our own actions, we’re not only being self-centered; we are also not helping solve problems in the organization.

For example, if we see a staff member crying at her desk, it’s best to ask her how she’s feeling instead of making an assumption. Making assumptions and being unaware of others’ emotions will likely make us angry and confrontational, making the situation worse.

2.    Mindset

There are also two types of mindset often exhibited by staff in an organization: growth and fixed. Individuals with a fixed mindset believe things are the way they are, and they’re no longer capable of changing. For example, technical staff with a fixed mindset in an organization may often claim, “I’m not very good with people.”

Conversely, someone with a growth mindset will say, “I understand I have challenges working with people, but I’m confident that I can get better.” With a growth mindset, a person understands what they’re struggling with and is open to learn and make changes.

3.    Acknowledgment

Acknowledgment in The Secure Methodology covers a lot of items. For starters, we should encourage our technical staff to focus on self-acknowledgment. Instead of letting them think that they’re not good enough, we should encourage them to acknowledge that their skills are vital to the organization.

Acknowledgment is also important for leaders like us. When we want our technical team to improve their behavior at work, we should acknowledge everything that they have accomplished in the past and let them see what they can do if they gain more skills. This will prevent them from shutting down and motivate them to change.

4.    Communication

Communication is about how we interact with our staff and the type of language we use. In short, communication isn’t just about the words we use; it’s also about our body language and tone. We also need to keep in mind that the meaning of communication is the response you get.

It’s common for technical staff to miss out on body language or tone and only focus on the words being communicated to them. This is problematic and often leads to issues when communicating within the organization. As leaders, we should help our technical staff understand different communication patterns and body language displayed by the speaker. We also need to train our team to listen better, rather than just waiting for a gap in the conversation to speak.

5.    Monotasking

Technical staff in an organization have to accomplish different tasks regularly, but this doesn’t mean they should do everything in one sitting. Multitasking has been hyped for so long, yet following this concept at work doesn’t guarantee better or more outcomes. In some cases, attempting to take on several tasks at one time will only result in anxiety and many unfinished projects.

As part of The Secure Methodology, we should highlight to our technical staff the importance of working with one task at a time. When technical staff practice monotasking, they can easily produce quality work because their focus is poured into one task only.

Monotasking also helps with communication, because if you are monotasking during a conversation, you are present and listening better.

6.    Empathy

It’s common for technical people to think that they’re the only individuals in the organization with problems, and everyone else has it easy. However, this kind of mindset is self-centered and somewhat narcissistic, which can only lead to bigger problems when left untreated.

When our technical staff is self-absorbed, they’re at greater risk of developing depression. Their lack of connection to other people will also make it very challenging for them to collaborate in problem-solving.

For The Secure Methodology to work in our organization, there should be empathy across all levels. Our technical staff shouldn’t jump to conclusions immediately. Sure, their role in the organization is challenging, but this doesn’t automatically mean that the other staff has easier roles to play.

As leaders, we should teach our technical staff the importance of empathy by helping them understand that other people also have different challenges and that they shouldn’t quickly judge others because they have different situations.

7.    Kaizen

Kaizen is a term that means “change for the better,” which is the ultimate goal of The Secure Methodology. If we want to improve our organization’s cybersecurity, we should establish a new process and examine it continuously. Constant and never-ending improvement (CANI) is an essential ingredient in achieving goals, no matter how big or small.

Key Takeaway for Each Step

  1. Awareness means we should be conscious of other people’s behaviors and why they behave in a certain way, just like how we want other people to be conscious of how we are.
  2. Without the right mindset, it’s challenging for any of our staff to change and grow. As leaders, we should believe that every single person in our organization has the capability to change. It is also our responsibility as leaders to remain committed to change. Change doesn’t happen overnight; we must also have the right mindset to commit to change.
  3. We should acknowledge our technical team every time they make the slightest progress in their behavior at work. This will encourage them to permanently adapt to positive behavior and grow more in their field of expertise.
  4. Communication plays a vital role in the relationship of every staff member in an organization, which is why we should ensure everyone regularly practices open and honest communication. Aside from making sure that everyone is provided with various communication channels, we should also teach the importance of tone and body language and how this can help us understand the speaker better.
  5. Most technical staff don’t know how to monotask, and it is up to us as leaders to change that behavior. When our technical staff focuses on one task at a time, they can produce more and better output during the day. Knowing how to monotask is also an excellent way for our technical staff to look after their mental health as they can keep anxiety and stress at bay.
  6. Every individual in the organization deals with some type of challenge. Instead of judging others based on their behavior, we should put ourselves in their shoes and understand where that person is coming from. When everyone in the organization knows how to empathize, the team generates better results.
  7. When our organization tries something new, say improving our cybersecurity, we can’t expect to succeed during the first, second, or even third try. Kaizen is the understanding of this process and the encouragement to continue trying. To get desirable results from our efforts, we need to practice regularly and not just dabble.

Short Activity for Each Step

  1. One activity to broaden the awareness of our technical staff is to let them reflect on what happened to them on the previous day and instruct them to imagine themselves as if that were their last day on earth. When they know they have limited time to live, they would likely treat others the way they want to be treated.
  2. Keeping a journal is a great way to develop a growth mindset within our team. We can encourage our team to journal every day for a month about the things they’re grateful for and the things they’ve learned. After 30 days, we can meet as a group and then discuss how everyone has grown in a month.
  3. One simple way to acknowledge the progress made by the team is to keep a cookie jar filled with notes about their accomplishments at work. When anyone in the team feels discouraged or hopeless, they can easily get notes from the cookie jar to remind them of what they’ve accomplished in the past and what they can do if they continue to strive.
  4. To improve communication within the team, teach them the fun NLP eye pattern trick. The eyes are the closest organs to the brain, and where a person “looks” (whether to the right or left) when they’re trying to access information can determine if they’re lying. Check out this diagram.
  5. Dividing our team’s day into time blocks will allow everyone to work on things that matter the most. We can simply let them list the tasks they have during the day and arrange them in time blocks so they’ll know what to work on during a specific timeframe within the day.
  6. One activity to teach our technical team empathy is to have them pair up and have each person make assumptions about the other and then have them discuss their similarities. This activity will help our technical team stop making assumptions about others and encourage them to look for similarities. This will eventually help them develop their empathy.
  7. Kaizen focuses on reflection and never-ending growth, so we can have our technical team keep a workday reflection journal to write down their challenge or win during the day for a week. Then, we can schedule one-on-one meetings with them to discuss what they wrote in their journals and discuss how we can improve their weaknesses or challenges.

Anyone who is interested in learning more about the Secure Methodology can get the book or enroll in its program.
