cybersecurity culture

Cyber Risk and Digital Transformation: The Gap Is Growing

Digital Transformation - Cybersecurity - Christian Espinosa

Digital transformation has been at the top of company pursuits for decades. It’s a long journey with lots of twists and turns. While digitizing operations provides many benefits, from streamlining processes to ensuring consistency, it’s not without challenges. At the top of this list is the inherent, increased cyber risk. Cyber risk and digital transformation can work in harmony toward business objectives, but it requires a strong culture and strategy. Unfortunately, the gap seems to be widening, not shrinking.

As a cybersecurity leader, you have no doubt been wrestling with the complications that digital transformation presents to security. Even with a foundation like DevSecOps in place to navigate digital transformation, you may still see the two components in silos rather than centralized.

So, what’s the best step forward? Is it tools? People? Processes? Yes to all, with the people aspect being the most significant. It’s time to reevaluate where your organization is in the cyber risk and digital transformation ecosystem.

Let’s look at the challenges and risks, how to solve them, and why technical folks need to evolve their soft skills to close the gap.

The Impact of Digital Transformation on Cyber Risk

No cyber expert would dissuade an organization from digitally transforming. You are fully aware of the advantages it brings related to efficiency, productivity, revenue generation, and cost reduction.

However, digital transformation isn’t one initiative. It’s a set of them that impact every aspect of your company. When looking at it from a cyber angle, vulnerabilities emerge. Those cracks in the surface were fully exposed when digital transformation accelerated at light speed beginning in 2020. Organizations could no longer afford to move hesitantly; business necessity became the priority.

The threat surface expanded for many reasons, including:

  • Remote and hybrid work models expanded the number of endpoints
  • Increased usage of cloud infrastructure
  • Implementation of advanced AI technologies
  • The enormous amount of big data generated, collected, aggregated, and analyzed
  • IoT (Internet of Things) devices

As a result, the threat surface for cyberattacks, data breaches, and other cyber incidents grew. As a cyber professional, your perspective has been to be cautious and thoughtful when deploying new technology. The business side of your organization has been less so. That’s a collision course, and 82% of surveyed technical professionals acknowledged that digital transformation was the cause of a data breach.

Beyond competing priorities, siloed operations, and differing mindsets on security, why are digital transformation and cyber risk not on the same path?

Digital Transformation Involves More Third Parties

Digital transformation requires reliance on third parties in almost every initiative. They are your cloud providers, cybersecurity tools and platforms, tech stacks, automation tools, and more. It’s a lot to manage and can be the Achilles’ heel for any cybersecurity threat assessment.

While you can’t achieve digital transformation without third parties, you can manage the relationships better, starting with initial and continual assessments. To address the third-party risk, you’ll need to:

  • Ensure that business leaders making decisions about third-party resources consult with cybersecurity
  • Evaluate the risk and security measures of each third party
  • Communicate and collaborate with third parties on a cyber risk management program

These tenets are critical but not always easy to manage. They require both internal and external cooperation. As a result, your cyber team must be more flexible and willing to step outside their comfort zones. Without this, you risk more silos, less alignment, and greater threats.

Accountability, awareness, and communication are all crucial to third-party risk management. In many organizations, all three are weak points. They illustrate that technical acumen isn’t the defining component of digital transformation and cyber risk. It comes down to being a people problem, which is also the key factor in the next challenge: misalignment between cyber teams and business leaders.

Cyber Teams Don’t Communicate the Risk Accurately to Business Leaders

Most of the C-suite isn’t technically adept. They understand cybersecurity to a degree because they don’t want to expose the business to threats. However, they rarely receive information from technical teams that resonates. It’s not solely their fault; cyber professionals share the blame. The biggest reason for the breakdown here is deficiencies in communication and collaboration.

Cyber professionals have difficulty explaining cyber risk and the effects of digital transformation. It’s not because they don’t understand it; rather, they choose to use language exclusive to their bubble of techies. Some of that is just bad practice, but many times it’s the sign of something worse. It’s posturing and deflection from people who long to be the smartest person in the room. They don’t want to be questioned on their knowledge, and they reserve communication for demands rather than using it as a chance to explain what’s happening in the risk category.

This misalignment is prevalent, as only 16% of organizations said that IT and lines of business are in sync. If this sounds like an accurate description of your organization, you aren’t alone. Now, it’s time to turn the tide and find solutions to the challenges that digital transformation presents to cybersecurity.

Digital Transformation Sans Cybersecurity Is a Path to Disaster

If you think about what digital transformation is, it’s the development of data and connections. It’s a necessity for driving innovation, accessibility, and insights. It’s a concerted investment of time and money that yields many advantages. The concern is that it also makes organizations more vulnerable to data breaches.

With any new technology, you must assess both its opportunities and its vulnerabilities. The approach then needs to be a cybersecurity strategy interwoven with digital transformation. You can only arrive here when everyone is on the same page and practicing communication and collaboration in a healthy and consistent way. When those are lacking, you will be more likely to incur a cyber incident, which can cause monetary and reputational harm.

So, what do you do to avoid disaster? Again, it’s about the people and how well they can adapt and adjust to the new environment. Technical folks aren’t known for these qualities, but it doesn’t mean they don’t exist or you can’t develop them. Here’s how.

Applying the Secure Methodology™ to Cyber Risk and Digital Transformation

In most strategies or solutions to cyber risk and digital transformation, the conversation is about technology, processes, workflows, and tools. Those are all important, but people are the biggest problem and solution! Cyber risk and digital transformation can move back into alignment when technical professionals can improve and consistently adopt better soft skills.

In my book, The Smartest Person in the Room, I outline the Secure Methodology. It’s a seven-step guide to transforming cyber teams into aware, accountable, communicative, and collaborative individuals. When this happens, the threat landscape is not as immense and is much more manageable.

Here’s a brief introduction to the seven steps and their association with cyber risk and digital transformation:

Awareness

First is awareness, of both self and others. When awareness isn’t part of the cyberculture, relationships suffer, trust erodes, and communication is aggressive. As a result, perspective is skewed, and blind spots remain hidden. Becoming aware isn’t easy, but it’s essential to digital transformation goals and cybersecurity alignment.

Mindset

Mindset can be either fixed or growth. The latter is, of course, what you want to foster. When your team has a fixed mindset, they aren’t accountable or agile. These are vital ingredients to digital transformation progress. A fixed mindset can evolve into a growth one with the right coaching and commitment.

Acknowledgment

Acknowledgment is elusive in cybersecurity, or at least the positive kind. Technical professionals can feel disconnected and unengaged when there isn’t any from leadership. Such a dynamic can lead to digital transformation failures and greater risk. Practicing specific, positive, immediate, and constructive feedback helps the relationships.

Communication

Communication is the heart of the Secure Methodology and digital transformation. When communication is stifled, inconsistent, or absent, your organization will falter at every attempt to transform. As noted, communication must be present internally and externally. Technical folks are not the best at it, but they can learn and improve this skill with dedication and the right mindset. They can learn to communicate without jargon and be better listeners.

Monotasking

It’s common to think multitasking is a skill that cyber professionals should embrace, especially in such a fast-paced environment. Digital transformation even leans on this concept. Yet multitasking causes distraction, impacts awareness, and increases errors. Monotasking is the opposite, where the focus is on one action at a time, and it’s critical to digital transformation success.

Empathy

Empathy has a critical role in the technical world. When it’s absent, you can’t have a team that works together. Instead, the ecosystem is toxic, with large egos and intellectual bullies. If these fester, the risk rises exponentially. It comes down to being a human connection problem, but it’s not insurmountable. You can encourage and foster empathy in your team with various everyday practices and exercises.

Kaizen

The final step is Kaizen, which means continuous improvement and change for the better. The seven steps are their own Kaizen. It’s an ongoing process to grow and change, characteristics found in digital transformation and cybersecurity as well.

Close the Digital Transformation and Cyber Risk Gap with the Secure Methodology

Achieving digital transformation objectives can occur in unity with cybersecurity. They don’t have to compete or run parallel. The Secure Methodology can be your guide to healing the gap by addressing the people problem.

See how you can apply it by reading my book and checking out the Secure Methodology course.

The Cyber Threat No One Talks About — the Absence of a Cybersecurity Culture

Cybersecurity Culture - Christian Espinosa

In the conversation regarding cyber threats, the perspective is typically on defeating cybercriminals. The threat lens points outward, and that threat is very real. Hackers are motivated and persistent in their pursuit of stealing data, deploying ransomware, and causing havoc.

However, an equally potent cyber threat is what’s happening within an organization. A lack of a cybersecurity culture can increase risk exponentially. While the concept of a cybersecurity culture isn’t new, it’s still a challenge for most technical teams. When it isn’t present, cyber professionals work in silos, avoid accountability, communicate ineffectively, and erode collaboration.

If these characteristics seem too familiar, it’s time to address, reimagine, or build a culture that values communication, collaboration, curiosity, awareness, and cooperation. Failure to pivot and adopt such a framework could be the reason that you become a cyber statistic.

What’s the Ideal Cybersecurity Culture?

For the purpose of this discussion, I’m referring to cybersecurity culture as the principles and values of the cyber team, not the enterprise. There is a difference. In the latter, cybersecurity culture describes all stakeholders and employees understanding the threat landscape and working toward adopting best practices to avoid things like phishing attacks.

In terms of your team, cybersecurity culture is the environment in which your technical folks work to prevent attacks, analyze risks, deploy new strategies, and keep the organization as secure as possible.

The ideal culture to aim for includes these ingredients:

  • Consistent and clear communication
  • Awareness of one’s own actions and the perspectives of others
  • A foundation of trust and respect
  • Collaborative interactions that support the organization
  • Championing a growth mindset where individuals can adapt and evolve
  • Empathy and understanding of others’ feelings and perceptions

You may find this list overwhelming, but these are the tenets of any effective culture. Each of these elements is necessary to drive progress on the individual and team levels. So, what happens when culture is nonexistent? And what’s the impact on risk?

A Lack of Cybersecurity Culture Compounds Risk

As a cyber professional, your entire view of your actions is measured in risk. Even those businesses with robust cyber controls still have exposure to risk. It’s unavoidable in the modern age. Except that the threat isn’t always outside. Cybercriminals are rightly painted as the enemy, but the absence of a cybersecurity culture makes you more vulnerable. Here’s why.

Shared Responsibility and Accountability Failures

Your cyber team must be one that shares responsibility and takes accountability. There is no leeway on this one. It would seem to be a given that your people must work together in every component of security. Unfortunately, this isn’t happening in most organizations.

The reasons are complex, but ultimately, it comes down to the fact that technical folks have deficiencies in people skills. They are defensive and aggressive with communication and singularly focus on what they believe are the proper practices. Instead of forming a team to defeat the hackers, they often in-fight with one another, each trying to take the title of the smartest person in the room. As with any situation like this, internal animosity gives cybercriminals the edge.

Communication Stalls, Heightening Risk Incrementally

When your people are acting as teams of one, communication is toxic and ineffective. It comes out as snide remarks with an air of condescension in every word. How can a team protect your organization when they can’t even communicate?

You likely recognize the attributes of dysfunctional communication within your team. However, you might not see it for the risk it truly is. Without a set of rules around discussion and conversation as part of your culture, you will experience greater risk in every area of cybersecurity.

Acknowledgment Gaps Grow Seeds of Disengagement

Another key part of a cybersecurity culture is acknowledgment. All too often, the only acknowledgment teams receive is about what went wrong. You can’t avoid mistakes and errors, but as the cyber leader, you need to make room for acknowledgment of progress and what’s going right.

Your cybersecurity culture has to be a safe place for this to occur so that feedback can be more positive and specific. You can still correct behavior and guide people toward best practices. If this never happens, employees will become disengaged and resentful. They’ll see you or the organization as the enemy, not the hackers.

These challenges are inherent in cybersecurity but not without a solution. Transforming technical professionals into excellent communicators and collaborators is the core of building your culture.

How to Build a Sustainable Cybersecurity Culture

No matter how mature or large your cyber department is, you can construct and foster a sustainable culture that decreases risk. After years of experience building resilient and adaptable technical teams, it became evident to me that culture is a people problem.

As a result, I developed strategies and initiatives to correct it in the Secure Methodology™. It’s a seven-step process that helps cyber leaders develop soft skills in their staff with the outcome of a cohesive team ready to protect an organization. Here’s how it applies to culture development.

Employees Need to Know Their Contributions

The seven-step guide touches on how employees see themselves in terms of the enterprise and its impacts. The problems with this are twofold. First, they often believe themselves to be individual contributors because they subscribe to a lot of black-and-white thinking. They want to remain solely in their lane, which causes silos and fractures in collaboration and communication.

The second part is that they don’t feel valued or appreciated for what they do. As a result, they don’t know that what they do matters, which makes them complacent, elevating risk.

To address this, you need to work on acknowledgment, provide a clear vision of the role cyber teams play in company objectives, and champion constant communication.

A Shift to a Growth Mindset Is Imperative

You can either have a fixed or growth mindset, and cybersecurity culture only flourishes under the latter. When your technical employees are set in how they see cybersecurity and the world, they can’t grow. It’s not about learning new technical skills; they feel comfortable with this. Rather, it’s about changing perspective, which requires hard work.

If you can construct a culture that encourages growth and change, your people may be less afraid to do so. They have the potential to do this. It simply requires commitment.

Communication Is Everything

Communication includes the words we use, how we interact, and our listening ability. A lot of communication is actually nonverbal, and I can’t emphasize enough how crucial it is to understand that.

Typical technical communication is acronyms, jargon, and overcomplicating the simplest explanation. Cyber professionals have been indoctrinated in many ways to communicate in this way. It’s time for you to help them break these bad habits because they’re hurting all parties.

You’ll need to dedicate a lot of soft skill development to communication with exercises and resources. You also must lead by example, ensuring that your message is consistent and instructive. It becomes the bedrock of your cybersecurity culture, enabling your team to work as one.

Communication skills are also always in need of improvement and work. With any change to culture or new risk on the horizon, your team must continue using what they learn. That’s how it becomes culture — through daily use!

Focus and Distractions in a Dynamic Environment

Another component of building a cybersecurity culture is that the environment is so dynamic. As a result, focus can become disrupted, and distractions are plentiful. The best way I know to tackle this is by monotasking.

Monotasking requires concentrated work. It’s not a term that’s celebrated in the business world because it’s the opposite of multitasking. We’re brainwashed to multitask constantly, and when we do, our attention strays. In cybersecurity, this becomes a threat.

The demands on cybersecurity never ease and require immediate responses. This paradigm won’t change. However, if your culture encourages monotasking, so that focus on specific tasks is distraction-free, your people will likely be more productive and effective.

Connecting with Others Means Shedding Self-Centered Thinking

A healthy cybersecurity culture focuses on cognitive empathy. It’s the notion of understanding the feelings of others and their perceptions. Empathy is the choice to connect with someone and accept their perspective. When present, it delivers many advantages in how you manage cyber risk because it fuels the belief that change and adaptation are good.

Again, empathy starts with you as a leader. If you demonstrate it regularly, it begins to weave its way into your culture. Making it a priority to educate your people on empathy and how to make it part of their skill set is critical to their remembering who the real enemy is — the hackers.

A Strong Cybersecurity Culture Thwarts Internal Threats

Cultivating a strong cybersecurity culture is something you have control over, which is rare in the field. If you promote one that values communication, collaboration, trust, acknowledgment, and empathy, you have an advantage over external threats. You can learn more about applying the Secure Methodology to culture by reading my book, The Smartest Person in the Room.