How to Create a Culture of Innovation in Cybersecurity

Creating a cybersecurity culture isn’t a novel idea. It’s one that’s been around for some time, as the field and organizations realized that cybersecurity isn’t just about tools, protocols, and technical aptitude. Culture is much more about the people and, as a result, is much harder to build and sustain. People are unpredictable and don’t always have the skillsets to participate in culture. There’s an additional dimension to culture, and it revolves around innovation. So, how do you develop a cybersecurity culture of innovation?

If it’s not a question you’re asking yourself as a cybersecurity leader, I would suggest you should. Innovation is the enemy of complacency. However, it requires cyber teams to look beyond their technical aptitude and leverage soft skills, which they may not have. It can seem like an uphill battle, but it’s worth considering the benefits it can bring your staff and business. Those advantages include satisfied employees, mitigation of risk, and the ability to meet continuous improvement goals.

So, let’s talk about fostering innovation in your cybersecurity culture.

What Is a Cybersecurity Culture of Innovation?

At the foundation of culture are people and behaviors. If those whose job is to protect data and networks have a closed mindset, fail to evolve their conceptions, or believe they are the smartest people in the room, culture will always be toxic. In these cases, risks become greater, turnover is high, and communication is nonexistent.

Conversely, a healthy culture has open-minded participants who want to work together effectively and continuously learn. That is an environment where innovation can thrive. It’s a place that welcomes new ideas, which can lead to a better security posture, engaged employees, and greater productivity. In this scenario, everyone benefits.

As you assess your current culture, you probably have gaps, some more than others. Filling those gaps aligns really well with the Secure Methodology™, so I’ll be referring to that as I describe the steps to take. The Secure Methodology is a seven-step guide for cybersecurity leaders to leverage to develop the people skills of technical folks. These steps don’t focus on cyber skills but rather interpersonal ones, which is the core of culture.

Building a Culture of Innovation

No matter where you’re starting in the culture journey, these pivotal elements will be necessary to propel your organization into one that’s agile, forward-thinking, and connected. Here are the areas to help you formulate a plan.

Cybersecurity Culture Involves Three Different Levels

When considering any culture configuration, there are always three levels to consider, from the top to the individual. While they have different roles in the organization and responsibilities around cybersecurity, they must work together to maintain a culture.


This segment is the c-suite, including the CEO and CISO. They must lead by example if they want the culture to permeate. They make the top-level decisions, but those decisions don’t happen in a vacuum. They need to understand risk and how cyber operations work, which requires clear, consistent communication from cyber teams and individuals. Unfortunately, communication is often the skill most lacking in technical employees. If those who set the strategy and budgets are only fed geek speak, culture leadership is working with a handicap.

Communication, of course, goes both ways. When leaders set a precedent on how they expect communication to flow, it can break down some barriers. In the end, the c-suite needs communication development, as well. It’s especially true regarding what questions they ask, which should be more granular than they might currently be.


Your cyber team comprises people with various skill sets, experience, and expertise. If they can build a coalition that taps into this, they’ll be in a good place regarding culture. However, we’re talking about behavior, communication, and cooperation. Those things are usually the Achilles’ heel of any cyber team.

Evolving the team dynamic is a big part of the Secure Methodology. Its guidance takes into account the typical lack of people skills and how that impacts cybersecurity culture. Too often, your team operates in silos and wants to continue that way. Many times, it’s about a fear that others will find out they don’t know everything. Except that admitting you don’t know everything is precisely the mindset you need to innovate!

When working on culture at this level, the Secure Methodology is an excellent framework that you can use to cultivate communication skills, awareness, empathy, and more.


The last layer of culture is the individual. What applies here is similar to the team level with caveats. The biggest of those is motivation, as each person has their own. At this level, as the leader, you must make specific connections to understand that individual’s capacity to change and grow. It’s the most challenging part of cultural shifts, and not every person on your team will be ready for this.

The Secure Methodology includes exercises throughout the seven steps to assist with this. How each person reacts to these will determine their long-term cultural fit.

Now that we’ve looked at each level of culture, here are some more tips you can use to further the pursuit of innovation.

Find Cultural Evangelists

Within your cyber staff, you’ll find those who are all-in on cementing an innovative culture. These people already have a good base of people skills and will prosper in this new dynamic. Assign those employees to be cultural evangelists. They can work together to develop training and upskilling opportunities. Since it’s coming from their peers, others may find this more inviting and appealing.

Define the Language of Innovation

Earlier, I discussed the issues in communication among cyber professionals and mentioned their love of geek speak. Many use this language because they don’t want to reveal their weaknesses or limitations. It’s your job to banish this language and identify what the tenets of communication should be, which can include:

  • Eliminating jargon that has no purpose
  • Encouraging and promoting active listening skills, which are just as important as language
  • Using inclusive language so that individuals outside cyber teams can understand
  • Reframing communication as a way to reach a result that technical people can relate to
  • Simplifying messaging
  • Praising positive communication moments to reinforce their value
  • Outlining how clear communication leads to innovation

Transform Fixed Mindsets into Growth Mindsets

Mindset is the second step in the Secure Methodology, and it is critical to culture. People either have a fixed mindset or a growth mindset. You, of course, want professionals with the latter. That doesn’t mean those with fixed ones can’t evolve and grow, but it does take work.

A fixed mindset hampers your organization’s ability to be proactive and forward-thinking in security. These folks don’t want to innovate because innovation is too unknown and uncertain. A fixed mindset will also erode culture. Here are some key steps to transform mindsets:

  • Coaching and reflection: When communicating with a fixed mindset, asking the right questions matters. You need to take them back to a moment when their fixed mindset was a barrier. Such a moment could instigate reflection and more awareness of their behaviors.
  • Asking why: Again, questions posed to these folks can create aha moments. There’s an exercise called the 7 Levels Deep Exercise, which I recommend. It will help uncover motivations.
  • Praising mindset changes: The third thing to do is to acknowledge and recognize when you see mindset shifts from fixed to growth. Something as simple as this can make a significant impact on future behavior.

To round out this discussion, I want to leave you with some additional insights into innovation and security.

Innovation and Security Aren’t Foes

One of the biggest misconceptions in the cyber world is that security is a barrier to innovation. Such a perspective is dangerous to your culture and ability to defend data and networks in the cyber war. Security does not impede innovation. In fact, they work together very well with the proper perspective.

It’s not unlike the principles of DevSecOps, where development, security, and operations convene. In this strategy, security is part of the conversation from the beginning. It has equal weight with development and procedures, as it should. You cannot have innovation without security. Innovation, at its core, is about devising solutions that enable better results. If security is outside the innovation bubble, you may have a good idea, but it won’t come to fruition. It won’t be deployable and scalable.

So, you must build the case that they both can coexist harmoniously and should always have a link. Otherwise, you’ll waste time, money, and resources. If you leverage the tips and ideas from this post, you can easily demonstrate how vital security is to innovation.

If you’re ready to build your culture of innovation, you should learn more about the Secure Methodology, which you can find in my book, The Smartest Person in the Room. Additionally, I have a Secure Methodology course, which delves further into the seven steps. Check them both out today.

How to Hire Cybersecurity Professionals to Ensure Success for the Organization and the Employee

Hiring practices are different for every field, and for cybersecurity professionals, there are many opinions. In a growing and evolving industry, some standardization exists, including a significant focus on certifications. But do certifications equal talent? Not always. As a cybersecurity leader with years of experience building teams, I want to teach you how to hire cybersecurity professionals so they and your organization can be successful.

The Failures in the Hiring Process

The number one failure by cybersecurity hiring managers is blindness around certifications. Certifications should illustrate skillsets and experience; however, as I write about in my book, The Smartest Person in the Room, over-dependence on them leads to retaining paper tigers. Paper tigers are the folks who look great on paper but aren’t ready for the real world of cybersecurity.

Why Certifications Don’t Hold Too Much Weight

The problem with cybersecurity certifications is that their structure isn’t conducive to training people to be job-ready. Many are designed around a quick multiple-choice test, which anyone can memorize for. It’s not like a skilled trade, which requires hours of training or apprenticeships.

The rush to earn certifications accelerated because of the constant talk of a talent shortage in the industry. That shortage is certainly real, but many saw it as an opportunity to obtain a piece of paper that would lead them to a lucrative career.

Most certifications don’t test for practical, real-life skills in cybersecurity. Some are credible and mix hands-on experience with testing, such as CompTIA and EC-Council. So, if you’re going to look at certifications, investigate what they really mean about that candidate’s acumen.

Hard and Soft Skills Matter

Another area to discuss in hiring cybersecurity professionals is seeking a broad skillset. Cybersecurity is a technical field, so the person you’re interviewing should certainly understand:

  • Penetration testing
  • Ethical hacking
  • Incident response
  • SIEM (security information and event management) tools
  • Audit and compliance rules
  • Malware
  • Device management
  • IAM (Identity and Access Management)

These are all essential hard skills. Certifications and job experience can offer evidence of these. The questions you ask can as well (more on this in the best practices section).

However, don’t focus solely on hard skills. There are lots of great candidates out there who might fall short on an exhaustive list of technical prowess. If they have soft skills and an open mindset, they could be an excellent hire.

These soft skills should be on your radar when hiring cybersecurity professionals:

  • Leadership qualities: Gauge their ability to lead, no matter their career level. Cybersecurity is an intense field and having leaders on your team means they look at the big picture strategically.
  • Passion: One of the things most lacking in cybersecurity teams is passion. I firmly believe that the enemy — hackers — are deeply passionate about what they do, and that’s why they win a lot of the time. If you can find people that have a fire in their gut to learn and grow, they will care very much about keeping your data safe and secure.
  • Collaborative: Cybersecurity professionals shouldn’t work in silos. There are many specialist roles within the field, so it takes a team to execute a strategy and remain vigilant. Lean toward those applicants that appreciate collaboration and want to work in that kind of culture.
  • Communicative: Communication can be challenging for technical professionals. It’s a bit of a stereotype but also true. Being a good communicator isn’t about being articulate or having a large vocabulary. Rather, it means someone is a good listener and that they use communication to understand, show empathy, and work together. There are many ways to foster communication skills for tech folks, and I talk about this a lot in my book.
  • Curious and inquisitive: Cybersecurity professionals should not be afraid to ask questions. Only through these can they determine the organization’s needs and challenges around security. Some people don’t ask questions; they make assumptions. It doesn’t mean they aren’t talented. In fact, much of the time, those in this situation learned this from life experience. Having a curious nature is a great trait for cybersecurity candidates, and you can assess it by the way they interact and whether they actually ask you questions during the interview.
  • Empathy: Empathy is an attribute that’s an asset in every job. I find it’s constructive in cybersecurity because it enables people to be in the shoes of another and see their perspective. People who can do this can go far in their careers. There’s no substitute for empathy in professional or personal relationships. You can evaluate this characteristic by how the candidate talks and frames situations.

These are outlines of hard and soft skills and not an exhaustive list, but they are good points to consider as you rethink how to hire cybersecurity professionals. Next, I’ll share some best practices for hiring managers.

Best Practices for Cybersecurity Hiring

Whether you’ve been a cybersecurity manager for years or are just starting, this advice can support your recruiting efforts and help you avoid hiring unqualified people. Because once you do, it can become a bad cycle. Ultimately, you want to hire people that have the right skills and fit your culture. Success for all should always be the goal.

Recognize Past Mistakes

If you’ve been recruiting for some time, I would first recommend recognizing past mistakes. We’re all human and make mistakes. What’s important is we learn from them and do better the next time. The reality is that bad hiring hurts everybody. Turnover costs your company real money, and the effect of hiring candidates that are lacking could lead to expensive errors. So, face your past gaffes and go forward without those dragging you down.

Have Real Conversations with Candidates

An interview is a chance for the candidate to sell themselves. Most interviews are very rigid, with detailed questions or checklists. I’m not saying you should toss that out, but this is your chance to get to know the person and vice versa.

Having a natural conversation that touches on who they are and what they know will allow them to feel less nervous and be vulnerable. They may be more honest and introspective, and you can learn a lot about somebody when this happens. You’ll never find that on a resume.

Use an Assessment Tool

In my company, I use the TriMetrix HD. Such a tool allows you to discover important things about an applicant:

  • How they behave and communicate
  • Why they move into action
  • What personal talents they have
  • Which competencies they have mastered, and to what degree

These aren’t technical tests. They give you insights into soft skills. It’s a good next step in the process after you determine they have technical acumen.

Screen Out Job Hoppers

I typically eliminate job hoppers from the applicant pile. This is not a hard-and-fast rule; some people with multiple shorter job histories may have been the victims of layoffs or acquisitions. However, in this field, job hopping is rampant. Most of the time, if somebody is changing jobs every six to 18 months, it’s a red flag. If that looks to be the case, you should probably move on to others.

Don’t Rush Hiring

In many cases, the need to hire cybersecurity professionals is urgent. You needed somebody yesterday, but don’t let that guide you. You’ll make rash decisions that may not pan out just to have a body in a chair. Instead, have a strategic plan that will lead you to the right people. It will take longer, but it’s worth it in the long run.

Ensure Candidates Align with Organizational Values

Most companies, big and small, have a set of company values. Hopefully, these are more than in name only. Your values create your culture. The expectation is that your employees live and respect these.

You can ask candidates questions about your values. Talking about your culture and its attributes with the person should also give you insight into if they believe in them. You can find someone with amazing tech skills, but the employment will likely not last if they aren’t a good culture fit.

Seek Out Those with Great Focus

Monotasking is a pillar of my Secure Methodology, a framework for nurturing and fostering cybersecurity professionals to have better habits and behaviors. Monotasking is the opposite of multitasking and requires focus, which is very important in cybersecurity. You can tell a lot in body language about focus. Another way to assess for it is to ask them how they work. Those who see the value in monotasking could be great team members.

Cybersecurity Hiring: Get It Right So It’s Mutually Beneficial

Cybersecurity hiring can be challenging. There are many considerations — things to do and not to do. Focusing on hard and soft skills, deprioritizing certifications, and implementing these best practices can help. You can learn more about my hiring advice and the Secure Methodology by reading The Smartest Person in the Room.

Why Do Technical People Struggle with People Skills? And How Can Companies Fix It?

The Secure Methodology Improves People and Life Skills

People skills are a challenge for many individuals. It’s often a combination of personality and experiences. Technical people are often categorized as lacking them. While this is not universal, it does account for some of the failings of cybersecurity strategies.

Without a robust soft skill set, these professionals get caught in a cycle of bad communication practices, a lack of curiosity, and posturing. It’s time to peel back the onion on why they struggle in this area and how to fix it.

Why Technical People Struggle with People Skills

This analysis comes from years of experience, research, and asking the hard questions. Again, it’s not a condemnation of those in technical fields. Many have a nice balance and are thriving. Through the years, I’ve met and worked with many highly articulate, open, and excellent cybersecurity experts. However, in general, this is the exception, not the rule.

In my book, The Smartest Person in the Room, I lay out the evidence for why this struggle is all too real.

They See the World Exclusively in 1s and 0s

It’s hard to communicate and collaborate with others when your world is solely 1s and 0s or very black and white. The reality is that the world, people, and cybersecurity are gray. That’s hard for some technical minds to grasp.

In a lot of technical disciplines, there is a right answer and a wrong answer. No discussion required. It’s probably more applicable to some areas of math and science. However, cybersecurity isn’t just math and science. It’s an ever-evolving field. New risks and threats emerge all the time.

Further, it requires asking questions and understanding business needs. That can send some technical folks into a free-fall. They don’t have a naturally curious nature in public, so they fall back on what they know and don’t try to find out what they don’t. They fear that curiosity in front of others may appear as a lack of knowledge or incompetence.

Insecurity Leads to Soft Skill Failure

Many cybersecurity professionals never want to be wrong — another reflection of black/white thinking. The feeling often comes because they are insecure. They cling to certainty, and interacting with other people and having meaningful conversations are too uncertain.

They let insecurity guide what they do, pushing back on the need for two-way dialogue. They’ll figure it out on their own and don’t want to entertain outside ideas. That then leads to posturing.

Poor Communication Sinks Cybersecurity

There is a misconception that technical jobs don’t require communication skills. That’s not true. Every role depends on communication, and when that’s a challenge, it’s a house of cards filled with assumptions. It’s the biggest shortfall for many technical people. It doesn’t mean they aren’t articulate or don’t have a good vocabulary. It means they can’t converse in a healthy and productive manner. Having honest and transparent communication is about listening more than talking. Unfortunately, many people aren’t good at that. These communication issues will bring down any company department.

People fail at communication for many reasons, as discussed above — insecurity, fear, a closed mind, a lack of empathy. This revelation isn’t unknown. A study on business communications found that 89 percent of respondents believe effective communication is important. Yet, 80 percent of those same people said that communication in their company was average or poor.

However, it’s not a dead end. There are ways to develop communication and other soft skills.

Fixing the People Skills Problem for Technical Professionals

For me, attaining better people skills was a personal journey. The results, however, didn’t just benefit me. They helped me create a process that any technical employee can navigate and come out the other side of.

There’s no magic fix for evolving people, and they must want to change. So, that’s a barrier for sure. If you’re going to invest in helping your team, you want to know they’re open and have a growth mindset.

What I’ve developed to counter this problem is the Secure Methodology. The following is a quick review of the framework and how it works. By employing it, people can start to see the gray in the world and be better cybersecurity professionals and experience personal growth as well.

The Secure Methodology

Step One: Awareness

The first step is about being aware of yourself and others. A lack of awareness in a professional setting leaves you with blind spots. It also causes relationship issues at work because without awareness, communication is poor, and posturing reigns.

The mind has to open itself to new perspectives to achieve awareness. That requires coaching on communication and understanding what motivates a person. There are exercises that can strengthen the awareness “muscle” and open eyes.

Step Two: Mindset

You either have a fixed or a growth mindset. Those with poor people skills are trapped in a fixed one. It’s not permanent. The key to a growth mindset is accountability. It’s no secret that a growth mindset is critical for cybersecurity. So, you must open those minds. The best way to approach it is to encourage reflection, ask the right questions, and urge quick decision-making.

Step Three: Acknowledgment

Acknowledgment in the workplace is a rampant issue. In cybersecurity, without positive acknowledgment, employees fall into disengagement and resentment. Many times, if there is acknowledgment, it’s negative, which feeds into further anger.

The other issue is that a cybersecurity team that receives no acknowledgment can’t concede their overly complex framework isn’t working. They lose the ability to simplify. To end this cycle, you should recognize their positives in the present before you expect them to master acknowledgment. You can improve this by building rapport and trust with exercises from the book.

Step Four: Communication

We’ve talked a lot about communication because it’s applicable in every aspect of nurturing people. We’ve identified the reasons why people are bad at it. Another critical factor is that technical folks like to speak geek as a sign of their higher intelligence. For those outside the industry, it may as well be another language, and technical professionals have to interact with non-technical folks. They build a wall with it instead of a bridge.

Shared language is inclusive and promotes active listening. Getting to this involves reframing and simplification, achievable through specific activities.

Step Five: Monotasking

The world wrongly praises multitasking, believing it epitomizes capability. In fact, humans weren’t born to multitask. It’s a real problem in the cybersecurity field, leading to errors and mistakes. It also creates a lot of anxiety — as if anyone needs more of that.

Retraining to monotask means that you can focus completely on one task. It can be much more productive than trying to do five things at once. Fostering this behavior includes blocking time for specific tasks and blocking out distractions (that means not answering a call, email, or text immediately).

Step Six: Empathy

A cybersecurity culture without empathy will not succeed, at least not long-term. You may wonder why it matters in technical roles. It matters in everything, really. The problem in the workplace is an us vs. them mentality. There’s no room for consideration and compassion in this model.

Empathy is a core people skill, but we’re not born with it. It’s something people develop. When it’s nonexistent, technical people don’t care about their clients or their data. Nor do they have concern for colleagues. If you’ve been able to make it through the first five steps, then you’re on a path to spreading empathy. There are also specific activities to do on the team level to develop it further.

Step Seven: Kaizen

The final step is a Japanese term meaning “continuous improvement.” In terms of the Secure Methodology, it’s the more tangible action of root cause analysis. Root cause analysis helps you understand real problems and how to improve them. That applies to cybersecurity and people skills alike. Mastering it requires constant change and adaptation, and you can’t get there without the first six steps.

Do Better People Skills Really Lead to Better Cybersecurity?

You may look at the Secure Methodology and think it sounds great in theory but be skeptical about its real-world implications. That’s fair. Again, there isn’t a guarantee, because nothing is guaranteed. What you should know is that it’s proven. I’ve witnessed it, and I can say without hesitation that better people skills lead to better cybersecurity.

If this is a path you want to send your team on because you realize the deficit of soft skills, your next step is to get the complete picture of the Secure Methodology by reading my book, The Smartest Person in the Room. In it, you’ll find activities specific to the seven steps to build the people skills they’re missing.
