Cybersecurity Workforce Retention: Keep Top Talent with the Secure Methodology

Finding qualified and skilled talent has been a struggle in cybersecurity for years, and the data shows it’s only getting harder. Exacerbating the cybersecurity workforce shortage is the fact that retaining employees is just as challenging as hiring them. Cybersecurity workforce retention is as important as your recruitment strategy.

So, how do you keep cyber professionals on the job? It’s not an easy answer, as so many factors impact this. However, you can build a retention plan alongside your recruitment strategy. In this post, we’ll uncover why turnover occurs and how to create a culture and environment that will make them stay.

Cybersecurity Workforce Retention: State of the Industry

A study from the ISACA found that 60% of cyber leaders said it was difficult to retain cybersecurity professionals, up 7% year-over-year. The survey outlined why it’s happening, with these being the top reasons:

  • Recruited by other companies (59%)
  • Compensation and incentives (48%)
  • Few promotion and development opportunities (47%)
  • The high stress of the job (45%)
  • No management support (34%)

Some of these challenges are easier to combat than others. Currently, there are more open cybersecurity jobs than qualified people to fill them. One study estimated that over 3.4 million cybersecurity positions are unfilled, a number that will only increase. As a result, other companies will try to lure away your employees, even if they aren’t actively looking for another job. How they respond to those overtures will depend on how they feel about working for you in terms of money, autonomy, support, and satisfaction.

Compensation is another tricky area. Competitors may be offering more money. While that’s a critical part of why people work, money may not be the top factor in retention. Regardless, depending on their experience, role, and market, you should pay your team a fair wage. With the cost of living increasing, you must keep up with this.

Next is development, which is something you can control. Continuing to train and upskill your team shows you’re investing in them and their future. You should also be clear with them about the opportunities to advance.

Stress is inevitable in almost any job. Cybersecurity is a dynamic field where fire drills are constant. Helping workers decompress should be part of your culture. It could be rewarding your team with social or team-building activities. Keeping an open door so employees can share their experiences and their stress with you can also help.

Finally, you have complete purview over management support. As a leader, you have to earn and keep the respect of your team. Being a great leader requires you to communicate honestly, listen intently, acknowledge their work, and support them in any way you can.

Addressing these common reasons for turnover is critical for your organization because its impact is considerable.

The Impact of Turnover

An inability to retain staff affects many aspects of operations. Being understaffed creates more risk because everyone’s stretched thin, and it’s easy to miss key things when someone is overwhelmed. Turnover also limits your ability to be strategic because you’re stuck in a reactive mode rather than a proactive one. Productivity suffers as well.

Turnover also costs you money. The average cost of hire is $4,700 and could be even greater considering how in demand these roles are. It’s in your best interest to retain your technical folks, which isn’t easy. You may be looking at many methods to decrease turnover, including increasing wages and benefits, allowing for flexible work, asking for feedback from your team to propel improvement, and providing the right tools to do the job.

Those are all good things to have, but retention has much to do with engagement, satisfaction, feeling valued, and having respect for leadership. These things can mean more than money, which is why applying the Secure Methodology™ to cybersecurity workforce retention makes sense. It’s a seven-step guide that defines a roadmap to transform technical people into highly communicative and collaborative professionals.

Let’s see how each step can support retention.

Applying the Secure Methodology to Cybersecurity Workforce Retention

With every step of the Secure Methodology, there are lessons to learn that impact retention. Here’s how to use these in your organization.

Step One: Awareness

Awareness is an important attribute to have in life and work. We all have blind spots, but some are bigger than others, and being unaware of them has consequences: it negatively impacts relationships and erodes trust. Without awareness, your team doesn’t realize how their behavior affects others and the environment, and things can become toxic very fast. When awareness is lacking, it’s easy to see why some people would want to leave.

Awareness means being cognizant of your blind spots and working to address them. A more aware team will be more collaborative and communicative. Here are some ways that this can support retention:

  • Coaching is vital to broadening awareness. If you can open the eyes of your team constructively, they may have “aha” moments. Shifting their stance away from being self-centered gives people a better perspective.
  • Using specific, relatable language helps technical people better understand expectations and culture. When there’s no confusion about where everyone should focus, they will likely feel more empowered.
  • Understanding motivations is critical to unlocking awareness. Tapping into what makes them tick helps strip away some of the technical posturing cyber professionals often do. Knowing their motivations allows you to personalize how you support and coach them.

Step Two: Mindset

There are two types of mindsets: fixed and growth. Many technical folks have fixed mindsets with no desire to change, learn, or grow. However, it doesn’t mean they have to stay that way. Fixed mindsets are poisonous to retention. Even one person in the group with a fixed mindset can taint it for others. When we’re fixed, we refuse to move.

A growth mindset is freeing and enables people to be flexible and adaptable, which is necessary in cybersecurity. Evolving a fixed mindset into a growth one is possible, but it requires commitment from you and the employee.

Some key results of a growth mindset include:

  • The ability to reflect on situations and understand how to handle them differently.
  • Healthier and more consistent communication.
  • A culture that welcomes growth, personally and professionally.

Together, these make a growth mindset a significant reason employees stay with your organization.

Step Three: Acknowledgment

Acknowledgment is scarce in technical fields, yet it’s crucial to retention. Your employees want appreciation for the work they do. It’s absent largely because most cyber leaders only respond to things when they go wrong. The small wins every day matter a great deal to your people, so you must become vigilant about feedback.

Your approach to acknowledgment should include:

  • Being positive by looking at what went right first
  • Specificity in your feedback
  • Immediately offering feedback in the moment
  • Praise in public and relay ways to improve in private
  • Consistency in how you address acknowledgment

Lack of appreciation and lack of feeling valued are two primary reasons why people leave their jobs. If your people don’t receive acknowledgment, they’ll actively seek another job.

Step Four: Communication

Communication is part of every step in the Secure Methodology, along with having its own step. It is, without a doubt, the most critical part of a thriving culture and the strongest support for retention. You probably know there are communication issues among your technical folks. It doesn’t mean they aren’t articulate. Rather, their communication styles are often too aggressive, overly complicated with geek speak, and always on the defensive. They are also poor listeners, and listening is the other half of communication.

This storm of dysfunction will have people, often your best, running away from your organization. Thus, it’s critical to make communication the foundation of your culture and retention strategy. Here’s how to use it:

  • Be honest and transparent as a leader.
  • Move away from overly technical language and simplify the message.
  • Encourage open discussion and dialogue that’s respectful.
  • Praise your people when they make adjustments in communication.
  • Practice active listening in exercises, so they grasp how crucial it is.

If you can lay out these tenets, your people will likely see the value and follow you. If some still don’t realize it, they may be dragging others down. In some cases, you may have to let those folks go, so they don’t make it unbearable for everyone else.

Step Five: Monotasking

Monotasking is focusing on one thing, the opposite of multitasking. Many describe multitasking as an excellent quality, but it can actually hamper productivity. Forcing multitasking can make your people feel pulled in many directions. Those feelings create animosity and dissatisfaction. So, remove this pressure and instead recommend blocking time for specific tasks, meetings without distractions, and saying “no” to some things that aren’t urgent.

Step Six: Empathy

Empathy is a valuable quality to have. In cybersecurity, cognitive empathy is essential for a healthy environment. It means being able to understand the feelings and perspective of another person. Without it, you have no team and no human connection, and you need both to retain your people. All the things you put in place to get to this step support the building of empathy. Developing it in your team builds trust and creates more satisfaction.

Step Seven: Kaizen

The final step is kaizen, which is a Japanese term. When translated into English, it means “continuous improvement.” So, this step isn’t an end to the journey; it’s how to sustain it. If your team believes in this process, they’ll want to continue identifying ways to improve and follow through with them. When kaizen is part of your cybersecurity culture, your technical folks will evolve and realize that this is where they can continue learning and growing.

Retaining your workforce won’t be easy. With the Secure Methodology, you have a framework. You can go more in-depth by reading my book, The Smartest Person in the Room, and viewing the Secure Methodology course.

Cybersecurity and Meaningful Work: Why New Generations Entering the Field Want Purpose

The cybersecurity talent pipeline is facing the same challenges as many industries. A strong job market and low unemployment mean that many well-qualified professionals aren’t actively seeking new jobs. As a result, cybersecurity needs to look to the latest generation entering the workforce, Gen Z. Gen Z is a unique generation, which makes recruiting and retaining them much different. They have new ideas about work: it should be more than a job and should provide them with purpose and fulfillment, a trending topic in the world of HR known as meaningful work.

In this post, we’ll examine the Gen Z demographic, what matters to them, the concept of meaningful work, and how cybersecurity leaders can use this information to connect with a new generation of workers.

All About Gen Z and Their Entrance into the Workforce

Gen Z describes individuals born between 1997 and 2012. They currently make up almost 21% of the U.S. population. The oldest of this group have entered the job market, with many more to come in the next few years.

Gen Z is described as the most racially and ethnically diverse generation. They are also digital natives who have had a device in their hands most of their lives. This demographic has also been through many major events during their young lives, including the war on terror, a major recession where they witnessed parents and family members lose jobs, and the pandemic.

All these factors shape how they view work and what’s important to them. They are often adamant about work-life balance, flexibility, autonomy, and having modern technology as part of their job. In addition to these expectations, they also want to work for organizations that share their values. In fact, 77% of Gen Z said this was important in response to a survey conducted by Deloitte. Another thing they value highly in an employer is diversity, equity, and inclusion (DEI), which 87% agreed was critical when considering jobs.

Gen Z also cares about company culture. Cybersecurity should be very culture-focused, which could entice them. Overall, they want to work for a company that cares about their well-being.

Work for them isn’t about a “grind” or purely a transactional relationship. They desire meaningful work, and if it’s not present, they’ll have no problem moving to the next opportunity. Long gone are the days when employees worked for a single company their entire lives.

As a cybersecurity leader, ingesting this information about Gen Z may give you pause. Yet, they have some key attributes that make them attractive as workers beyond technical skills.

How Gen Z Workers Can Benefit Cybersecurity

Gen Z had a big head start on technology aptitude. It’s been part of their lives forever, and they’ve been early adopters. Beyond these skills, cybersecurity leaders are placing more emphasis on people skills, which is the central message in my book, The Smartest Person in the Room. These can be very hard to develop in older workers who have been in the industry for years.

The nature of Gen Z’s life experiences naturally predisposes them to value being communicators and collaborators. The stereotype of this group as never putting down their phones and being detached in communication isn’t accurate. They do love tech and spend lots of time on social media, but it’s not their entire personality.

Since they sincerely care about the world around them, they also understand the value of having strong interpersonal skills. Some might not be as confident in soft skills, but they won’t “fight” you on realizing the need to develop them as older generations may. As a result, they may be more amenable to participating in exercises, programs, and activities that will help them cultivate better people skills.

All these things make Gen Z an attractive group for cybersecurity careers. The onus of making your industry and company appealing has a lot to do with meaningful work.

What Is Meaningful Work?

Meaningful work is a relatively new concept in the world of HR. Its definition is somewhat flexible because “meaning” is subjective to each individual. The universal idea is that an employee believes the work is important for the greater good and that they are part of something larger. As a result, workers are motivated and engaged in what they do.

Another aspect of meaningful work is that employees get to use critical thinking skills and be problem-solvers rather than simply executing tasks.

Both align with a career in cybersecurity and what Gen Z wants in a career. In the end, meaningful work is good for workers and businesses.

For example, work that employees themselves find meaningful can benefit their mental health, something Gen Z takes seriously. Healthier employees typically have fewer absences than colleagues who are struggling. They’ll also be more engaged in building a strong cybersecurity culture and collaborating to do great things.

An environment of meaningful work supports retention, as well. The attachment that occurs in this situation delivers tangible benefits. Companies can see 50% less turnover and a 56% increase in job performance.

It can also deter burnout, which can be a problem in cybersecurity. It’s a high-stress field with many risks, threats, and stakeholders. If you have a team that feels the work is meaningful, that you and the organization value them, and is a culture that’s inclusive, you have an advantage over others. As a result, you’ll be a more attractive option for those entering the field.

So, how do you promote your company as one that delivers meaningful work?

Attracting Gen Z with the Promise of Meaningful Work

There are a few key strategies to consider when recruiting Gen Z with the angle of meaningful work. First, it’s essential to know that Gen Z is proactive in their job search: a quarter of those in college began job searching in their first two years. Second, they seek internships to get experience for the future and to test out a field to see if it’s a good fit. With that in mind, here are some ideas.

Partner with Universities and Community Colleges to Find Talent

Get to Gen Z while they are still learning by creating relationships with educational institutions. It’s an excellent way for students to become aware of your company. This can lead to mutually beneficial internships. The first impressions that Gen Z has about your company will matter, so talk about culture and how much you value interpersonal skills as much as technical ones.

Add Meaningful Work to Job Descriptions

Most cybersecurity job descriptions are dry and standard. It looks like a computer wrote it! Gen Z will not respond to this, as they value authenticity. Be honest in how you position your roles. Yes, it’s important to talk about technical skills, but you can also include that meaningful work is part of your organization and that you provide an environment where people can learn and grow.

Tap Your Current Gen Z Employees for Referrals

If you already have Gen Z workers on your team, talk to them about referrals. Ideally, if they are happy with the company and the work, they’ll be up for this. A referral is better than most applications for both parties. For you, it’s a sign that your employee vouches for them. For the candidate, they’ve heard about what it’s really like to work for you and weren’t discouraged by what they learned.

Once Gen Z becomes part of your group, you have another consideration that can make or break the outcome. How will older generations react to them?

Is Your Team Ready for Gen Z and Meaningful Work?

If you’ve made meaningful work a priority, then your current employees know this. However, it’s not going to matter to all of them. Some are still stuck in old perceptions about cybersecurity. Their “meaning” is that they are the smartest, most capable technical people. If that’s your current predicament, there will be some friction.

In a way, you have to prepare them for the entrance of Gen Z, which will require that they work on their people skills. Hopefully, they’ll realize this process benefits them in many ways. However, it involves change, and resistance is inevitable. Through the Secure Methodology™, which I developed in my book, you can find a seven-step guide on how to transform these outdated mindsets.

These steps will be helpful for all your employees, regardless of their generation, though how they respond and how much effort they put in will vary. Ultimately, you’re trying to build a cohesive team that respects each other, cooperates well, communicates clearly, and can find meaning in what they do.

The journey ahead will be challenging at times. You have a chance to make a real difference in the lives of your employees and your company’s ability to manage risk and mitigate threats. Use the Secure Methodology as a blueprint to do that. Get the entire message by reading my book and check out the Secure Methodology course, as well.

The Secure Methodology™ Step Six: Empathy

Empathy in the professional world isn’t a new concept, but its adoption is lagging. Look no further than the Great Resignation as proof that how companies treat people must change. Many people have readjusted their beliefs about work and life in the past few years, so empathy’s importance is greater than ever, and it has a pivotal role to play in cybersecurity.

Empathy is a key component in winning the cybersecurity war. As such, it’s the sixth step in the Secure Methodology, a guide of seven steps that helps cyber leaders transform their employees into high-functioning communicators and collaborators. It builds on the five preceding steps: awareness, mindset, acknowledgment, communication, and monotasking.

Let’s dive into empathy and why it’s a critical aspect of cybersecurity.

Empathy Is Hard to Find These Days

While empathy is critically absent in many technical folks, the rest of the world isn’t demonstrating it much, either. It doesn’t mean that people are naturally unkind; instead, their concept of doing things to support others and the greater good gets canceled by their focus on differences.

It’s easy to ground a worldview in differences and an us-versus-them mentality. If we don’t feel personally impacted by something, we’re glad to look the other way. If “others” are different, then many of us can feel it’s none of our concern.

Except, at the end of the day, we have so much more in common. First, we’re all humans and face many of the same challenges. There’s a microcosm of this happening in your cyber team, especially in their beliefs about others. They typically see nontechnical roles as “others” who could never understand what they do, which creates a wall for communication and collaboration.

Everyone will always have specific roles, but when they become the foundation of how you react to others, it’s not serving anyone. For example, saying, “Oh, he’s a salesperson and can’t understand security risk,” means someone’s already discounting them and looking at them like a caricature.

This initial premise creates an empathy void, which has consequences for cybersecurity.

The Impact of the Absence of Empathy on Cybersecurity

So, how does a lack of empathy affect cybersecurity? It can cause a lot of problems, which can have a devastating impact on risk.

Technical Folks Can Be Intellectual Bullies

Bullying in the workplace is just as common as in the schoolyard. When people cannot see the perspective of others, they tend to act condescending and be defensive in every conversation. They use their intellect to belittle others, which fosters distrust and resentment. Unfortunately, bullying is often part of cybersecurity culture and goes unchecked.

Ego Cripples Empathy

These bullies often only have concerns for themselves. They have a narrow view that doesn’t include the needs of others. It’s especially detrimental when managers have egos that stunt the growth of others. It’s toxic and hampers the capabilities of a team.

Without Empathy, You Can’t Have a Team

The basic principle of a team is a group of people working together to accomplish a goal or solve a problem. Empathy is a prerequisite for this. When it’s missing, you can’t have a team.

We all have some type of belief about our own inabilities. You would think this would encourage us all to be more empathetic. The challenge for many technical people is that they want to cover up insecurities, so they reject empathy for themselves and others. As a result, the foundational trust of being teammates isn’t there.

Empathy Emptiness Is More Than an Internal Problem

A cyber team that doesn’t prioritize empathy also hurts the relationships it has with others, whether they are an internal or external client. Technical people are responsible for security, but not in a vacuum. They must work with others to understand the objectives and concerns of these parties. When they don’t, they create a greater divide and overcomplicate situations, which causes further ostracization.

The stakeholders want to be involved and understand threats and risks. Just because they aren’t technical people doesn’t mean they can’t understand these things. However, if cyber professionals keep them in the dark, it only helps cyber criminals.

The Real Empathy Struggle for Technical People Is a Human Connection Problem

In my career and experiences, I’ve learned that human connection is the root of the empathy struggle for technical folks. Obviously, connection is essential to empathy in any capacity. If we’re all lone wolves and only focus on ourselves, there’s no connection.

Striving to build a human connection is an asset anyone can appreciate. It improves communication, collaboration, and perspective. Those things make people better at their job and happier in life in general.

So, how do you break people out of their one-track minds and cultivate a cybersecurity culture built on empathy?

How to Develop Empathy in Your Cyber Staff

You may think that developing empathy in technical professionals is impossible. You may already be ready to skip to the next step and leave this one out because empathy is too emotional. Fair enough, but I wouldn’t have included it in the Secure Methodology without a plan. It’s an entire chapter in my book, The Smartest Person in the Room, and these are some excerpts that can help you find success.

The Framework Starts With Cognitive Empathy

There is more than one kind of empathy, and the focus here is cognitive empathy, which is the ability to understand someone else’s feelings and perspective. It’s somewhat different from its emotional counterpart, affective empathy, but it still has the same roots.

Additionally, you must frame your approach to differentiate between empathy and sympathy. They are quite different. Empathy describes the choice to connect with someone and accept their perspective. Sympathy doesn’t require the perspective aspect. Rather, it’s merely the ability to feel sorrow for how someone else feels.

People can be sympathetic but not empathetic. It’s a good trait to have, but empathy is what can drive organizational change and success.

Understanding Motivation

Motivation is a recurring theme in the Secure Methodology and applies to empathy. Grasping what motivates an employee is a key to helping them become more empathetic. Their motivation ties to the role they play in cybersecurity and supports a perception of a team working together. If they get this, they’ll want to grow their empathy.

Acknowledging Accomplishments

When you recognize the hard work of your staff, you create positive connections with them. In turn, it becomes a way to foster empathy. In addition to acknowledging achievements, you should also highlight similarities, struggles, and perspectives. This can create further connections between teammates and enrich trust.

Adapting Communication

It starts with you and your communication if you want your people to exemplify cognitive empathy. You have to be an example through how you communicate, which means admitting uncertainty and not always having an answer. They may be more likely to do the same if you can do this. Adapting your communication is critical and includes:

  • Avoid the word “why” because it triggers defensive responses.
  • Try making statements to uncover information, such as “Tell me what your plan is for this.”
  • Include the perspectives of others in how you communicate to demonstrate that the topic impacts many people.
  • Encourage people to explain those impacts on others when working through a cybersecurity challenge.
  • Continue to impress upon your team that listening is just as vital in communication as speaking.

Putting the Target Back on the Actual Enemy

It may seem obvious, but the enemy in the cybersecurity war is the attackers. Yet the “otherism” I described earlier pits cyber professionals against their colleagues. People stuck in an us-versus-them mindset forget who the actual bad guys are. In fact, they’re helping the bad guys by functioning without empathy.

Staff too busy trying to stay in control of every cyber discussion and decision refuse to give the needs and perspectives of others a place. As a result, cybercriminals win because team cohesion is absent. This is the most dangerous environment to operate in, and it makes a breach or incident far more likely.

In working toward greater empathy, you must be clear about who the adversary is and that it’s nobody in the room. Connection within your team and with clients is critical to being proactive and prepared for cyberattacks. You can outmaneuver the hackers if you consistently focus on this and encourage empathetic capabilities.

Trust in Empathy to Revolutionize Your Cyber Culture

All the work from the previous Secure Methodology steps will put you in a position to develop empathy with your technical people. Having this new approach should also help you make better hiring decisions in the future. The bottom line is that empathy isn’t an innate human quality. We have to learn it, and you’re in a position to help people do this. That’s good for them personally and professionally. Get more tips on empathy and exercises by reading The Smartest Person in the Room.

How to Create a Culture of Innovation in Cybersecurity

Creating a cybersecurity culture isn’t a novel idea. It’s been around for some time, as the field and organizations realized that cybersecurity isn’t just about tools, protocols, and technical aptitude. Culture is much more about the people, which makes it much harder to build and sustain. People are unpredictable and don’t always have the skill sets to participate in culture. There’s an additional component of culture, and it revolves around innovation. So, how do you develop a cybersecurity culture of innovation?

If it’s not a question you’re asking yourself as a cybersecurity leader, I would suggest you should. Innovation is the enemy of complacency. However, it requires cyber teams to look beyond their technical aptitude and leverage soft skills, which they may not have. It can seem like an uphill battle, but it’s worth considering the benefits it can bring your staff and business. Those advantages include satisfied employees, mitigation of risk, and the ability to meet continuous improvement goals.

So, let’s talk about fostering innovation in your cybersecurity culture.

What Is a Cybersecurity Culture of Innovation?

At the foundation of culture are people and behaviors. If those whose job is to protect data and networks have a closed mindset, fail to evolve their conceptions, or believe they are the smartest people in the room, culture will always be toxic. In these cases, risks become greater, turnover is high, and communication is nonexistent.

Conversely, a healthy culture has open-minded participants that want to work together effectively and continuously learn. That is an environment where innovation can thrive. It’s a place that welcomes new ideas, which can lead to a better security posture, engaged employees, and greater productivity. In this scenario, everyone benefits.

As you assess your current culture, you probably have gaps, some more than others. Filling those gaps aligns really well with the Secure Methodology™, so I’ll be referring to that as I describe the steps to take. The Secure Methodology is a seven-step guide for cybersecurity leaders to leverage to develop the people skills of technical folks. These steps don’t focus on cyber skills but rather interpersonal ones, which is the core of culture.

Building a Culture of Innovation

No matter where you’re starting in the culture journey, these pivotal elements will be necessary to propel your organization into one that’s agile, forward-thinking, and connected. Here are the areas to help you formulate a plan.

Cybersecurity Culture Involves Three Different Levels

When considering any culture configuration, there are always three levels to consider, from the top to the individual. While they have different roles in the organization and responsibilities around cybersecurity, they must work together to maintain a culture.

The first level is the c-suite, including the CEO and CISO. They must lead by example if they want the culture to permeate. They are top-level decision-makers, but those decisions don’t happen in a vacuum. They need to understand risk and how cyber operations work, which requires clear, consistent communication from cyber teams and individuals. Unfortunately, communication is often the skill most lacking in technical employees. If those who set the strategy and budgets are only fed geek speak, culture leadership is working with a handicap.

Communication, of course, goes both ways. When leaders set a precedent for how they expect communication to flow, it can break down some barriers. In the end, the c-suite needs communication development as well. That is especially true of the questions they ask, which should be more granular than they might currently be.

The second level is the team. Your cyber team comprises people with various skill sets, experience, and expertise. If they can build a coalition that taps into this, they’ll be in a good place regarding culture. However, we’re talking about behavior, communication, and cooperation, and those are usually the Achilles’ heel of any cyber team.

Evolving the team dynamic is a big part of the Secure Methodology. Its guidance accounts for the typical lack of people skills and how that affects cybersecurity culture. Too often, your team operates in silos and wants to keep doing so. Many times, it’s out of fear that others will find out they don’t know everything. Yet admitting you don’t know everything is precisely the mindset you need in order to innovate!

When working on culture at this level, the Secure Methodology is an excellent framework for cultivating communication skills, awareness, empathy, and more.

The last level of culture is the individual. What applies here is similar to the team level, with caveats. The biggest is motivation, as each person has their own. At this level, as the leader, you must connect with each person to understand their capacity to change and grow. It’s the most challenging part of a cultural shift, and not every person on your team will be ready for it.

The Secure Methodology includes exercises throughout the seven steps to assist with this. How each person reacts to these will determine their long-term cultural fit.

Now that we’ve looked at each level of culture, here are some more tips you can use to further the pursuit of innovation.

Find Cultural Evangelists

Within your cyber staff, you’ll find those that are all-in on cementing culture as innovative. These people already have a good base of people skills and will prosper in this new dynamic. Assign those employees to be cultural evangelists. They can work together to develop training and upskilling opportunities. Since it’s coming from their peers, others may find this more inviting and appealing.

Define the Language of Innovation

Earlier I discussed the issues in communication among cyber professionals and mentioned their love of geek speak. Many use this language because they don’t want to reveal their weaknesses or limitations. It’s your job to banish this language and identify what the tenets of communication should be, which can include:

  • Eliminating jargon that has no purpose
  • Encouraging and promoting active listening skills, which are just as important as language
  • Using inclusive language so that those individuals outside of cyber teams would understand
  • Reframing communication as a way to reach a result that technical people can relate to
  • Simplifying messaging
  • Praising positive communication moments to reinforce the value of it
  • Outlining how clear communication leads to innovation

Transform Fixed Mindsets into Growth Mindsets

Mindset is the second step in the Secure Methodology, and it is critical to culture. People either have a fixed mindset or a growth mindset. You, of course, want professionals with the latter. That doesn’t mean those with fixed ones can’t evolve and grow, but it does take work.

A fixed mindset hampers your organization’s ability to be proactive in security and forward-thinking. These folks don’t want to innovate around this because it’s too unknown and uncertain. It will also erode culture. Here are some key steps to transform mindsets:

  • Coaching and reflection: When communicating with a fixed mindset, asking the right questions matters. You need to take them back to a moment when their fixed mindset was a barrier. Such a moment could instigate reflection and more awareness of their behaviors.
  • Asking why: Again, questions posed to these folks can create aha moments. There’s an exercise called the 7 Levels Deep Exercise, which I recommend. It will help uncover motivations.
  • Praising mindset changes: The third thing to do is to acknowledge and recognize when you see mindset shifts from fixed to growth. Something as simple as this can make a significant impact on future behavior.

To round out this discussion, I want to leave you with some additional insights into innovation and security.

Innovation and Security Aren’t Foes

One of the biggest misconceptions in the cyber world is that security is a barrier to innovation. Such a perspective is dangerous to your culture and ability to defend data and networks in the cyber war. Security does not impede innovation. In fact, they work together very well with the proper perspective.

It’s not unlike the principles of DevSecOps, where development, security, and operations converge. In this approach, security is part of the conversation from the beginning and carries equal weight with development and operations, as it should. You cannot have innovation without security. Innovation, at its core, is about devising solutions that enable better results. If security sits outside the innovation bubble, you may have a good idea, but it won’t come to fruition: it won’t be deployable or scalable.

So, you must build the case that they both can coexist harmoniously and should always have a link. Otherwise, you’ll waste time, money, and resources. If you leverage the tips and ideas from this post, you can easily demonstrate how vital security is to innovation.

If you’re ready to build your culture of innovation, you should learn more about the Secure Methodology, which you can find in my book, The Smartest Person in the Room. Additionally, I have a Secure Methodology course, which delves further into the seven steps. Check them both out today.

2023 Cybersecurity Trends: What Every Cyber Professional Needs to Know

The world of cybersecurity is dynamic. It changes quickly because cybercriminals are relentlessly persistent in their goal of breaching organizations and stealing valuable data. Many of the biggest threats aren’t new, but they evolve as attackers get smarter and the systems built to stop them get stronger. In the year ahead, cyber professionals will have the daunting task of defending their domain. So, what cybersecurity trends are on the horizon for 2023, and what strategies will you need to address them?

Let’s find out.

The Cybersecurity Trends: Existing and Emerging Threats Are on the Calendar

Can you confidently say your cyber team is ready for the rapid changes in cybersecurity and the threat landscape? It’s hard to be certain. In fact, 40% of chief security officers agree they are unprepared. They cite many reasons: inadequate budgets, the talent shortage, and the fast pace of innovation. These and other barriers will always exist, whether or not you have a blank check and a room full of experts.

To achieve a higher level of confidence in your organization’s ability to defend its digital turf, you must understand what the landscape looks like and admit that you can’t stop everything. Proactive measures to address the risky trends ahead are ideal but not always possible. In the following list of trends, I’ll give you the bad news on risk along with some good news about what to do about it, which looks different from what you’ll hear from other cyber experts.

Hybrid Work Becomes the Norm, and Your Security Footprint Will Only Get Larger

Unsurprisingly, hybrid and remote work models are becoming the norm. Employees want flexibility and autonomy, and employers have to stay in tune with what they want to retain them. Cyber professionals, however, aren’t exactly thrilled with this. They, too, want to work remotely, but it’s expanded the security footprint of every organization.

Company-issued devices are the lesser problem, since you still control them: you can ensure that anti-malware and antivirus tools are running and that applications are up to date. The problem is personal devices used to check email, join chats, and open documents. That’s where incidents are most likely to occur, and you have no visibility into how well protected those devices are.

Employees connecting with these devices are more likely to fall for phishing attacks, whether by email or text message, and those compromises can also expose the company to ransomware. So, what is a cyber leader to do with an abundance of employees working from anywhere?

You can set specific BYOD (bring your own device) rules, such as requiring a managed client like the Outlook app instead of the smartphone’s built-in mail app. More stringent policies that exclude all personal devices are another option, but they will be met with lots of resistance.

Building a security-aware culture that your cyber employees spearhead could be a strategy that has more sustainability. It also requires your cyber staff to think like a typical user and explore what their day-to-day looks like regarding security. If your team has buy-in to this approach, it will be more authentic and resonate more than some top-down directive that most will disregard.

Persistent Phishing: Hackers Use Many Angles to Hook Users

You likely aren’t surprised that a variation of phishing is on the 2023 cybersecurity trends list. Hackers have become much more sophisticated in how they target phishing attacks. They narrowly focus on a specific organization and keep trying new approaches, hoping they eventually wear down a person’s defenses and get them to respond.

Persistent phishing is the new normal, and cyber criminals do more than send you an email from a spoofed sender address. There are elements of social engineering in these tactics: a recipient wouldn’t think it odd to receive an email from a company they recently engaged with.

These can work, but hackers take it to the next level by impersonating people from within a company, often CEOs or other high-profile executives, so the user takes notice and responds. Common sense can go out the door when an email appears to come from the CEO.

Another phishing tactic is sharing Google Docs (or files on other public cloud storage) within emails, which can look legitimate. Many businesses use Google Drive as their file-sharing solution. Unfortunately, the share notification is sent by the platform itself from a legitimate address, so sender-reputation filtering does little against it, and the shared document contains whatever the attacker put in it.

In the new era of persistent phishing, you’ll need to step up employee education to start. You can also use filtering tools to keep these emails from appearing in an inbox. AI tools can assist with this as well.

However, some things will get through your perimeter. Turn to your cyber team to manage this constant barrage of phishing scams and get their perspectives. Make this a regular discussion in team meetings. Look at your data and listen to your team. Not everyone is going to have a new idea. Many will just say to stay the course. You want your technical employees to be innovators, and you must create a space where that’s the culture. If you do, you may get some really good strategies to deploy to lessen the hook of phishing.
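The impersonation patterns above (an executive’s name on an outside address, a near-copy of the company domain, a Reply-To that redirects the conversation) are what a first-pass mail filter can catch on headers alone. The Python below is an added example written for this article, not the author’s tooling or any product’s code. It assumes a corporate domain of example.com and the two executive names in EXECUTIVES, and the four messages in SAMPLES are constructed, not captured mail.

```python
"""Header-only checks for executive impersonation and lookalike sender domains.

Added example written for this article, not the author's or any vendor's code.
Assumptions: the corporate domain is example.com and the protected executives
are the names in EXECUTIVES. The messages in SAMPLES are constructed, not real.
"""
import email
from email.utils import parseaddr
from typing import Dict, List

CORPORATE_DOMAIN = "example.com"            # assumed
EXECUTIVES = {"jane doe", "john smith"}     # assumed, lower-cased display names

# Character sequences attackers use to build domains that look like the real one.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize_name(name: str) -> str:
    """Lower-case and collapse whitespace so 'JANE  Doe' matches 'jane doe'."""
    return " ".join(name.lower().split())


def normalize_domain(domain: str) -> str:
    """Undo common confusable substitutions: 'exarnp1e.com' -> 'example.com'."""
    d = domain.lower()
    for lookalike, real in CONFUSABLES.items():
        d = d.replace(lookalike, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw_message: str) -> List[str]:
    """Return the findings for one message; an empty list means nothing flagged."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    findings = []

    # 1. An executive's display name on an address outside the corporate domain.
    if normalize_name(name) in EXECUTIVES and from_domain != CORPORATE_DOMAIN:
        findings.append(f"display-name impersonation: '{name}' via {from_domain}")

    # 2. A sender domain that is a near-copy of the corporate domain.
    if from_domain and from_domain != CORPORATE_DOMAIN:
        if (normalize_domain(from_domain) == CORPORATE_DOMAIN
                or levenshtein(from_domain, CORPORATE_DOMAIN) <= 2):
            findings.append(f"lookalike domain: {from_domain}")

    # 3. A Reply-To that steers the conversation to a different domain than From.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to mismatch: {from_domain} -> {reply_domain}")
    return findings


# Constructed sample messages (only the headers matter here).
SAMPLES: Dict[str, str] = {
    "legit": "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 numbers\n\nAttached.\n",
    "exec_impersonation": "From: Jane Doe <jane.doe.ceo@gmail.com>\n"
                          "Subject: Urgent - need gift cards today\n\nAre you at your desk?\n",
    "lookalike": "From: IT Helpdesk <helpdesk@exarnple.com>\n"
                 "Subject: Password expiry\n\nRe-enter your password here.\n",
    "reply_to": "From: Vendor Billing <billing@example.com>\n"
                "Reply-To: billing@mail-examp1e.net\nSubject: Invoice\n\nNew bank details.\n",
}


def scan_all(samples: Dict[str, str] = SAMPLES) -> Dict[str, List[str]]:
    return {label: analyze(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, findings in scan_all().items():
        print(f"{label:20s} {findings or 'clean'}")
```

Header checks like these complement, rather than replace, SPF, DKIM and DMARC: a message that passes all three can still carry an executive’s display name on a free-mail address, and that is exactly the case the CEO-impersonation tactic relies on.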

IoT Vulnerability Grows

Few would argue that IoT (Internet of Things) devices aren’t valuable. They generate a great deal of high-quality data that is crucial in sectors from manufacturing to transportation to retail. However, these devices must connect to your network for that data to be collected and aggregated. As a result, they’ve become a target for hackers looking to infiltrate an enterprise. The more devices you connect, the more potential backdoors you open.

The proliferation of IoT devices is now part of many companies’ data strategies. The IoT devices consumers use have long had lax security measures in the name of convenience. In the commercial space, security has been more robust. The problem with IoT devices as a vulnerability often arises from the need for them to interoperate with other applications. Connecting all these points can become burdensome, so there may be slips around security. Additionally, these devices aren’t always under the control of cybersecurity teams because they sit in warehouses, on assets in the field, and in store locations.

You need to have IoT security protocols in place, but what may be more important is confirming that the devices are continuing to abide by them. That will require your technical folks to communicate with non-technical employees in the field. They’ll need to ask questions and possibly go to the sites where they are. That’s outside the comfort zone of many, and one more reason why developing soft skills for cyber employees is critical. Without effective and consistent communication, you’ll just be counting the days until an IoT security incident occurs.
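Confirming that deployed devices still meet the baseline is a comparison you can automate against whatever inventory the field teams report back. The Python below is an added example, not code from the article or any IoT platform; the POLICY values, device models, ports, sites and check-in dates are constructed for illustration.

```python
"""Drift check: compare each IoT device's last-reported state to the baseline.

Added example for this article, not code from the author or any IoT platform.
POLICY, INVENTORY and TODAY are constructed values for illustration only.
"""
from datetime import date
from typing import Dict, List

TODAY = date(2023, 6, 1)   # fixed reference date so the example is repeatable

POLICY = {   # assumed security baseline
    "min_firmware": {"cam-x1": "2.4.0", "sensor-t9": "1.8.2"},
    "allowed_services": {22, 443, 8883},   # SSH (management), HTTPS, MQTT over TLS
    "max_checkin_days": 7,
}

# Constructed inventory as reported back from the sites.
INVENTORY: List[dict] = [
    {"id": "cam-01", "site": "warehouse-3", "model": "cam-x1", "firmware": "2.4.1",
     "open_ports": [443, 8883], "default_password": False, "last_checkin": date(2023, 5, 31)},
    {"id": "cam-02", "site": "warehouse-3", "model": "cam-x1", "firmware": "2.3.9",
     "open_ports": [23, 443], "default_password": True, "last_checkin": date(2023, 5, 20)},
    {"id": "sensor-07", "site": "store-114", "model": "sensor-t9", "firmware": "1.8.2",
     "open_ports": [8883], "default_password": False, "last_checkin": date(2023, 5, 29)},
    {"id": "gw-99", "site": "fleet", "model": "gateway-z", "firmware": "0.9.0",
     "open_ports": [443], "default_password": False, "last_checkin": date(2023, 5, 30)},
]


def parse_version(v: str) -> tuple:
    """'2.10.0' -> (2, 10, 0), so comparisons are numeric rather than lexical."""
    return tuple(int(part) for part in v.split("."))


def check_device(dev: dict, policy: dict = POLICY, today: date = TODAY) -> List[str]:
    """Return every way this device has drifted from the baseline."""
    issues = []
    minimum = policy["min_firmware"].get(dev["model"])
    if minimum is None:
        issues.append("model not in baseline")          # unknown hardware on the network
    elif parse_version(dev["firmware"]) < parse_version(minimum):
        issues.append(f"firmware {dev['firmware']} below minimum {minimum}")
    if dev.get("default_password"):
        issues.append("factory default credentials still set")
    unexpected = set(dev["open_ports"]) - policy["allowed_services"]
    if unexpected:
        issues.append(f"unexpected services: {sorted(unexpected)}")
    silent_days = (today - dev["last_checkin"]).days
    if silent_days > policy["max_checkin_days"]:
        issues.append(f"no check-in for {silent_days} days")
    return issues


def drift_report(inventory: List[dict] = INVENTORY, policy: dict = POLICY,
                 today: date = TODAY) -> Dict[str, List[str]]:
    return {dev["id"]: check_device(dev, policy, today) for dev in inventory}


if __name__ == "__main__":
    for dev_id, issues in drift_report().items():
        print(dev_id, "OK" if not issues else "; ".join(issues))
```

The output is a per-device list of drift findings, which is also a concrete thing for the cyber team to bring to the site conversations described above: "camera cam-02 still has its factory password and telnet open" is easier for a warehouse manager to act on than a policy document.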

Hackers Are Still Hungry for Your Data

In most organizations, the assets to protect are both digital and physical. The digital ones, the data about customers, products, analytics, and everything else, have become far more valuable to criminals. The primary goal of hackers is to access your data and sell it. Data breaches are daily headlines now; there’s no surprise when we see the latest one.

Your organization has put all its efforts into protecting this data, but vulnerabilities still exist. It would be impossible to eliminate all of them. So, you’ve learned to live with risk, or have you? The biggest problem I’ve witnessed in my many years in cybersecurity is that those in charge of protecting your most valuable assets can’t admit that they don’t have all the answers. Many of them will do anything to hide uncertainty around this problem, and that mindset is dangerous.

If your cyber team can’t be honest that data breaches are still possible, they’ll be doing little to fortify your protections. They will be averse to applying new tools or strategies and unable to communicate and collaborate effectively. Hackers are the enemy, but the inside threat looms when you have employees that aren’t living in reality.

The best way to address this cybersecurity trend is by breaking norms and getting honest about who on your team is willing to grow and change their mindset. They may not fit the culture you want to cultivate if they can’t. They may have brilliant minds for technology, but their inability to think critically and with transparency means they are more of a risk than an asset.

Addressing Cybersecurity Trends Requires an Agile Team

The risks of modern business will only grow. Digital transformation is accelerating at light speed, and every organization wants to future-proof its technology and infrastructure. You should be on this path as well, with one major caveat. Even more important than the tools you use and the policies you set are the people behind them. You’ll be ahead of the curve if you have cyber talent on your team that’s agile and ready to pivot when needed.

You can learn how to develop this kind of team by following the Secure Methodology™, a seven-step process to help technical folks gain soft skills that can lead to an improved security posture. Learn all about it in my book, The Smartest Person in the Room.

3 Reasons Why Current Cybersecurity Measures Aren’t Working and How to Fix Them

Most organizations think they have a good approach to cybersecurity. They check all the boxes and hope for the best. However, cybersecurity is dynamic, with new threats always on the horizon, and the traditional cybersecurity measures most businesses use don’t keep up. They put too much emphasis on the technical element and too little on the human element. That’s where things are going awry.

The real reason cybersecurity measures are failing is because of a people problem. It’s the core foundation of my book, The Smartest Person in the Room. Correcting this path requires the initial acknowledgment that you must develop your people into more than just technical minds. They need soft skills to adapt to a changing environment that will enable them to be strong communicators and collaborators.

In this post, I’ll review the latest data on cybersecurity risk and explore how to pave a new path to a more secure and agile system.

The Latest Cybersecurity Data

Threats continue to mount on the cybersecurity front. Cybercriminals have become more sophisticated and advanced. As a result, your people become either the strongest or weakest link in your cybersecurity measures. Here are some of the latest data points on the rate of crimes and how companies are dealing with it (or not).

  • 95% of cyber breaches are the result of human error.
  • 68% of business leaders said their cybersecurity risk is increasing.
  • 42% of companies are suffering from cyber fatigue.
  • The breach breakdown for 2021 was 40% phishing attacks, 11% malware, and 22% hacking.
  • There were 1,862 reported data breaches in 2021, surpassing the previous record of 1,506 in 2017.
  • The average time to identify a breach was 212 days in 2021.
  • The average data breach cost in 2021 was $4.24 million, the highest ever.

From these statistics, it’s easy to see that cybersecurity is a challenge for any organization, regardless of its maturity. 2021 was a record year, and not in a good way. It’s also critical to look at the number on why these incidents occur: human error. On top of that, you have apathy circulating in cyber teams, which is just as dangerous as hackers.

So, how do you avoid becoming a statistic?

It’s Your People, Not Your Budget

Many companies continue to increase their cybersecurity budget. These investments can be critical to the long-term protection of data and networks. They, however, don’t usually correlate with the development of your people. If you raise your spending, you’ll be better at fighting cybercrime but may not have the best-prepared team to back you up.

The point is that unlimited spending doesn’t make you more secure. You can have the best technology and a full staff, but you’re still weak if your people don’t work well together or with the rest of the company. If your employees have rigid mindsets about cybersecurity measures and won’t deviate from them, that’s a significant issue.

You likely don’t think of your team as incompetent, and no one is saying they are. They may have substantial experience and technical aptitude. However, it doesn’t cover up the fact that the profession is in a precarious position right now. There are three main reasons your cybersecurity measures aren’t working.

First, you have the issue of recruitment and retention. The field is in desperate need of new talent. Unfortunately, your choices may be slim since it’s a candidate-driven job market. When you do look for more people, are you only concentrating on their technical experience and expertise? Are people skills even on the list?

Second, there is a large group of cybersecurity professionals that have to be the smartest person in the room. Technical folks often think they are the only ones who know the answer and fail to communicate and cooperate. They are punching holes in the ship and waiting for it to sink. They believe they alone will be able to rescue it.

Third, those entering the field may have credentials or degrees but aren’t ready to defend the company against cyber warfare. Again, it’s not that they don’t know the technical side of things. Most often, they aren’t prepared to work cohesively and amend their very narrow views. Further, most organizations aren’t doing anything to address this.

With all these people-related challenges to your cybersecurity measures, it’s time to pave that new path. As someone who has held many different roles in the industry, I know this shift is hard. You, as a leader, have to commit, and so do your employees. However, I’ve tried to make it easier with a solution I developed called the Secure Methodology. It’s a seven-step approach that focuses on people-skills development. When your team has both the technical and the people skills, your organization is in a better position to ward off cyber-attacks.

Let’s look at each step and how it relates to developing your people.

The Secure Methodology: How to Solve the People Problem in Cybersecurity

Each step in the Secure Methodology ties together, building on each other. Some steps take longer than others, but you can right your ship when you commit to them.

Step One: Awareness

Awareness includes self and others. First, people must understand what behaviors they can control and the impact of those behaviors. This can be difficult to comprehend for many technical people who often seem blissfully unaware. Getting in touch with your persona and how you affect the world is critical.

Second, to gain better soft skills and be collective problem-solvers, you must be aware of others. That requires communicating with them, asking questions, and avoiding making assumptions.

Step Two: Mindset

A fixed mindset is a big problem for cyber professionals. The objective is to move from fixed to growth. Many of your people will think they are already there because they can learn new technology, but we’re talking about being growth-minded in terms of soft skills.

At its core, a growth mindset welcomes the ability to change. Without this belief, people won’t grow. However, they also have to realize that change can be slow, but progress is progress, no matter how small.

Step Three: Acknowledgment

Acknowledgment also has multiple layers. First, technical folks need to have self-acknowledgment and believe in their capabilities. Second, leaders need to acknowledge the work of their people and what they’ve accomplished. When you do this, people are more open to you and to change. Third, you should continue to acknowledge them for all the adjustments they make in the journey to achieve a higher level of people skills.

Step Four: Communication

Communication is a part of every step and is often the most challenging for technical people. Communication includes word choice, the way you say it (tone), and body language. Communication is also about being active listeners.

Your cyber team may be very articulate and well-versed in technical speak, but that doesn’t make them good communicators. Honing these skills has such positive effects. Everyone can relate better, understand what’s important, work toward solutions together, and be more compassionate in how they talk to one another.

Step Five: Monotasking

Concentrated work is vital to cybersecurity. Its opposite — multitasking — is a risk factor. When people monotask, the quality of their work increases. The quantity may decrease, but scattered attention raises the risk of human error.

It’s hard to monotask with all the stimuli — emails, chats, phone calls, etc. So, your team can set a specific time to work on tasks and remove distractions to monotask effectively.

Step Six: Empathy

A lack of empathy is usually a lack of connection. Cyber professionals often can’t see past their own challenges. They have a self-centered view that doesn’t consider the plight of others. This type of thinking can lead to quick, inaccurate conclusions. As a result, it impacts communication and collaboration.

Empathy is about understanding someone else’s perspective. It’s not the same as sympathy. As a leader, you should embody empathy. That can help others transition their thinking, which often leads to better results and mitigated risk.

Step Seven: Kaizen

The last step is kaizen, a Japanese term for the philosophy of continuous improvement involving all employees. It’s about the progress people make every day; when they are on this path, they are more engaged and satisfied. When people come to this way of thinking, they are growing and contributing. However, it requires practice and a stable resolve. It’s also crucial to hold to this even when things are uncertain, which is often the case in cybersecurity and in life.

Improve Your Cybersecurity Measures With the Right Guidance

The seven steps are a kaizen of their own. Learning them and bringing them to your team is all about continuous improvement that includes all members. Some steps will be easier than others for some people. You’re there to go through them as well and stand by your employees who are willing to evolve!

You can learn more about each step, how to execute them, and the accompanying exercises in my book, The Smartest Person in the Room. Read it today to start the journey.