<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>cybersecurity Archives - Christian Espinosa</title>
	<atom:link href="https://christianespinosa.com/blog/tag/cybersecurity/feed/" rel="self" type="application/rss+xml" />
	<link>https://christianespinosa.com/blog/tag/cybersecurity/</link>
	<description>Bestselling Author &#124; Keynote Speaker &#124; Cybersecurity Expert</description>
	<lastBuildDate>Sun, 17 Sep 2023 19:23:35 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.6.1</generator>

<image>
	<url>https://christianespinosa.com/wp-content/uploads/2021/09/cropped-Christian-Espinosa-Blue-White-Logo-32x32.png</url>
	<title>cybersecurity Archives - Christian Espinosa</title>
	<link>https://christianespinosa.com/blog/tag/cybersecurity/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>How to Upskill Cybersecurity Job Candidates to Transform Them Into High-Performers and Excellent Communicators</title>
		<link>https://christianespinosa.com/blog/how-to-upskill-cybersecurity-job-candidates-to-transform-them-into-high-performers-and-excellent-communicators/</link>
					<comments>https://christianespinosa.com/blog/how-to-upskill-cybersecurity-job-candidates-to-transform-them-into-high-performers-and-excellent-communicators/#respond</comments>
		
		<dc:creator><![CDATA[Christian Espinosa]]></dc:creator>
		<pubDate>Sun, 17 Sep 2023 19:09:14 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Secure Methodology]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[cybersecurity skills gap]]></category>
		<category><![CDATA[secure methodology]]></category>
		<guid isPermaLink="false">https://christianespinosa.com/?p=2852</guid>

					<description><![CDATA[<p>The cybersecurity workforce landscape is at a serious threat level. Millions of jobs are unfilled, and most companies state they can’t find qualified cybersecurity job candidates. If we continue on this trajectory, risks will rise and jeopardize the data and networks of thousands of businesses. As an industry, we must change how we hire, recruit, [&#8230;]</p>
<p>The post <a href="https://christianespinosa.com/blog/how-to-upskill-cybersecurity-job-candidates-to-transform-them-into-high-performers-and-excellent-communicators/">How to Upskill Cybersecurity Job Candidates to Transform Them Into High-Performers and Excellent Communicators</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img fetchpriority="high" decoding="async" class="size-medium wp-image-2853 alignright" src="https://christianespinosa.com/wp-content/uploads/2023/09/campaign-creators-gMsnXqILjp4-unsplash-300x200.jpg" alt="cybersecurity training" width="300" height="200" srcset="https://christianespinosa.com/wp-content/uploads/2023/09/campaign-creators-gMsnXqILjp4-unsplash-300x200.jpg 300w, https://christianespinosa.com/wp-content/uploads/2023/09/campaign-creators-gMsnXqILjp4-unsplash-1024x683.jpg 1024w, https://christianespinosa.com/wp-content/uploads/2023/09/campaign-creators-gMsnXqILjp4-unsplash-768x512.jpg 768w, https://christianespinosa.com/wp-content/uploads/2023/09/campaign-creators-gMsnXqILjp4-unsplash-1536x1024.jpg 1536w, https://christianespinosa.com/wp-content/uploads/2023/09/campaign-creators-gMsnXqILjp4-unsplash-2048x1365.jpg 2048w, https://christianespinosa.com/wp-content/uploads/2023/09/campaign-creators-gMsnXqILjp4-unsplash-640x427.jpg 640w" sizes="(max-width: 300px) 100vw, 300px" />The cybersecurity workforce landscape is at a serious threat level. Millions of jobs are unfilled, and most companies state they can’t find qualified cybersecurity job candidates. If we continue on this trajectory, risks will rise and jeopardize the data and networks of thousands of businesses.</p>
<p>As an industry, we must change how we hire, recruit, and develop cybersecurity talent. <a href="https://christianespinosa.com/blog/cybersecurity-skills-based-hiring-why-tech-leaders-need-to-shift-their-idea-of-qualified/" target="_blank" rel="noopener">Expanding how you consider someone qualified</a> is a necessary step. Seeing the potential in someone who doesn’t necessarily check all the boxes is one way to address the shortage. For this to work long-term, upskilling must be a part of your employee development strategy.</p>
<p>This upskilling includes hard and soft skills because cyber job candidates need both to thrive. Let’s review the current cybersecurity workforce challenges, the facts about the skills gap, and how to upskill new hires.</p>
<h2>Cybersecurity Workforce Challenges</h2>
<p>Cybersecurity job growth is a bright spot in the tech industry, with many opportunities for someone to have a career that pays a good wage and is in demand. However, the field is currently experiencing significant shortages.</p>
<p>According to the <a href="https://www.isc2.org/-/media/ISC2/Research/2022-WorkForce-Study/ISC2-Cybersecurity-Workforce-Study.ashx" target="_blank" rel="noopener">(ISC)2 2022 Cybersecurity Workforce Study</a>, the global cybersecurity workforce grew to over 4.6 million, which is an 11.1% year-over-year increase. Unfortunately, 3.4 million jobs remain empty. As a result, many companies and cyber firms are operating without enough people, which can directly impact risk.</p>
<p>So, why is the industry struggling with recruitment and retention? It’s a complicated ecosystem, so there’s no easy answer. The cybersecurity workforce shortage is the result of several trends and occurrences, including:</p>
<ul>
<li>The cyber threat landscape is rapidly expanding, driving the demand for cyber professionals in all industries and businesses. In part, this is a supply and demand issue.</li>
<li>People leave the industry due to <a href="https://christianespinosa.com/blog/burnout-in-cybersecurity-can-you-prevent-it/" target="_blank" rel="noopener">burnout</a>. It’s a common problem in a high-stress environment, and most organizations aren’t doing enough to mitigate this. Without proper staffing, people have to do more work, which increases the feeling of burnout.</li>
<li>Younger generations aren’t choosing cybersecurity as a career. Only <a href="https://www.isaca.org/state-of-cybersecurity-2022" target="_blank" rel="noopener">12% of the cybersecurity workforce is 34 or younger</a>. The industry needs to find ways to connect with students to attract new people into the field.</li>
<li>Many organizations place too much emphasis on degrees and certifications, which often don’t correlate to having the right abilities, aptitudes, and attitudes. As a result, companies reject those who could be a better fit but need some upskilling.</li>
</ul>
<p>If the industry remains on this path, the shortages will only worsen. Intervention is necessary for the entire community. To keep your data and networks protected, you can refocus on <a href="https://christianespinosa.com/blog/cybersecurity-skills-based-hiring-why-tech-leaders-need-to-shift-their-idea-of-qualified/" target="_blank" rel="noopener">skills-based hiring</a>.</p>
<h2>The Cybersecurity Skills Gap</h2>
<p>We can’t talk about the labor shortage without addressing the <a href="https://christianespinosa.com/blog/is-the-cybersecurity-skills-gap-fact-or-fiction-it-depends-on-the-skills/" target="_blank" rel="noopener">cybersecurity skills gap</a>. It would be great if every cybersecurity job candidate had years of experience and an array of skills. However, cyber leaders agree that a skills gap exists. According to the same workforce study cited above, 55% of hiring managers say applicants don’t meet the criteria of being qualified. The deficit here includes:</p>
<ul>
<li>Hands-on training and experience</li>
<li>Credentials</li>
<li>Degrees</li>
<li>Recommendations</li>
</ul>
<p>These things don’t always indicate that the person can do the job. The same study also looked at specific skills with gaps, which are the ones that matter in terms of upskilling. The skills in demand and often lacking are:</p>
<ul>
<li>Soft skills (e.g., communication, leadership, adaptability)</li>
<li>Cloud computing</li>
<li>Security controls (e.g., network, application, endpoint, implementation)</li>
<li>Coding skills</li>
<li>Software development-related topics (e.g., machine code, testing, languages, deployment)</li>
<li>Data-related topics (e.g., characteristics, collection, classification, processing, structure)</li>
<li>Network-related topics (e.g., architecture, networking components)</li>
<li>Pattern analysis</li>
<li>System hardening</li>
<li>Computing devices (e.g., software, hardware, file systems)</li>
</ul>
<p>It’s a mix of soft and hard skills, but the former was at the top of the list. It’s possible to develop both of these in an individual who has the desire to learn and evolve. Those abilities aren’t always apparent in technical folks. However, if they are willing and have a good foundation to start from, upskilling can be the key to keeping great people long-term and continuously improving.</p>
<p>So, what’s the upskilling plan?</p>
<h2>Building an Upskilling Plan for Cybersecurity Job Candidates</h2>
<p>The first part of the plan should start with a clean slate of qualifications. Define what is imperative and what someone can learn over time. Get to the root of what makes someone a good cyber professional and what attributes they should possess.</p>
<p>In upskilling, you’ll have two paths — technical and soft skill development.</p>
<h3>Addressing Technical Upskilling</h3>
<p>In looking back at the list of skills above, those in the technical category are pretty standard. That’s a good starting point, but you should also consider the future and add training around AI tools and use cases. The curriculum will evolve as the threat landscape does.</p>
<p>How will they learn these skills? You need to create a learning environment for employees. This can include hands-on training internally, certification classes that you determine as high-quality, and other resources. Making continuing skill development part of your recruitment and retention strategy can attract people to your company and ensure you keep high-performers.</p>
<p>The other part of this is soft skills, and the plan to develop these in technical folks can be more demanding and challenging.</p>
<h3>Improving Soft Skills in Cybersecurity</h3>
<p>Soft skill development is a path that requires commitment and consistency. It’s about behavior change, and there can be many growing pains. First and foremost, you want to find cybersecurity job candidates who are open to this. Sometimes that might not be obvious until you have a few conversations and try to understand what motivates them and if they can handle flexibility.</p>
<p>Transforming anyone into a better communicator and collaborator isn’t easy. With technical folks, it can be harder, as they often have fixed mindsets, see things as black-and-white, and believe they know all the answers. These people could have impressive technical prowess, but these attitudes won’t fit into a healthy culture where everyone is open and transparent. Are they lost causes? No, but again, they must want to change.</p>
<p>You can drive this change with guidance from the Secure Methodology™. It’s a seven-step process that I developed because of the soft skill deficiency and in recognition of the value of soft skills in creating and maintaining a strong cybersecurity posture.</p>
<h2>The Secure Methodology: The Framework for Soft Upskilling</h2>
<p>Here’s a preview of each step and how you can leverage it to improve the soft skills of technical people:</p>
<h3>Awareness</h3>
<p>The guide starts with <a href="https://christianespinosa.com/blog/the-secure-methodology-step-one-awareness/" target="_blank" rel="noopener">awareness</a>, with the objective of being mindful of the self and others. When this is missing, people don’t see or understand how their behavior affects others. If this is rampant in a culture, conflict and resentment build. With exercises on reflection and perspective, people can get to a state of awareness that improves how they interact with others.</p>
<h3>Mindset</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-two-mindset/" target="_blank" rel="noopener">Mindset</a> is crucial in soft skills, and every person on your team needs an open one. A person cannot change without it. Key to this is defining someone’s motivations and why they respond as they do. In this step, the <a href="https://christianespinosa.com/blog/finding-your-purpose-in-life-understanding-the-7-levels-deep-exercise/" target="_blank" rel="noopener">7 Levels Deep Exercise</a> is a good foundation.</p>
<h3>Acknowledgment</h3>
<p>The third step is <a href="https://christianespinosa.com/blog/the-secure-methodology-step-three-acknowledgment/" target="_blank" rel="noopener">acknowledgment</a>. There are several layers to this step. First, it encompasses feedback and its value to cyber professionals. Your staff wants to hear from you about accomplishments and how they are helping the organization. Not all feedback will be positive, and accountability matters, but you should do this in one-on-one conversations. Ensuring that your team feels appreciated and valued will prompt them to adapt with less friction.</p>
<p>Second is acknowledging that cybersecurity is difficult and filled with uncertainty. You set the tone of the culture, and if you do this well, your team will follow, enhancing their people skills.</p>
<h3>Communication</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-four-communication/" target="_blank" rel="noopener">Communication</a> is the fourth step and the most essential soft skill for anyone. It’s never a bad investment to develop someone’s communication skills. Just be clear on what this means. Being a good communicator and being articulate aren’t the same thing. Yes, what we say matters, but most communication isn’t verbal.</p>
<p>An excellent communicator is clear, concise, and transparent. They also recognize the needs of the audience and listen to them fully. Assessing candidates based on communication skills can involve prompting them to share real-life stories about how they used it to overcome challenges.</p>
<p>Listen for their use of geek speak or overly technical terms. This could be a red flag if they aren’t willing to drop the posturing.</p>
<h3>Monotasking</h3>
<p>Next is <a href="https://christianespinosa.com/blog/the-secure-methodology-step-five-monotasking/" target="_blank" rel="noopener">monotasking</a>; it’s a soft skill you don’t hear much about. Most technical people have been doing the opposite — multitasking. Many believe this is a valuable trait. It is important to be able to juggle priorities, but blocking off specific time to concentrate on one task can make people more productive and eliminate feelings of being in fight-or-flight mode all the time. They will need to act quickly at times and move around priorities, but encouraging monotasking lets people think more critically and problem-solve more effectively.</p>
<h3>Empathy</h3>
<p>In the Secure Methodology, <a href="https://christianespinosa.com/blog/the-secure-methodology-step-six-empathy/" target="_blank" rel="noopener">cognitive empathy</a> is the sixth step. This type of empathy is the ability to understand another’s feelings and perspectives. It’s crucial to a person’s ability to be a great communicator and collaborator. Much of this relates to stripping down egos and dynamics of “me vs. them.” You can’t have a successful cybersecurity strategy and team without empathy.</p>
<p>Human connection is vital in cybersecurity, and in this phase, you support people to become more empathetic.</p>
<h3>Kaizen</h3>
<p>The last step is kaizen. It’s a Japanese term meaning “continuous improvement.” It’s the step that never ends and focuses on adaptability and flexibility. When you reach this phase, your staff should be in a state where they want to continue to develop their soft skills and transfer them to others.</p>
<h2>Upskill Cybersecurity Job Candidates with the Secure Methodology</h2>
<p>The Secure Methodology provides a framework and tools to transform candidates lacking skills. It’s a proven way to change behavior, with benefits for the person and the organization.</p>
<p>Get more insights on each step by reading my book, <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener"><em>The Smartest Person in the Room</em></a>. You can also explore how to apply it in the <a href="https://programs.christianespinosa.com/the-secure-methodology" target="_blank" rel="noopener">Secure Methodology course</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://christianespinosa.com/blog/how-to-upskill-cybersecurity-job-candidates-to-transform-them-into-high-performers-and-excellent-communicators/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>How to Build a Cybersecurity Team from Scratch Using the Secure Methodology™</title>
		<link>https://christianespinosa.com/blog/how-to-build-a-cybersecurity-team-from-scratch-using-the-secure-methodology/</link>
					<comments>https://christianespinosa.com/blog/how-to-build-a-cybersecurity-team-from-scratch-using-the-secure-methodology/#respond</comments>
		
		<dc:creator><![CDATA[Christian Espinosa]]></dc:creator>
		<pubDate>Sun, 17 Sep 2023 19:03:36 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Secure Methodology]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[leadership]]></category>
		<category><![CDATA[secure methodology]]></category>
		<guid isPermaLink="false">https://christianespinosa.com/?p=2850</guid>

					<description><![CDATA[<p>Building a cybersecurity team comes with many challenges. So many factors are impacting the ability to do this effectively and efficiently. The cybersecurity workforce shortage means more competition for talent, but you can’t be confident all those vying for positions have the hard and soft skills to succeed and thrive. On top of all this, the threat [&#8230;]</p>
<p>The post <a href="https://christianespinosa.com/blog/how-to-build-a-cybersecurity-team-from-scratch-using-the-secure-methodology/">How to Build a Cybersecurity Team from Scratch Using the Secure Methodology™</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img decoding="async" class="size-medium wp-image-2851 alignright" src="https://christianespinosa.com/wp-content/uploads/2023/09/annie-spratt-QckxruozjRg-unsplash-300x200.jpg" alt="cybersecurity team" width="300" height="200" srcset="https://christianespinosa.com/wp-content/uploads/2023/09/annie-spratt-QckxruozjRg-unsplash-300x200.jpg 300w, https://christianespinosa.com/wp-content/uploads/2023/09/annie-spratt-QckxruozjRg-unsplash-1024x683.jpg 1024w, https://christianespinosa.com/wp-content/uploads/2023/09/annie-spratt-QckxruozjRg-unsplash-768x512.jpg 768w, https://christianespinosa.com/wp-content/uploads/2023/09/annie-spratt-QckxruozjRg-unsplash-1536x1025.jpg 1536w, https://christianespinosa.com/wp-content/uploads/2023/09/annie-spratt-QckxruozjRg-unsplash-640x427.jpg 640w" sizes="(max-width: 300px) 100vw, 300px" />Building a cybersecurity team comes with many challenges. So many factors are impacting the ability to do this effectively and efficiently. The <a href="https://christianespinosa.com/blog/diagnosing-the-root-causes-of-the-cyber-workforce-shortage/" target="_blank" rel="noopener">cybersecurity workforce shortage</a> means more competition for talent, but you can’t be confident all those vying for positions have the hard and soft skills to succeed and thrive. On top of all this, the threat landscape keeps expanding as cybercriminals develop new tools and strategies to exploit weaknesses.</p>
<p>So, what can you do as a cybersecurity leader? As someone who’s been in the position, I have some insights to share on how to accomplish this. Keep reading for strategies, tips, and info about the Secure Methodology as a framework for constructing a cybersecurity team.</p>
<h2>Steps to Take to Build a Sustainable Cybersecurity Team</h2>
<p>Where should you start on this journey? Should you jump right into recruiting and hiring? I would urge you to first develop a strategy, define the tools you need, and create some principles for the culture you hope to cultivate.</p>
<p>To do this, follow these steps:</p>
<h3>Acknowledge that cybersecurity is a people problem and let that guide your strategy.</h3>
<p>It’s easy to blame the breaches and attacks in the cyber world on technology. Without it, there wouldn’t be an issue, but categorizing it only this way is a fallacy. Behind every attack is a person. Every defense also has human intelligence executing it, and most causes of cyber incidents relate to errors, mistakes, or intentions of someone.</p>
<p>It’s very much a people problem, and that fundamental principle should guide your team-building strategy. Yes, there are lots of great cyber tools out there that are leveraging AI and enabling automation. You need those, but the people charged with managing them need knowledge and skills to do so. Those skills must include soft ones, as the human issue in cybersecurity won’t find a resolution with staff that cannot communicate or collaborate.</p>
<p>There is a current soft skills gap in every industry, including cybersecurity. The people who are a good fit for your roles may not possess these. If they are curious to learn and motivated to evolve, they can be great additions to your team.</p>
<h3>Ensure the bad guys are cybercriminals, not internal.</h3>
<p>Another element of creating a cybersecurity team is to eliminate the “us vs. them” mentality that often happens between technical and business folks. You’re all on the same side, but much of that can get lost in translation. The business side may not take cybersecurity as seriously as they should, frustrating cyber professionals. There’s animosity on your side, too, as your team may resent others, especially when they have questions and challenges.</p>
<p>It&#8217;s critical to put the target back on the real enemy’s head. There must be balance and cooperation between business and technical groups. You don’t want to bring someone on who fails to understand the perspective of others. Employees like this will degrade the trust and credibility of your team and do anything to avoid being wrong. You can spot this in how they respond to queries about collaborating and if they do a lot of posturing.</p>
<h3>Look for a wide range of skills.</h3>
<p>You have to define the requirements you want in your team, which should include various abilities and aptitudes. In doing so, you have to <a href="https://christianespinosa.com/blog/cybersecurity-skills-based-hiring-why-tech-leaders-need-to-shift-their-idea-of-qualified/" target="_blank" rel="noopener">shift your definition of qualified</a>. The majority of cyber leaders believe applicants don’t have the right qualifications, according to the <a href="https://www.isaca.org/state-of-cybersecurity-2022" target="_blank" rel="noopener">State of Cybersecurity 2022 report.</a> What they say people lack includes hands-on experience and training along with credentials and degrees.</p>
<p>The hands-on part makes sense because you want people to have real-world interactions. One cannot get this without opportunity. It’s especially true for younger generations, who we need to join the field. These people could be bright and eager to learn, making them excellent hires.</p>
<p>Credentials and degrees can demonstrate skill sets but not always. Often, people look great on paper because of these achievements but lack the knowledge to apply what they learned in classes. The learning may also be insufficient, especially for courses that validate aptitude based on multiple-choice tests. You can only be confident in one thing for those passing these — they can memorize answers. Beware of these “<a href="https://christianespinosa.com/blog/cybersecurity-paper-tigers-are-killing-us/" target="_blank" rel="noopener">paper tigers</a>.”</p>
<p>Instead, use skills-based hiring models. This approach focuses on a candidate with specific competencies that directly relate to the work. It involves soft and hard skills.</p>
<h3>Develop your recruitment strategy on skills-based hiring.</h3>
<p>Building a strong, multi-dimensional team requires a mix of people. Not everyone has to be strong in everything. You can create a staff who can learn from each other and you.</p>
<p>With skills-based hiring, you can:</p>
<ul>
<li>Identify people with abundant soft skills and a desire to improve their technical skills.</li>
<li>Find candidates who have familiarity in all areas of cybersecurity but don’t have real-world experience yet and develop them.</li>
<li>Attract people newly entering the workforce and those starting over, which can help you build that right mix.</li>
<li>Assess people holistically instead of only looking at their technical aptitude.</li>
<li>Reduce barriers for people getting a shot at a cyber career who didn’t attend college.</li>
</ul>
<p>Putting together a team of cyber professionals in this manner can lead to a strong and healthy culture. It can also decrease risk and ensure that <a href="https://christianespinosa.com/blog/why-cybersecurity-deserves-a-seat-at-the-leadership-table/" target="_blank" rel="noopener">cybersecurity has a seat at the table</a> to influence business decisions. You simply won’t be able to do that if you hire with bias found in the old ideals of “qualified.”</p>
<p>All these ideas and opportunities align directly with the Secure Methodology, which is a seven-step process of transforming people with purely technical and closed mindsets into great communicators and partners.</p>
<h2>The Secure Methodology and Building Your Cybersecurity Team</h2>
<p>The Secure Methodology is the foundation for creating and maintaining a team that thrives and is adaptable. I based it on my own experiences and observations of what was going wrong in cybersecurity, which is a people problem.</p>
<p>Here’s a glimpse of each step and how it can support your hiring strategy:</p>
<h3>Awareness</h3>
<p>The process kicks off with <a href="https://christianespinosa.com/blog/the-secure-methodology-step-one-awareness/" target="_blank" rel="noopener">awareness</a>. It pertains to both self and others. Without it, people don’t understand the impact of their behavior on relationships and communication. It’s about opening up people’s blind spots.</p>
<p>Will every candidate already have awareness? And how do you evaluate this? Most people lack awareness to some extent, so it often requires development. You can assess someone’s state of awareness or willingness to get there by asking them to reflect and tell you about a challenging time and how they handled their interactions with others.</p>
<h3>Mindset</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-two-mindset/" target="_blank" rel="noopener">Mindset</a> is critical for anyone’s ability to grow and evolve. Those with a fixed mindset will resist any type of change. It’s a problem for technical people because they desire absolutes, but cybersecurity is a dynamic and volatile field! It’s kind of a paradox, so be observant of how people communicate about themselves and their experiences. This can give you a good idea of how open their mindset is and if they’ll be a good fit for your team.</p>
<h3>Acknowledgment</h3>
<p>Next is <a href="https://christianespinosa.com/blog/the-secure-methodology-step-three-acknowledgment/" target="_blank" rel="noopener">acknowledgment</a>, which you’ll want to make a pillar of your culture. Technical employees crave feedback and understanding of their place in the business. Of course, they must also be receptive to it because it won’t always be positive. You also want to know if someone can acknowledge the work and contributions of others within the group or outside of it.</p>
<h3>Communication</h3>
<p>The fourth step is <a href="https://christianespinosa.com/blog/the-secure-methodology-step-four-communication/" target="_blank" rel="noopener">communication</a>, and it’s the most important concept when creating a team. We can’t do anything well without honest, transparent, and consistent communication.</p>
<p>Being a good communicator doesn’t just mean being articulate. In the world of cybersecurity, your team must be clear about what they need, the challenges they face, and what’s really happening in the threat landscape. They also have to be active listeners to be good collaborators.</p>
<p>You can likely assess someone’s communication skills within the context of your conversations. Look for those who can clearly express big ideas and don’t use geek speak. If they show signs of this and seem to be listening to you, it’s a good sign, and you can continue to help them master this skill.</p>
<h3>Monotasking</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-five-monotasking/" target="_blank" rel="noopener">Monotasking</a> is the fifth step, and it means concentrating on one task or project at a time without disruptions. It’s hard to find anyone who monotasks much in the workforce, where we seem always to be doing five things at once.</p>
<p>You can talk about monotasking in interviews to see someone’s reaction to it. Do they think it’s bad for productivity or impossible? Emphasize that you believe it to be a critical component of the workday because it enables critical thinking and problem solving, which are two huge assets in cybersecurity.</p>
<h3>Empathy</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-six-empathy/" target="_blank" rel="noopener">Empathy</a> is the sixth step, and in this connotation, it means the ability to understand someone’s perspective and feelings. It’s one of the hardest things for anyone to build, and yes, we must learn it. We are not innately empathetic. Achieving this can help with stress, burnout, and frustration toward others.</p>
<p>In speaking with prospective hires, ask them about a time when empathy would have been a good response to a problem. The answers they give can reveal a lot about their inner workings.</p>
<h3>Kaizen</h3>
<p>The last step is Kaizen. It’s a Japanese term that means “change for the better.” It never ends because continuous improvement is forever. When hiring, you want to put people on your team who believe in this approach to work.</p>
<p>Ready to learn more about the Secure Methodology? Start by reading <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener"><em>The Smartest Person in the Room</em></a> and explore the <a href="https://programs.christianespinosa.com/the-secure-methodology" target="_blank" rel="noopener">Secure Methodology course</a>.</p>
<p>The post <a href="https://christianespinosa.com/blog/how-to-build-a-cybersecurity-team-from-scratch-using-the-secure-methodology/">How to Build a Cybersecurity Team from Scratch Using the Secure Methodology™</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://christianespinosa.com/blog/how-to-build-a-cybersecurity-team-from-scratch-using-the-secure-methodology/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Does Your Cyber Team Truly Understand Your Threat Landscape?</title>
		<link>https://christianespinosa.com/blog/does-your-cyber-team-truly-understand-your-threat-landscape/</link>
					<comments>https://christianespinosa.com/blog/does-your-cyber-team-truly-understand-your-threat-landscape/#respond</comments>
		
		<dc:creator><![CDATA[Christian Espinosa]]></dc:creator>
		<pubDate>Mon, 17 Jul 2023 01:10:07 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Secure Methodology]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[threat landscape]]></category>
		<guid isPermaLink="false">https://christianespinosa.com/?p=2832</guid>

					<description><![CDATA[<p>Cyber professionals often lack the full knowledge of the threat landscape because of their own fears, lack of perspective, and hubris. As a result of these blind spots, poor decision-making and more risk become a problem. This internal misalignment and struggle put your cybersecurity strategy and resilience in jeopardy. The problem isn’t usually that they [&#8230;]</p>
<p>The post <a href="https://christianespinosa.com/blog/does-your-cyber-team-truly-understand-your-threat-landscape/">Does Your Cyber Team Truly Understand Your Threat Landscape?</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img decoding="async" class="size-medium wp-image-2833 alignright" src="https://christianespinosa.com/wp-content/uploads/2023/07/irham-setyaki-QGDsM8qwkEA-unsplash-scaled-e1689556162495-300x247.jpg" alt="cybersecurity threat landscape" width="300" height="247" srcset="https://christianespinosa.com/wp-content/uploads/2023/07/irham-setyaki-QGDsM8qwkEA-unsplash-scaled-e1689556162495-300x247.jpg 300w, https://christianespinosa.com/wp-content/uploads/2023/07/irham-setyaki-QGDsM8qwkEA-unsplash-scaled-e1689556162495-1024x843.jpg 1024w, https://christianespinosa.com/wp-content/uploads/2023/07/irham-setyaki-QGDsM8qwkEA-unsplash-scaled-e1689556162495-768x632.jpg 768w, https://christianespinosa.com/wp-content/uploads/2023/07/irham-setyaki-QGDsM8qwkEA-unsplash-scaled-e1689556162495-1536x1265.jpg 1536w, https://christianespinosa.com/wp-content/uploads/2023/07/irham-setyaki-QGDsM8qwkEA-unsplash-scaled-e1689556162495-640x527.jpg 640w, https://christianespinosa.com/wp-content/uploads/2023/07/irham-setyaki-QGDsM8qwkEA-unsplash-scaled-e1689556162495.jpg 1779w" sizes="(max-width: 300px) 100vw, 300px" />Cyber professionals often lack the full knowledge of the threat landscape because of their own fears, lack of perspective, and hubris. As a result of these blind spots, poor decision-making and more risk become a problem. This internal misalignment and struggle put your cybersecurity strategy and resilience in jeopardy.</p>
<p>The problem isn’t usually that they don’t have robust technical skills and aptitude regarding threats. It’s much more than that. To ensure your team understands the threat landscape, they must be more aware. Achieving this requires a commitment to change and adapt, which may seem like a goal that’s impossible to reach. However, there are ways to develop soft skills in cyber professionals with the Secure Methodology™.</p>
<p>In this post, we’ll discuss the current state of threat landscapes, the challenges that cyber teams face, and how the <a href="https://christianespinosa.com/blog/the-secure-methodology-and-cybersecurity-leadership/" target="_blank" rel="noopener">Secure Methodology</a> can help evolve technical folks.</p>
<h2>The State of Threat Landscapes</h2>
<p>The threat landscape describes the complete ecosystem of cyber threats, both potential and known, for an organization. It’s a volatile, ever-changing environment, which means those in charge of cybersecurity must be adaptable and agile. There’s a lot of uncertainty, which can be difficult for technical professionals who crave certainty. This clash of mindsets is a hurdle you must overcome to succeed.</p>
<p>Additionally, some major trends are shifting and changing the threat landscape.</p>
<h3>Cybercrime-as-a-Service Expands the Threat Landscape</h3>
<p>A big trend in cybersecurity is the cybercrime marketplace, where hacking is now a managed service. Because of this trend, cybercriminals no longer have to be technical experts. It’s now a billion-dollar business, and the barrier to entry for hacking just got lower.</p>
<p>The threat landscape is now much larger, with hackers for hire driving malware attacks, ransomware, more phishing emails, and cyber extortion schemes.</p>
<p>You may be surprised to know that cybercrime-as-a-service is very sophisticated. It delivers templates that are usable for content encryption, inspection blocking, and hidden URLs in attachments. So, the threats aren’t different; they are just more voluminous.</p>
<p>Cybercrime-as-a-service is a challenging concept to combat, and it requires technical people to look beyond the black-and-white of the cyber war. To defend against the increasing number of attacks, cyber professionals have to communicate with many parties effectively, understand the hacker perspective, adapt their mindsets, and be better collaborators.</p>
<h3>AI Complicates the Threat Landscape</h3>
<p>There is a good and bad side to <a href="https://christianespinosa.com/blog/will-ai-and-machine-learning-help-or-hurt-cybersecurity/" target="_blank" rel="noopener">AI in cybersecurity</a>. It can be a valuable tool in identifying threats and responding to them. It enables automation around monitoring to augment human intelligence. Its capabilities as a mechanism to thwart attacks include:</p>
<ul>
<li>Detecting fraud and anomalies</li>
<li>Filtering spam emails to reduce phishing attacks ending up in inboxes</li>
<li>Identifying botnets</li>
<li>Managing vulnerabilities</li>
<li>Allowing for better usage of anti-malware</li>
<li>Preventing data leaks</li>
<li>Boosting data automation and intelligence gathering</li>
</ul>
<p>There’s also the downside, as hackers can apply the technology to expand the threat landscape. They can use it to gather data to better profile victims for social engineering. It’s also a means to launch <a href="https://christianespinosa.com/blog/ransomware-should-you-pay/" target="_blank" rel="noopener">ransomware</a> attacks, which are becoming increasingly prolific. In fact, <a href="https://www.cyberark.com/threat-landscape/" target="_blank" rel="noopener">89% of organizations</a> reported they were a target of ransomware in 2022. Hackers can use it to develop realistic phishing scams, create deep fakes for voice phishing, hide malware, and break passwords and CAPTCHAs.</p>
<p>Understanding the two sides of AI’s capabilities is critical for your cyber team to understand the entire threat landscape and what’s possible. Again, it will require some mindset shifts for them to include innovations in cyberattacks.</p>
<h3>Identity Risk Becomes Even More Urgent</h3>
<p>According to the <a href="https://www.cyberark.com/threat-landscape/" target="_blank" rel="noopener">2023 Identity Security Threat Landscape Report</a>, credential compromise was the top area of risk for respondents. Several factors are influencing this risk growth. Access for employees can have loopholes and not be adequately secured, something 63% of organizations said was the case.</p>
<p>Strategies to combat this beyond the foundational aspects of IAM (identity and access management) involve moving to a <a href="https://christianespinosa.com/blog/what-is-zero-trust-architecture-and-why-should-your-organization-shift-to-it/" target="_blank" rel="noopener">zero trust architecture</a>. It’s the strategic approach of mitigating identity risk by eliminating implicit trust and transitioning to continuous validation. Applying this framework to this risk area will be a change for cyber professionals, but it gets them back to the core questions of: what are you trying to protect, and from whom? It simplifies a complicated landscape and can assist technical folks in evolving their perspectives and mindsets.</p>
<p>Next, let’s look at more challenges your cyber team may face regarding awareness of the threat landscape.</p>
<h2>Why Are Technical Folks Blind to Many Areas of Threat?</h2>
<p>As noted earlier, the blind spots often have little to do with technological knowledge. However, it can still be a problem. It’s a consequence of the paper tiger syndrome in cybersecurity. <a href="https://christianespinosa.com/blog/cybersecurity-paper-tigers-are-killing-us/" target="_blank" rel="noopener">Paper tigers</a> are people who appear very qualified on paper with lists of certifications. In reality, they don’t often have strong skill sets and are really just good at memorizing information for a multiple-choice quiz.</p>
<p>Most of the disconnect has to do with failings in soft skills. While many technical folks do a great job in communicating and collaborating, it’s also a gap for many. Here’s why it’s a problem:</p>
<ul>
<li>Cyber professionals tend to think in black and white. Yet, most everything is gray. They have a fixed mindset that there is one correct answer and approach to threats without opening their minds to the changing landscape. It causes them to lose perspective on how hackers are planning attacks. It goes back to the idea of technical people being most comfortable with certainty, and they’ll need to shift to accepting the uncertainty.</li>
<li>Cyber professionals can have fears and insecurities about their abilities and don’t want that to be apparent to anyone. They have a misconception in their thinking that not knowing the answer is a sign of weakness. Except, the threat landscape is something no one could possibly know every corner of. To avoid this discomfort, they’ll posture in how they speak and be unable to listen to others.</li>
<li>Communication can be difficult for your team. They rely a lot on jargon and geek speak, which is alienating and condescending. Communication is the most critical skill your team needs, and its ongoing development is crucial to better understanding the threat landscape.</li>
<li>Communication isn’t easy for them, especially if they posture and use jargon. When they do, they alienate others quickly and live up to their reputation. <a href="https://christianespinosa.com/blog/why-communication-aptitude-is-the-number-one-soft-skill-cybersecurity-professionals-must-possess/" target="_blank" rel="noopener">Communication</a> is the single most crucial skill a cyber professional can possess.</li>
<li>Technical people also often lack awareness of themselves and others. Many don’t even realize this, and it clouds their perspective regarding where threats are and how they’re changing. They may also be unable to comprehend the business side of things and how the threat landscape correlates to this. They believe themselves to be outsiders when they need to be collaborators.</li>
</ul>
<p>All these things make managing the threat landscape a challenging journey for cyber leaders. You can find some support for developing the people skills of your team with the Secure Methodology.</p>
<h2>Using the Secure Methodology to Address Threat Landscape Gaps</h2>
<p>For your team to be in the best position to defend against threats, they need to work on their people skills. The Secure Methodology is a seven-step process for doing this. Here’s a preview of each step and how it can help address threat landscape gaps:</p>
<ul>
<li><a href="https://christianespinosa.com/blog/the-secure-methodology-step-one-awareness/" target="_blank" rel="noopener">Awareness</a>: Being aware of themselves and others is the first phase of the framework. It’s about opening them up to new perspectives — those of their peers, the business, and even hackers. Coaching and understanding motivations are key to turning the light on in technical folks.</li>
<li><a href="https://christianespinosa.com/blog/the-secure-methodology-step-two-mindset/" target="_blank" rel="noopener">Mindset</a>: From awareness, you move to mindset. The idea is to move from a fixed one to a growth one. Cyber professionals have to free themselves from black-and-white thinking and embrace the gray. Reflection and accountability are essential in this step.</li>
<li><a href="https://christianespinosa.com/blog/the-secure-methodology-step-three-acknowledgment/" target="_blank" rel="noopener">Acknowledgment</a>: In this step, you play a big role. Being able to acknowledge team members for their efforts and work creates a more positive culture instead of one of blame. Positive reinforcement builds trust and rapport, which your team needs to be effective against threats.</li>
<li><a href="https://christianespinosa.com/blog/the-secure-methodology-step-four-communication/" target="_blank" rel="noopener">Communication</a>: Having these skills is essential in every part of a cyber professional’s job. When it’s absent or poor, risk and threats increase. Developing communication aptitude involves simplifying language, losing the geek speak, and learning how to listen.</li>
<li><a href="https://christianespinosa.com/blog/the-secure-methodology-step-five-monotasking/" target="_blank" rel="noopener">Monotasking</a>: Most people think multitasking is the key to productivity. It’s actually a concept that can lead to errors and mistakes. Encouraging your team to focus on one task at a time blocks out distractions and allows them to think deeper about threats.</li>
<li><a href="https://christianespinosa.com/blog/the-secure-methodology-step-six-empathy/" target="_blank" rel="noopener">Empathy</a>: In this step, you want to help people be able to put themselves in the shoes of others. It builds on what they learn in awareness, mindset, and communication. A technical professional who has empathy translates to an excellent collaborator.</li>
<li>Kaizen: This is a Japanese term that translates to “continuous improvement.” By using this approach, you align with cybersecurity fundamentals to constantly improve defenses and strategies. It’s a continuous state of evolving and adapting, just like the threat landscape.</li>
</ul>
<p>With these seven steps, you can build a team that’s more in tune with the threats of today and tomorrow. Learn more about how to apply it to your organization by <a href="https://programs.christianespinosa.com/the-secure-methodology" target="_blank" rel="noopener">checking out the Secure Methodology course.</a></p>
<p>The post <a href="https://christianespinosa.com/blog/does-your-cyber-team-truly-understand-your-threat-landscape/">Does Your Cyber Team Truly Understand Your Threat Landscape?</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://christianespinosa.com/blog/does-your-cyber-team-truly-understand-your-threat-landscape/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Is Your Cybersecurity Budget Limited? How to Do More with Less</title>
		<link>https://christianespinosa.com/blog/is-your-cybersecurity-budget-limited-how-to-do-more-with-less/</link>
					<comments>https://christianespinosa.com/blog/is-your-cybersecurity-budget-limited-how-to-do-more-with-less/#respond</comments>
		
		<dc:creator><![CDATA[Christian Espinosa]]></dc:creator>
		<pubDate>Mon, 17 Jul 2023 01:00:14 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Secure Methodology]]></category>
		<category><![CDATA[budget]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<guid isPermaLink="false">https://christianespinosa.com/?p=2830</guid>

					<description><![CDATA[<p>Having to do more with less is a common quandary for any industry or department. When cuts have to be made, companies look for any opportunities, and sometimes limited funding can significantly impact operations and performance. Cybersecurity budgets are not immune from this. Even though organizations understand the gravity of investing in cybersecurity, they often [&#8230;]</p>
<p>The post <a href="https://christianespinosa.com/blog/is-your-cybersecurity-budget-limited-how-to-do-more-with-less/">Is Your Cybersecurity Budget Limited? How to Do More with Less</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="size-medium wp-image-2831 alignright" src="https://christianespinosa.com/wp-content/uploads/2023/07/etienne-girardet-fti002hQCCA-unsplash-300x225.jpg" alt="Cybersecurity - more with less" width="300" height="225" srcset="https://christianespinosa.com/wp-content/uploads/2023/07/etienne-girardet-fti002hQCCA-unsplash-300x225.jpg 300w, https://christianespinosa.com/wp-content/uploads/2023/07/etienne-girardet-fti002hQCCA-unsplash-1024x768.jpg 1024w, https://christianespinosa.com/wp-content/uploads/2023/07/etienne-girardet-fti002hQCCA-unsplash-768x576.jpg 768w, https://christianespinosa.com/wp-content/uploads/2023/07/etienne-girardet-fti002hQCCA-unsplash-1536x1152.jpg 1536w, https://christianespinosa.com/wp-content/uploads/2023/07/etienne-girardet-fti002hQCCA-unsplash-2048x1536.jpg 2048w, https://christianespinosa.com/wp-content/uploads/2023/07/etienne-girardet-fti002hQCCA-unsplash-640x480.jpg 640w" sizes="(max-width: 300px) 100vw, 300px" />Having to do more with less is a common quandary for any industry or department. When cuts have to be made, companies look for any opportunities, and sometimes limited funding can significantly impact operations and performance. Cybersecurity budgets are not immune from this. Even though organizations understand the gravity of investing in cybersecurity, they often have no choice but to curb spending.</p>
<p>As a result, you may not have the resources to hire more team members, adopt new tools, or complete major projects like migrations. It’s not a comfortable place for any cybersecurity leaders, but it’s also not something that has to paralyze your strategies and development of employees.</p>
<p>Let’s look at the state of cybersecurity budgets and how changes in the way you manage your team can help you do more with less.</p>
<h2>The State of Cybersecurity Budgets</h2>
<p>Overall, Gartner predicts that spending on security will increase by <a href="https://www.gartner.com/en/documents/4016190" target="_blank" rel="noopener">11%</a> through 2026. However, that’s a macro-level perspective. What’s happening inside your organization may not reflect this. You could actually see slight increases in your spending capacity, but that doesn’t mean you have “enough” budget. Factors like inflation and the need to be more competitive with compensation can quickly eat up any new dollars.</p>
<p>Additionally, more cyber spending doesn’t make threats or risks disappear. Strategically using your budget may, however. There aren’t enough dollars in the world to curtail the bombardment of cyberattacks companies face every day. That’s especially true for SMBs with smaller budgets and less human capital. They are often the target of hackers, as illustrated in the <a href="https://www.verizon.com/business/resources/reports/dbir/2023/" target="_blank" rel="noopener">Verizon 2023 Data Breach Investigations Report</a>. It documented 699 incidents in the prior year at companies with fewer than 1,000 employees.</p>
<p>SMBs are more likely to face limited budgets. Rising costs across operations can affect their spending more significantly than that of larger companies. No matter the size of the company or its capital, tightening budgets is a growing concern. So, how can you focus your spending on the areas that matter?</p>
<h2>Where to Focus Your Company’s Limited Cyber Budget</h2>
<p>There are several categories worth investing in to ensure systems stay secure. Those can include both human and machine intelligence. These are my recommendations for any SMB that needs to make the best decisions regarding cybersecurity spending.</p>
<h3>Controls That Can Successfully Defend Against Threats</h3>
<p>In order to know what controls will deliver the best ROI, you have to assess your threats and vulnerabilities. A risk assessment is a good first step in deciding on budget allocation. Once you have a picture of your position and the threat landscape, you can make data-driven decisions about controls.</p>
<p>Knowing more precisely how a hacker might try to infiltrate can guide you to controls that work best for those scenarios. A risk assessment is a good starting point or place to restart cybersecurity efforts. Then you have to make comparisons in the categories of controls you want to employ, looking at their features, costs, and other factors.</p>
<p>When building your tech stack, you’ll also have to consider the people you need to lead the efforts around controls and do further analysis based on data. When choosing those team members, assess their soft skills in the same way you do the hard skills. Leading such a project requires great communication, collaboration, perspective, and flexibility. Technical people often struggle with these things. So much so that it can increase your risk.</p>
<p>Next, you’ll finalize recommendations and move forward with procurement.</p>
<h3>Protecting Public-Facing Applications</h3>
<p>Whatever is in the public domain can be risky in cybersecurity. Vulnerabilities in these assets are the <a href="https://www.mandiant.com/resources/blog/m-trends-2023" target="_blank" rel="noopener">most common initial access technique hackers take</a>. This part of your digital footprint is what the business side depends on for awareness, lead generation, and revenue. It’s a tricky situation that can often have different departments on two different sides of the argument. There are some ways to resolve this and another place to spend budget money—web application penetration testing.</p>
<p><a href="https://bluegoatcyber.com/blog/what-is-web-application-penetration-testing-and-what-are-its-benefits/" target="_blank" rel="noopener">Web application penetration testing</a> is a method of simulating cyberattacks to access sensitive data. This test assesses all elements of your web applications—the architecture, design, and configuration. It’s inclusive of anything delivered over the internet through a browser interface. Hiring a firm to perform these tests should be on your budget list. Depending on your industry and compliance requirements, you may do these twice a year or more.</p>
<p>There are different options for web application penetration testing: Black Box, Gray Box, and White Box. The differences are the levels of access the ethical hackers have. Most start with Black Box because testers know nothing about the company, so they’re just like hackers looking for public-facing information to exploit.</p>
<p>The more exposed your company is in the media and digitally, the more you could be at risk. So, earmark the budget for these exercises. Make sure they deliver the best value by remediating what the testers find and having conversations about how to avoid these things in the future. Conversations like these are essential for people to become better at their job and more connected to it.</p>
<h2>Building More Redundancy to Deepen Your Defenses</h2>
<p>The next area that should be on your budget is redundancy and contingencies. <a href="https://christianespinosa.com/blog/ransomware-attacks-new-ways-to-exploit-old-vulnerabilities/" target="_blank" rel="noopener">Ransomware</a> is a bigger threat than ever, and SMBs have had their share of situations. The best defense will be prevention, which you’re investing in with controls and pen testing. These dollars are all about the “what-if” scenarios.</p>
<p>These redundant capabilities won’t have a connection to your main network. Keeping them separate is the best way to avoid malware spreading. Most attacks spread throughout the entire enterprise. Hackers use command and scripting activity, which you can monitor for in order to detect and respond to the threat.</p>
<p>Within this category of spending, you’ll have cloud computing, monitoring, hosting, and other fees associated with having redundant operations. Make prudent decisions about what needs to move over and what doesn’t. Work through scenarios and threat contingencies with your team to make decisions.</p>
<h2>Behavioral Tracking with Advanced AI</h2>
<p>AI is weaving its way into cybersecurity in many ways. Much of what AI can do is monitor and spot patterns or anomalies. The technology is advancing, and AI can now analyze data collected regarding online behaviors. Tracking the behavioral movements of hackers seems a little futuristic, but it’s the next logical step. This technology is really augmenting your team. The AI cleans up the data and gives raw results, which your team can decipher to continue to understand attack methods and defend against them.</p>
<p>There’s another way that AI is worth investing in with your budget.</p>
<h2>Automation Increases Productivity and Has a Strong ROI</h2>
<p>Automation tools that assist with managing, validating, remediating, and tracking your security should be on your budget. They leverage things like RPA (robotic process automation) and AI to deliver digital robots that can do a lot of manual, repetitive tasks so your people can focus on more strategic work.</p>
<p>There are many different things that you can automate. You’ll need to understand your end goal and the processes related to them to determine what to adopt. Some categories include:</p>
<ul>
<li>Software updates for devices connected to the network</li>
<li>Tracking asset posture</li>
<li>Monitoring and alerting</li>
<li>Network Intrusion Detection Systems (NIDS)</li>
<li>Network Intrusion Prevention Systems (NIPS)</li>
<li>Security logging tools</li>
<li>Data aggregation</li>
</ul>
<p>Focus on the most labor-intensive processes that rarely deviate when selecting automation tools. Get feedback from your team on the tasks they’d most like to move to automation when deciding where to spend these budget dollars.</p>
<h2>Investing in Your Team in Traditional and Nontraditional Ways</h2>
<p>Using cybersecurity budget dollars to upskill, train, and certify your staff is always a wise investment. For one, they become better at their job. They also can appreciate the acknowledgment that they are worth upskilling, which can support longer retention and less turnover. You can do this with those at all levels, from junior roles to senior ones. Cybersecurity is a dynamic, ever-changing ecosystem, and your good guys need to be learning more ways to outwit the bad guys.</p>
<p>Along with technical skills, you should consider helping them develop soft skills. They pay off just as much as hard ones. When technical people are better communicators and have greater awareness, everyone can be more efficient and effective. In such a high-stress environment, people that have people skills are immeasurably valuable.</p>
<p>So, how do you develop technical people into excellent communicators and collaborators? <a href="https://christianespinosa.com/blog/the-secure-methodology-and-cybersecurity-leadership/" target="_blank" rel="noopener">The Secure Methodology</a>™ is a concept I created that includes seven steps to do just that. This kind of investment in people demonstrates that you want them to be successful and contribute. It’s a great framework for any cybersecurity leader to adopt. You don’t need a huge budget to do this. You’ll likely invest more time, but it’s worth the work. The return on this investment is positive for your people and the business’s ability to mitigate risk.</p>
<p>You can learn more about it by reading my book, <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener">The Smartest Person in the Room</a>, and checking out the <a href="https://christianespinosa.com/programs/secure-methodology/" target="_blank" rel="noopener">Secure Methodology Course</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://christianespinosa.com/blog/is-your-cybersecurity-budget-limited-how-to-do-more-with-less/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Cybersecurity Workforce Retention: Keep Top Talent with the Secure Methodology</title>
		<link>https://christianespinosa.com/blog/cybersecurity-workforce-retention-keep-top-talent-with-the-secure-methodology/</link>
					<comments>https://christianespinosa.com/blog/cybersecurity-workforce-retention-keep-top-talent-with-the-secure-methodology/#respond</comments>
		
		<dc:creator><![CDATA[Christian Espinosa]]></dc:creator>
		<pubDate>Sat, 04 Feb 2023 17:20:06 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Secure Methodology]]></category>
		<category><![CDATA[culture]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[cybersecurity workforce]]></category>
		<category><![CDATA[secure methodology]]></category>
		<guid isPermaLink="false">https://christianespinosa.com/?p=2800</guid>

					<description><![CDATA[<p>Finding qualified and skilled talent has been a struggle in cybersecurity for years. According to data, that’s only getting harder. Exacerbating the cybersecurity workforce shortage is the fact that retaining employees is challenging. Cybersecurity workforce retention is as important as your recruitment strategies. So, how do you keep cyber professionals on the job? It’s not [&#8230;]</p>
<p>The post <a href="https://christianespinosa.com/blog/cybersecurity-workforce-retention-keep-top-talent-with-the-secure-methodology/">Cybersecurity Workforce Retention: Keep Top Talent with the Secure Methodology</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="size-medium wp-image-2801 alignright" src="https://christianespinosa.com/wp-content/uploads/2023/02/sigmund-Fa9b57hffnM-unsplash-300x200.jpg" alt="cybersecurity jobs" width="300" height="200" srcset="https://christianespinosa.com/wp-content/uploads/2023/02/sigmund-Fa9b57hffnM-unsplash-300x200.jpg 300w, https://christianespinosa.com/wp-content/uploads/2023/02/sigmund-Fa9b57hffnM-unsplash-1024x683.jpg 1024w, https://christianespinosa.com/wp-content/uploads/2023/02/sigmund-Fa9b57hffnM-unsplash-768x512.jpg 768w, https://christianespinosa.com/wp-content/uploads/2023/02/sigmund-Fa9b57hffnM-unsplash-1536x1024.jpg 1536w, https://christianespinosa.com/wp-content/uploads/2023/02/sigmund-Fa9b57hffnM-unsplash-2048x1365.jpg 2048w, https://christianespinosa.com/wp-content/uploads/2023/02/sigmund-Fa9b57hffnM-unsplash-640x427.jpg 640w" sizes="(max-width: 300px) 100vw, 300px" />Finding qualified and skilled talent has been a struggle in cybersecurity for years. According to data, that’s only getting harder. Exacerbating the cybersecurity workforce shortage is the fact that retaining employees is challenging. Cybersecurity workforce retention is as important as your recruitment strategies.</p>
<p>So, how do you keep cyber professionals on the job? It’s not an easy answer, as so many factors impact this. However, you can build a retention plan alongside your recruitment strategy. In this post, we’ll uncover why turnover occurs and how to create a culture and environment that will make them stay.</p>
<h2>The Cybersecurity Workforce Retention: State of the Industry</h2>
<p>A study from ISACA found that <a href="https://www.isaca.org/state-of-cybersecurity-2022" target="_blank" rel="noopener">60%</a> of cyber leaders said it was difficult to retain cybersecurity professionals, up 7% year-over-year. The survey outlined why it’s happening, with these being the top reasons:</p>
<ul>
<li>Recruited by other companies (59%)</li>
<li>Compensation and incentives (48%)</li>
<li>Few promotion and development opportunities (47%)</li>
<li>The high stress of the job (45%)</li>
<li>No management support (34%)</li>
</ul>
<p>Some of these challenges are easier to combat than others. Currently, there are more cybersecurity jobs than people available to fill them. A study estimated that over <a href="https://www.isc2.org/-/media/ISC2/Research/2022-WorkForce-Study/ISC2-Cybersecurity-Workforce-Study.ashx" target="_blank" rel="noopener">3.4 million cyber jobs</a> are available, which will only increase. As a result, other companies will try to lure away your employees, even if they aren’t actively looking for another job. How they respond to this will depend on how they feel about working for you in terms of money, autonomy, support, and satisfaction.</p>
<p>Compensation is another tricky area. Competitors may be offering more money. While that’s a critical part of why people work, money may not be the top factor in retention. Regardless, depending on their experience, role, and market, you should pay your team a fair wage. With the cost of living increasing, you must keep up with this.</p>
<p>Next is development, which is something you can control. Continuing to train and upskill your team shows you’re investing in them and their future. You should also be clear with them about the opportunities to advance.</p>
<p>Stress is inevitable in almost any job. Cybersecurity is a dynamic industry with fire drills all the time. Focusing on ways to destress workers should be part of your culture. It could be rewarding your team with social or team-building activities. Having an open door for employees to share their experiences with you and their stress can also be helpful.</p>
<p>Finally, you have complete purview over management support. As a leader, you have to earn and keep the respect of your team. Being a great leader requires you to communicate honestly, listen intently, acknowledge their work, and support them in any way you can.</p>
<p>Addressing these common reasons for turnover is critical for your organization because its impact is considerable.</p>
<h2>The Impact of Turnover</h2>
<p>An inability to retain staff affects many aspects of operations. Being understaffed creates more risk because everyone’s stretched thin. It’s easy to miss key things when someone is overwhelmed. Turnover also prevents your ability to be more strategic because you’re in a reactive mode versus a proactive one. Productivity suffers as well.</p>
<p>Turnover also costs you money. The average cost of hire is <a href="https://www.shrm.org/resourcesandtools/hr-topics/talent-acquisition/pages/the-real-costs-of-recruitment.aspx" target="_blank" rel="noopener">$4,700</a> and could be even greater considering how in demand these roles are. It’s in your best interest to retain your technical folks, which isn’t easy. You may be looking at many methods to decrease turnover, including increasing wages and benefits, allowing for flexible work, asking for feedback from your team to propel improvement, and providing the right tools to do the job.</p>
<p>Those are all good things to have, but retention has much to do with engagement, satisfaction, feeling valued, and having respect for leadership. These things can mean more than money, which is why applying the Secure Methodology™ to cybersecurity workforce retention makes sense. It’s a seven-step guide that defines a roadmap to transform technical people into highly communicative and collaborative professionals.</p>
<p>Let’s see how each step can support retention.</p>
<h2>Applying the Secure Methodology to Cybersecurity Workforce Retention</h2>
<p>With every step of the Secure Methodology, there are lessons to learn that impact retention. Here’s how to use these in your organization.</p>
<h3>Step One: Awareness</h3>
<p>Tapping into <a href="https://christianespinosa.com/blog/the-secure-methodology-step-one-awareness/" target="_blank" rel="noopener">awareness</a> is an important attribute to have in life and work. We all have blind spots, but some are bigger than others. Without being aware of these, there are consequences. It negatively impacts relationships and erodes trust. Without being aware, your team doesn’t realize how their behavior affects others and the environment. Things can become toxic very fast. If those things are lacking, it’s easy to see why some would want to leave.</p>
<p>Awareness means being cognizant of your blind spots and working to address them. A more aware team will be more collaborative and communicative. Here are some ways that this can support retention:</p>
<h4>Coaching</h4>
<p>Coaching is vital to broadening awareness. If you can open the eyes of your team in a conducive way, they may have “aha” moments. Shifting their stance from being self-centered allows people to get a better perspective.</p>
<h4>Language</h4>
<p>Using specific, relatable language helps technical people better understand expectations and culture. When there’s no confusion about where everyone should focus, they will likely feel more empowered.</p>
<h4>Motivation</h4>
<p>Understanding motivations is critical to unlocking awareness. Tapping into what makes them tick helps strip away some of the technical posturing cyber professionals often do. Knowing their motivations allows you to personalize how you support and coach them.</p>
<h3>Step Two: Mindset</h3>
<p>There are two types of <a href="https://christianespinosa.com/blog/the-secure-methodology-step-two-mindset/" target="_blank" rel="noopener">mindsets</a> — fixed and open. Many technical folks have fixed mindsets with no desire to change, learn, or grow. However, it doesn’t mean they have to stay that way. Fixed mindsets are poisonous to retention. Even if one in the group is this way, it can taint it for others. When we’re fixed, we refuse to move.</p>
<p>A growth mindset is freeing and enables people to be flexible and adaptable, which is necessary for cybersecurity. Evolving a fixed mindset to a growth one is possible, but it requires commitment from you and the employee.</p>
<p>Some key results of a growth mindset include:</p>
<ul>
<li>The ability to reflect on situations and understand how to handle them differently.</li>
<li>Healthier and consistent communication.</li>
<li>A culture that welcomes growth personally and professionally.</li>
<li>Growth mindsets can be a significant reason employees stay with your organization.</li>
</ul>
<h3>Step Three: Acknowledgment</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-three-acknowledgment/" target="_blank" rel="noopener">Acknowledgment</a> is scarce in technical fields. Yet, it’s so crucial to retention. Your employees want appreciation for the work they do. Its absence is because most cyber leaders only respond to things when they go wrong. The small wins everyday matter so much to your people, so you must become vigilant about feedback.</p>
<p>Your approach to acknowledgment should include:</p>
<ul>
<li>Being positive by looking at what went right first</li>
<li>Specificity in your feedback</li>
<li>Immediately offering feedback in the moment</li>
<li>Praise in public and relay ways to improve in private</li>
<li>Consistency in how you address acknowledgment</li>
</ul>
<p>Lack of appreciation and lack of feeling valued are two primary reasons why people leave their jobs. If your people don’t receive acknowledgment, they’ll actively seek another job.</p>
<h3>Step Four: Communication</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-four-communication/" target="_blank" rel="noopener">Communication</a> is part of every step in the Secure Methodology, along with having its own step. It is, without a doubt, the most critical part of a thriving culture and support to retention. You probably know there are communication issues among your technical folks. It doesn’t mean they aren’t articulate. Rather, their communication styles are often too aggressive, overly complicated with geek speak, and always on the defense. They also suck at listening, the other component of communication.</p>
<p>This storm of dysfunction will have people, often your best, running away from your organization. Thus, it’s critical to make communication the foundation of your culture and retention strategy. Here’s how to use it:</p>
<ul>
<li>Be honest and transparent as a leader.</li>
<li>Move away from overly technical language and simplify the message.</li>
<li>Encourage open discussion and dialogue that’s respectful.</li>
<li>Praise your people when they make adjustments in communication.</li>
<li>Practice active listening in exercises, so they grasp how crucial it is.</li>
</ul>
<p>If you can lay out these tenets, your people will likely see the value and follow you. If some still don’t realize it, they may be dragging others down. In some cases, you may have to let those folks go, so they don’t make it unbearable for everyone else.</p>
<h3>Step Five: Monotasking</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-five-monotasking/" target="_blank" rel="noopener">Monotasking</a> is focusing on one thing, the opposite of multitasking. Many describe multitasking as an excellent quality, but it can actually hamper productivity. Forcing multitasking can make your people feel pulled in many directions. Those feelings create animosity and dissatisfaction. So, remove this pressure and instead recommend blocking time for specific tasks, meetings without distractions, and saying “no” to some things that aren’t urgent.</p>
<h3>Step Six: Empathy</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-six-empathy/" target="_blank" rel="noopener">Empathy</a> is a valuable quality to have. In terms of cybersecurity, cognitive empathy is essential for a healthy environment. It means that others can understand the feelings and perspectives of others. Without it, you have no team or human connection, and you need those to retain your people. All the things you put in place to get to this step support the building of empathy. Developing this in your team enables a trust factor and creates more satisfaction.</p>
<h3>Step Seven: Kaizen</h3>
<p>The final step is kaizen, which is a Japanese term. When translated into English, it means “continuous improvement.” So, this step isn’t an end to the journey; it’s how to sustain it. If your team believes in this process, they’ll want to continue identifying ways to improve and follow through with them. When kaizen is part of your <a href="https://christianespinosa.com/blog/the-cyber-threat-no-one-talks-about-the-absence-of-a-cybersecurity-culture/" target="_blank" rel="noopener">cybersecurity culture</a>, your technical folks will evolve and realize that this is where they can continue learning and growing.</p>
<p>Retaining your workforce won’t be easy. With the Secure Methodology, you have a framework. You can go more in-depth by reading my book, <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener"><em>The Smartest Person in the Room</em></a>, and viewing the <a href="https://christianespinosa.com/programs/secure-methodology/" target="_blank" rel="noopener">Secure Methodology course</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://christianespinosa.com/blog/cybersecurity-workforce-retention-keep-top-talent-with-the-secure-methodology/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Cybersecurity and Meaningful Work: Why New Generations Entering the Field Want Purpose</title>
		<link>https://christianespinosa.com/blog/cybersecurity-and-meaningful-work-why-new-generations-entering-the-field-want-purpose/</link>
					<comments>https://christianespinosa.com/blog/cybersecurity-and-meaningful-work-why-new-generations-entering-the-field-want-purpose/#respond</comments>
		
		<dc:creator><![CDATA[Christian Espinosa]]></dc:creator>
		<pubDate>Sun, 18 Dec 2022 16:17:08 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Secure Methodology]]></category>
		<category><![CDATA[career]]></category>
		<category><![CDATA[core values]]></category>
		<category><![CDATA[culture]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[gen z]]></category>
		<category><![CDATA[leadership]]></category>
		<category><![CDATA[purpose]]></category>
		<guid isPermaLink="false">https://christianespinosa.com/?p=2785</guid>

					<description><![CDATA[<p>The cybersecurity talent pipeline is facing the same challenges as many industries. A strong job market and low unemployment mean that many well-qualified professionals aren’t actively seeking new jobs. As a result, cybersecurity needs to look to the latest generation entering the workforce, Gen Z. Gen Z is a unique generation, which makes the ability [&#8230;]</p>
<p>The post <a href="https://christianespinosa.com/blog/cybersecurity-and-meaningful-work-why-new-generations-entering-the-field-want-purpose/">Cybersecurity and Meaningful Work: Why New Generations Entering the Field Want Purpose</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="size-medium wp-image-2786 alignright" src="https://christianespinosa.com/wp-content/uploads/2022/12/jamie-street-_94HLr_QXo8-unsplash-300x202.jpg" alt="Cybersecurity Purpose - Christian Espinosa" width="300" height="202" srcset="https://christianespinosa.com/wp-content/uploads/2022/12/jamie-street-_94HLr_QXo8-unsplash-300x202.jpg 300w, https://christianespinosa.com/wp-content/uploads/2022/12/jamie-street-_94HLr_QXo8-unsplash-1024x690.jpg 1024w, https://christianespinosa.com/wp-content/uploads/2022/12/jamie-street-_94HLr_QXo8-unsplash-768x517.jpg 768w, https://christianespinosa.com/wp-content/uploads/2022/12/jamie-street-_94HLr_QXo8-unsplash-1536x1035.jpg 1536w, https://christianespinosa.com/wp-content/uploads/2022/12/jamie-street-_94HLr_QXo8-unsplash-2048x1380.jpg 2048w, https://christianespinosa.com/wp-content/uploads/2022/12/jamie-street-_94HLr_QXo8-unsplash-640x431.jpg 640w" sizes="(max-width: 300px) 100vw, 300px" />The cybersecurity talent pipeline is facing the same challenges as many industries. A strong job market and low unemployment mean that many well-qualified professionals aren’t actively seeking new jobs. As a result, cybersecurity needs to look to the latest generation entering the workforce, Gen Z. Gen Z is a unique generation, which makes the ability to <a href="https://christianespinosa.com/blog/how-to-recruit-and-hire-cybersecurity-professionals-to-help-you-win-the-cybersecurity-war/" target="_blank" rel="noopener">recruit and retain</a> them much different. They have new ideas about work: that it should be more than a job and should provide them with purpose and fulfillment, a trending topic in the world of HR known as meaningful work.</p>
<p>In this post, we’ll examine the Gen Z demographic, what matters to them, the concept of meaningful work, and how cybersecurity leaders can use this information to connect with a new generation of workers.</p>
<h2>All About Gen Z and Their Entrance into the Workforce</h2>
<p>Gen Z describes individuals born between 1997 and 2012. They currently make up almost <a href="https://www.statista.com/statistics/797321/us-population-by-generation/" target="_blank" rel="noopener">21% of the U.S. population</a>. The oldest of this group have entered the job market, with many more to come in the next few years.</p>
<p>Gen Z is described as the most <a href="https://www.pewresearch.org/social-trends/2018/11/15/early-benchmarks-show-post-millennials-on-track-to-be-most-diverse-best-educated-generation-yet/" target="_blank" rel="noopener">racially and ethnically diverse generation</a>. They are also digital natives who have had a device in their hands most of their lives. This demographic has also been through many major events during their young lives, including the war on terror, a major recession where they witnessed parents and family members lose jobs, and the pandemic.</p>
<p>All these factors shape how they view work and what’s important to them. They are often adamant about work-life balance, flexibility, autonomy, and having modern technology as part of their job. In addition to these expectations, they also want to work for organizations that share their values. In fact, <a href="https://www2.deloitte.com/us/en/pages/consumer-business/articles/understanding-generation-z-in-the-workplace.html" target="_blank" rel="noopener">77% of Gen Z</a> said this was important in response to a survey conducted by Deloitte. Another thing they value highly in an employer is diversity, equity, and inclusion (DEI), which <a href="https://tallo.com/blog/gen-z-workplace-diversity-equity-inclusion/" target="_blank" rel="noopener">87% agreed</a> was critical when considering jobs.</p>
<p>Gen Z also cares about company culture. Cybersecurity should be very culture-focused, which could entice them. Overall, they want to work for a company that cares about their well-being.</p>
<p>Work for them isn’t about a “grind” or purely a transactional relationship. They desire meaningful work, and if it’s not present, they’ll have no problem moving to the next opportunity. Long gone are the days when employees worked for a single company their entire lives.</p>
<p>As a cybersecurity leader, ingesting this information about Gen Z may give you pause. Yet, they have some key attributes that make them attractive as workers beyond technical skills.</p>
<h2>How Gen Z Workers Can Benefit Cybersecurity</h2>
<p>Gen Z had a big head start on technology aptitude. It’s been part of their lives forever, and they’ve been early adopters. Beyond these skills, cybersecurity leaders are placing more emphasis on people skills, which is the central message in my book, <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener"><em>The Smartest Person in the Room</em></a>. These can be very hard to develop in older workers that have been in the industry for years.</p>
<p>The nature of Gen Z’s life experiences naturally predisposes them to value being communicators and collaborators. The stereotype of this group as never putting down their phones and being detached in communication isn’t accurate. They do love tech and spend lots of time on social media, but it’s not their entire personality.</p>
<p>Since they sincerely care about the world around them, they also understand the value of having strong interpersonal skills. Some might not be as confident in soft skills, but they won’t “fight” you on realizing the need to develop them as older generations may. As a result, they may be more amenable to participating in exercises, programs, and activities that will help them cultivate better <a href="https://christianespinosa.com/blog/5-people-skills-every-successful-cybersecurity-professional-possesses/" target="_blank" rel="noopener">people skills</a>.</p>
<p>All these things make Gen Z an attractive group for cybersecurity careers. The onus of making your industry and company appealing has a lot to do with meaningful work.</p>
<h2>What Is Meaningful Work?</h2>
<p>Meaningful work is a newish concept in the world of HR. Its definition is somewhat flexible because “meaning” is subjective to an individual. The idea is universal in that it means that an employee believes the work to be important for the greater good and is part of something. As a result, workers are motivated and engaged in what they do.</p>
<p>Another aspect of meaningful work is that employees can use critical thinking skills and be problem-solvers versus taskmasters.</p>
<p>Both align with a career in cybersecurity and what Gen Z wants in a career. In the end, meaningful work is good for workers and businesses.</p>
<p>For example, employees who engage in meaningful work from their perspective may positively impact their mental health, something Gen Z is serious about. Healthier employees typically have <a href="https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4174367/#:~:text=This%20study%20found%20that%20depression,involving%20medical%20and%20vocational%20interventions." target="_blank" rel="noopener">fewer absences than their depressed counterparts</a>. They’ll also be more engaged in building a strong cybersecurity culture and collaborating to do great things.</p>
<p>An environment of meaningful work supports retention, as well. The attachment that occurs in this situation delivers tangible benefits. Companies can see <a href="https://hbr.org/2019/12/the-value-of-belonging-at-work" target="_blank" rel="noopener">50% less turnover and a 56% increase</a> in job performance.</p>
<p>It can also deter burnout, which can be a problem in cybersecurity. It’s a high-stress field with many risks, threats, and stakeholders. If you have a team that feels the work is meaningful, that you and the organization value them, and that the culture is inclusive, you have an advantage over others. As a result, you’ll be a more attractive option for those entering the field.</p>
<p>So, how do you promote your company as one that delivers meaningful work?</p>
<h2>Attracting Gen Z with the Promise of Meaningful Work</h2>
<p>There are a few key strategies to consider when recruiting Gen Z and using the angle of meaningful work. First, it’s essential to know that Gen Z is proactive in their job search. For those in college, a <a href="https://yello.co/blog/introducing-the-first-graduating-class-of-generation-z/" target="_blank" rel="noopener">quarter of them began job searching in the first two years</a>. Second, they seek internships to get experience for the future and test out a field to see if it’s a good fit. Taking this into consideration, here are some ideas.</p>
<h3>Partner with Universities and Community Colleges to Find Talent</h3>
<p>Get to Gen Z while they are still learning by creating relationships with educational institutions. It’s an excellent way for students to become aware of your company. This can lead to mutually beneficial internships. The first impressions that Gen Z has about your company will matter, so talk about culture and how much you value interpersonal skills as much as technical ones.</p>
<h3>Add Meaningful Work to Job Descriptions</h3>
<p>Most cybersecurity job descriptions are dry and standard. It looks like a computer wrote it! Gen Z will not respond to this, as they value authenticity. Be honest in how you position your roles. Yes, it’s important to talk about technical skills, but you can also include that meaningful work is part of your organization and that you provide an environment where people can learn and grow.</p>
<h3>Tap Your Current Gen Z Employees for Referrals</h3>
<p>If you already have Gen Z workers on your team, talk to them about referrals. Ideally, if they are happy with the company and the work, they’ll be up for this. A referral is better than most applications for both parties. For you, it’s a sign that your employee vouches for them. For the candidate, they’ve heard about what it’s really like to work for you and weren’t discouraged by what they learned.</p>
<p>Once Gen Z becomes part of your group, you have another make-or-break consideration. How will older generations react to them?</p>
<h2>Is Your Team Ready for Gen Z and Meaningful Work?</h2>
<p>If you’ve made meaningful work a priority, then your current employees know this. However, it’s not going to matter to all of them. Some are still stuck in old perceptions about cybersecurity. Their “meaning” is that they are the smartest, most capable technical people. If that’s your current predicament, there will be some friction.</p>
<p>In a way, you have to prepare them for the entrance of Gen Z, which will require that they work on their people skills. Hopefully, they’ll realize this process benefits them in many ways. However, it involves change, and resistance is inevitable. Through the <a href="https://christianespinosa.com/blog/the-secure-methodology-and-cybersecurity-leadership/" target="_blank" rel="noopener">Secure Methodology</a>™, which I developed in my book, you can find a seven-step guide on how to transform these outdated mindsets.</p>
<p>They’ll be helpful for all your employees, regardless of their generation. The way they respond and their effort will vary. Ultimately, you’re trying to work as a cohesive team that respects each other, cooperates well, communicates clearly, and can find meaning in what they do.</p>
<p>The journey ahead will be challenging at times. You have a chance to make a real difference in the lives of your employees and your company’s ability to manage risk and mitigate threats. Use the Secure Methodology as a blueprint to do that. Get the entire message by <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener">reading my book</a> and check out the <a href="https://christianespinosa.com/programs/secure-methodology/" target="_blank" rel="noopener">Secure Methodology course</a>, as well.</p>
<p>The post <a href="https://christianespinosa.com/blog/cybersecurity-and-meaningful-work-why-new-generations-entering-the-field-want-purpose/">Cybersecurity and Meaningful Work: Why New Generations Entering the Field Want Purpose</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://christianespinosa.com/blog/cybersecurity-and-meaningful-work-why-new-generations-entering-the-field-want-purpose/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The Secure Methodology™ Step Six: Empathy</title>
		<link>https://christianespinosa.com/blog/the-secure-methodology-step-six-empathy/</link>
					<comments>https://christianespinosa.com/blog/the-secure-methodology-step-six-empathy/#respond</comments>
		
		<dc:creator><![CDATA[Christian Espinosa]]></dc:creator>
		<pubDate>Wed, 07 Dec 2022 00:14:53 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Secure Methodology]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[empathy]]></category>
		<category><![CDATA[secure methodology]]></category>
		<guid isPermaLink="false">https://christianespinosa.com/?p=2781</guid>

					<description><![CDATA[<p>Empathy in the professional world isn’t a new concept, but its adoption is lagging. Look no further than the Great Resignation as proof that how companies treat people must change. Many people have readjusted their beliefs about work and life in the past few years, so empathy’s importance is greater than ever and has a pivotal role [&#8230;]</p>
<p>The post <a href="https://christianespinosa.com/blog/the-secure-methodology-step-six-empathy/">The Secure Methodology™ Step Six: Empathy</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="gac-project-details main-container">
<div class="gac-project-wrapper gac-content-page gac-touch-device">
<div class="gac-project-content">
<div class="gac-project-content-wrap">
<div>
<div class="gac-project-data-wrap">
<div id="gac-project-data" class="gac-project-data">
<p><img loading="lazy" decoding="async" class="size-medium wp-image-2782 alignright" src="https://christianespinosa.com/wp-content/uploads/2022/12/head-4041585_1920-300x197.png" alt="Empathy - Christian Espinosa" width="300" height="197" srcset="https://christianespinosa.com/wp-content/uploads/2022/12/head-4041585_1920-300x197.png 300w, https://christianespinosa.com/wp-content/uploads/2022/12/head-4041585_1920-1024x674.png 1024w, https://christianespinosa.com/wp-content/uploads/2022/12/head-4041585_1920-768x505.png 768w, https://christianespinosa.com/wp-content/uploads/2022/12/head-4041585_1920-1536x1010.png 1536w, https://christianespinosa.com/wp-content/uploads/2022/12/head-4041585_1920-640x421.png 640w, https://christianespinosa.com/wp-content/uploads/2022/12/head-4041585_1920.png 1920w" sizes="(max-width: 300px) 100vw, 300px" />Empathy in the professional world isn’t a new concept, but its adoption is lagging. Look no further than the <a href="https://www.npr.org/2021/06/24/1007914455/as-the-pandemic-recedes-millions-of-workers-are-saying-i-quit" target="_blank" rel="noopener">Great Resignation</a> as proof that how companies treat people must change. Many people have readjusted their beliefs about work and life in the past few years, so empathy’s importance is greater than ever and has a pivotal role to play in cybersecurity.</p>
<p>Empathy is a key component in winning the cybersecurity war. As such, it’s the sixth step in the Secure Methodology, which is a guide of seven steps that helps cyber leaders transform their employees into high-functioning communicators and collaborators. It builds on the five preceding steps: <a href="https://christianespinosa.com/blog/the-secure-methodology-step-one-awareness/" target="_blank" rel="noopener">awareness</a>, <a href="https://christianespinosa.com/blog/the-secure-methodology-step-two-mindset/" target="_blank" rel="noopener">mindset</a>, <a href="https://christianespinosa.com/blog/the-secure-methodology-step-three-acknowledgment/" target="_blank" rel="noopener">acknowledgment</a>, <a href="https://christianespinosa.com/blog/the-secure-methodology-step-four-communication/" target="_blank" rel="noopener">communication</a>, and <a href="https://christianespinosa.com/blog/the-secure-methodology-step-five-monotasking/" target="_blank" rel="noopener">monotasking</a>.</p>
<p>Let’s dive into empathy and why it’s a critical aspect of cybersecurity.</p>
<h2>Empathy Is Hard to Find These Days</h2>
<p>While empathy is critically absent in many technical folks, the rest of the world isn’t demonstrating it much, either. It doesn’t mean that people are naturally unkind; instead, their concept of doing things to support others and the greater good gets canceled by their focus on differences.</p>
<p>It’s easy to ground a worldview in differences and an us-versus-them mentality. If we don’t feel personally impacted by something, we’re glad to look the other way. If “others” are different, then many of us can feel it’s none of our concern.</p>
<p>Except, at the end of the day, we have so much more in common. First, we’re all humans and face many of the same challenges. There’s a microcosm of this happening in your cyber team, especially in their beliefs about others. They typically see nontechnical roles as “others” who could never understand what they do, which creates a wall for communication and collaboration.</p>
<p>Everyone will always have specific roles, but when they become the foundation of how you react to others, it’s not serving anyone. For example, saying, “Oh, he’s a salesperson and can’t understand security risk,” means someone’s already discounting them and looking at them like a caricature.</p>
<p>This initial premise creates an empathy void, which has consequences for cybersecurity.</p>
<h2>The Impact of the Absence of Empathy on Cybersecurity</h2>
<p>So, how does a lack of empathy affect cybersecurity? It can cause a lot of problems, which can have a devastating impact on risk.</p>
<h3>Technical Folks Can Be Intellectual Bullies</h3>
<p>Bullying in the workplace is just as common as in the schoolyard. When people cannot see the perspective of others, they tend to act condescending and be defensive in every conversation. They use their intellect to belittle others, which fosters distrust and resentment. Unfortunately, bullying is often part of cybersecurity culture and goes unchecked.</p>
<h3>Ego Cripples Empathy</h3>
<p>These bullies often only have concerns for themselves. They have a narrow view that doesn’t include the needs of others. It’s especially detrimental when managers have egos that stunt the growth of others. It’s toxic and hampers the capabilities of a team.</p>
<h3>Without Empathy, You Can’t Have a Team</h3>
<p>The basic principle of a team is a group of people working together to accomplish a goal or solve a problem. Empathy is a prerequisite for this. When it’s missing, you can’t have a team.</p>
<p>On the one hand, we all have some type of belief about our inabilities. You would think this would encourage us all to be more empathetic. The challenge for many technical people is that they want to cover up insecurities and reject empathy for themselves and others. As a result, the foundational trust of being teammates isn’t there.</p>
<h3>Empathy Emptiness Is More Than an Internal Problem</h3>
<p>A cyber team that doesn’t prioritize empathy also hurts the relationships it has with others, whether they are an internal or external client. Technical people are responsible for security, but not in a vacuum. They must work with others to understand the objectives and concerns of these parties. When they don’t, they create a greater divide and overcomplicate situations, which causes further ostracization.</p>
<p>The stakeholders want to be involved and understand threats and risks. Just because they aren’t technical people doesn’t mean they can’t understand these things. However, if cyber professionals keep them in the dark, it only helps cyber criminals.</p>
<h3>The Real Empathy Struggle for Technical People Is a Human Connection Problem</h3>
<p>In my career and experiences, I’ve learned that human connection is the root of the empathy struggle for technical folks. Obviously, connection is essential to empathy in any capacity. If we’re all lone wolves and only focus on ourselves, there’s no connection.</p>
<p>Striving to build a human connection is an asset anyone can appreciate. It improves communication, collaboration, and perspective. Those things make people better at their job and happier in life in general.</p>
<p>So, how do you break people out of their one-track minds and cultivate a cybersecurity culture built on empathy?</p>
<h2>How to Develop Empathy in Your Cyber Staff</h2>
<p>You may think that developing empathy in technical professionals is beyond impossible. You’re already ready to skip to the next step and leave this one out because empathy is too emotional. Fair enough, but I wouldn’t have included it in the Secure Methodology without a plan. It’s an entire chapter in my book, <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener"><em>The Smartest Person in the Room</em></a>, and these are some excerpts that can help you find success.</p>
<h3>The Framework Starts With Cognitive Empathy</h3>
<p>There is more than one kind of empathy, and the focus here is <a href="https://christianespinosa.com/blog/cognitive-vs-affective-empathy-leadership/" target="_blank" rel="noopener">cognitive empathy</a>, which is the ability to understand someone else’s feelings and perspective. It’s somewhat different from its emotional counterpart, affective empathy, but it still has the same roots.</p>
<p>Additionally, you must frame your approach to differentiate between <a href="https://christianespinosa.com/blog/empathy-vs-sympathy/" target="_blank" rel="noopener">empathy and sympathy</a>. They are quite different. Empathy describes the choice to connect with someone and accept their perspective. Sympathy doesn’t require the perspective aspect. Rather, it’s merely the ability to feel sorrow for how someone else feels.</p>
<p>People can be sympathetic but not empathetic. It’s a good trait to have, but empathy is what can drive organizational change and success.</p>
<h3>Understanding Motivation</h3>
<p>Motivation is a recurring theme in the Secure Methodology and applies to empathy. Grasping what motivates an employee is a key to helping them become more empathetic. Their motivation ties to the role they play in cybersecurity and supports a perception of a team working together. If they get this, they’ll want to grow their empathy.</p>
<h3>Acknowledging Accomplishments</h3>
<p>When you recognize the hard work of your staff, you create positive connections with them. In turn, it becomes a way to foster empathy. In addition to acknowledging achievements, you should also highlight similarities, struggles, and perspectives. This can create further connections between teammates and enrich trust.</p>
<h3>Adapting Communication</h3>
<p>It starts with you and your communication if you want your people to exemplify cognitive empathy. You have to be an example through how you communicate, which means admitting uncertainty and not always having an answer. They may be more likely to do the same if you can do this. Adapting your communication is critical and includes:</p>
<ul>
<li>Avoid the word “why” because it triggers defensive responses.</li>
<li>Try making statements to uncover information, such as “Tell me what your plan is for this.”</li>
<li>Include the perspectives of others in how you communicate to demonstrate that the topic impacts many people.</li>
<li>Encourage people to explain those impacts on others when working through a cybersecurity challenge.</li>
<li>Continue to impress upon your team that listening is just as vital in communication as speaking.</li>
</ul>
<h3>Putting the Target Back on the Actual Enemy</h3>
<p>It may seem apparent, but the enemy in the cybersecurity war is the hackers. Yet, the “otherism” I defined earlier pits cyber professionals against colleagues. People who are stuck in the us-versus-them mindset forget who the actual bad guys are. In fact, they’re helping the bad guys by functioning without empathy.</p>
<p>Staff too busy trying to stay in control of every cyber discussion and decision refuse to let the needs and perspectives of others have a place. As a result, cybercriminals win because team cohesion is absent. This is the most dangerous environment to operate in and will likely end in a breach or incident.</p>
<p>In working toward greater empathy, you must be clear about who the adversary is and that it’s nobody in the room. Connection within your team and with clients is critical to being proactive and prepared for cyberattacks. You can outmaneuver the hackers if you consistently focus on this and encourage empathetic capabilities.</p>
<h2>Trust in Empathy to Revolutionize Your Cyber Culture</h2>
<p>All the work from the previous Secure Methodology steps will put you in a position to develop empathy with your technical people. Having this new approach should also help you make better hiring decisions in the future. The bottom line is that empathy isn’t an innate human quality. We have to learn it, and you’re in a position to help people do this. That’s good for them personally and professionally. Get more tips on empathy and exercises by reading <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener"><em>The Smartest Person in the Room</em></a>.</p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p>The post <a href="https://christianespinosa.com/blog/the-secure-methodology-step-six-empathy/">The Secure Methodology™ Step Six: Empathy</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://christianespinosa.com/blog/the-secure-methodology-step-six-empathy/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>How to Create a Culture of Innovation in Cybersecurity</title>
		<link>https://christianespinosa.com/blog/how-to-create-a-culture-of-innovation-in-cybersecurity/</link>
					<comments>https://christianespinosa.com/blog/how-to-create-a-culture-of-innovation-in-cybersecurity/#respond</comments>
		
		<dc:creator><![CDATA[Christian Espinosa]]></dc:creator>
		<pubDate>Sun, 04 Dec 2022 16:29:01 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Secure Methodology]]></category>
		<category><![CDATA[ciso]]></category>
		<category><![CDATA[culture]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[innovation]]></category>
		<category><![CDATA[secure methodology]]></category>
		<category><![CDATA[tspitr]]></category>
		<guid isPermaLink="false">https://christianespinosa.com/?p=2777</guid>

					<description><![CDATA[<p>Creating a cybersecurity culture isn’t a novel idea. It’s one that’s been around for some time, as the field and organizations realized that cybersecurity isn&#8217;t just about tools, protocols, and technical aptitude. Culture is much more about the people and, as a result, makes it much harder to build and sustain. People are unpredictable and don’t [&#8230;]</p>
<p>The post <a href="https://christianespinosa.com/blog/how-to-create-a-culture-of-innovation-in-cybersecurity/">How to Create a Culture of Innovation in Cybersecurity</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="size-medium wp-image-2778 alignright" src="https://christianespinosa.com/wp-content/uploads/2022/12/jason-goodman-Oalh2MojUuk-unsplash-300x200.jpg" alt="Cybersecurity Culture" width="300" height="200" srcset="https://christianespinosa.com/wp-content/uploads/2022/12/jason-goodman-Oalh2MojUuk-unsplash-300x200.jpg 300w, https://christianespinosa.com/wp-content/uploads/2022/12/jason-goodman-Oalh2MojUuk-unsplash-1024x683.jpg 1024w, https://christianespinosa.com/wp-content/uploads/2022/12/jason-goodman-Oalh2MojUuk-unsplash-768x512.jpg 768w, https://christianespinosa.com/wp-content/uploads/2022/12/jason-goodman-Oalh2MojUuk-unsplash-1536x1024.jpg 1536w, https://christianespinosa.com/wp-content/uploads/2022/12/jason-goodman-Oalh2MojUuk-unsplash-2048x1365.jpg 2048w, https://christianespinosa.com/wp-content/uploads/2022/12/jason-goodman-Oalh2MojUuk-unsplash-640x427.jpg 640w" sizes="(max-width: 300px) 100vw, 300px" />Creating a cybersecurity culture isn’t a novel idea. It’s one that’s been around for some time, as the field and organizations realized that cybersecurity isn&#8217;t just about tools, protocols, and technical aptitude. Culture is much more about the people, which makes it much harder to build and sustain. People are unpredictable and don’t always have the skillsets to participate in culture. There’s an additional component of cultural manifestation, and it revolves around innovation. So, how do you develop a cybersecurity culture of innovation?</p>
<p>If it’s not a question you’re asking yourself as a cybersecurity leader, I would suggest you should. Innovation is the enemy of complacency. However, it requires cyber teams to look beyond their technical aptitude and leverage soft skills, which they may not have. It can seem like an uphill battle, but it&#8217;s worth considering the benefits it can bring your staff and business. Those advantages include satisfied employees, mitigation of risk, and the ability to meet continuous improvement goals.</p>
<p>So, let’s talk about fostering innovation in your cybersecurity culture.</p>
<h2>What Is a Cybersecurity Culture of Innovation?</h2>
<p>At the foundation of culture are people and behaviors. If those whose job is to protect data and networks have a closed mindset, fail to evolve their conceptions, or believe they are the smartest people in the room, culture will always be toxic. In these cases, risks become greater, turnover is high, and communication is nonexistent.</p>
<p>Conversely, a healthy culture has open-minded participants that want to work together effectively and continuously learn. That is an environment where innovation can thrive. It’s a place that welcomes new ideas, which can lead to a better security posture, engaged employees, and greater productivity. In this scenario, everyone benefits.</p>
<p>As you assess your current culture, you probably have gaps, some more than others. Filling those gaps aligns really well with the <a href="https://christianespinosa.com/blog/the-secure-methodology-and-cybersecurity-leadership/" target="_blank" rel="noopener">Secure Methodology</a>™, so I’ll be referring to that as I describe the steps to take. The Secure Methodology is a seven-step guide for cybersecurity leaders to leverage to develop the people skills of technical folks. These steps don’t focus on cyber skills but rather interpersonal ones, which is the core of culture.</p>
<h2>Building a Culture of Innovation</h2>
<p>No matter where you’re starting in the culture journey, these pivotal elements will be necessary to propel your organization into one that’s agile, forward-thinking, and connected. Here are the areas to help you formulate a plan.</p>
<h3>Cybersecurity Culture Involves Three Different Levels</h3>
<p>When considering any culture configuration, there are always three levels to consider, from the top to the individual. While they have different roles in the organization and responsibilities around cybersecurity, they must work together to maintain a culture.</p>
<h4>Leadership</h4>
<p>This segment is the C-suite, including the CEO and <a href="https://christianespinosa.com/blog/a-ciso-isnt-a-technical-role/" target="_blank" rel="noopener">CISO</a>. They must lead by example if they want the culture to permeate. They are top-level decision-makers, but those decisions don’t happen in a vacuum. They need to understand risk and how cyber operations work, which requires clear, consistent communication from cyber teams and individuals. Unfortunately, communication is often the skill most lacking in technical employees. If those who set the strategy and budgets are only fed geek speak, culture leadership is working with a handicap.</p>
<p>Communication, of course, goes both ways. When leaders set a precedent on how they expect communication to flow, it can break down some barriers. In the end, the C-suite needs communication development, as well. It’s especially true regarding what questions they ask, which should be more granular than they might currently be.</p>
<h4>Team</h4>
<p>Your cyber team comprises people with various skill sets, experience, and expertise. If they can build a coalition that taps into this, they’ll be at a good place regarding culture. However, we’re talking about behavior, communication, and cooperation. Those things are usually the Achilles’ heel of any cyber team.</p>
<p>The team dynamic and evolving it is a big part of the Secure Methodology. Its guidance takes into account the typical lack of people skills and how that impacts cybersecurity culture. Too often, your team operates in silos and wants to continue in this way. Many times, it’s about a fear that others will find out they don’t know everything. Except that’s precisely the kind of mindset you need to innovate!</p>
<p>When working on culture at this level, the Secure Methodology is an excellent framework that you can use to cultivate communication skills, awareness, empathy, and more.</p>
<h4>Individuals</h4>
<p>The last layer of culture is the individual. What applies here is similar to the team level with caveats. The biggest of those is motivation, as each person has their own. At this level, as the leader, you must make specific connections to understand that individual’s capacity to change and grow. It’s the most challenging part of cultural shifts, and not every person on your team will be ready for this.</p>
<p>The Secure Methodology includes exercises throughout the seven steps to assist with this. How each person reacts to these will determine their long-term cultural fit.</p>
<p>Now that we’ve looked at each level of culture, here are some more tips you can use to further the pursuit of innovation.</p>
<h3>Find Cultural Evangelists</h3>
<p>Within your cyber staff, you’ll find those that are all-in on cementing culture as innovative. These people already have a good base of people skills and will prosper in this new dynamic. Assign those employees to be cultural evangelists. They can work together to develop training and upskilling opportunities. Since it’s coming from their peers, others may find this more inviting and appealing.</p>
<h3>Define the Language of Innovation</h3>
<p>Earlier I discussed the issues in <a href="https://christianespinosa.com/blog/the-secure-methodology-step-four-communication/" target="_blank" rel="noopener">communication</a> among cyber professionals and mentioned their love of geek speak. Many use this language because they don’t want to reveal their weaknesses or limitations. It’s your job to banish this language and identify what the tenets of communication should be, which can include:</p>
<ul>
<li>Eliminating jargon that has no purpose</li>
<li>Encouraging and promoting active listening skills, which are just as important as language</li>
<li>Using inclusive language so that those individuals outside of cyber teams would understand</li>
<li>Reframing communication as a way to reach a result that technical people can relate to</li>
<li>Simplifying messaging</li>
<li>Praising positive communication moments to reinforce the value of it</li>
<li>Outlining how clear communication leads to innovation</li>
</ul>
<h3>Transform Fixed Mindsets into Growth Mindsets</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-two-mindset/" target="_blank" rel="noopener">Mindset</a> is the second step in the Secure Methodology, and it is critical to culture. People either have a fixed mindset or a growth mindset. You, of course, want professionals with the latter. That doesn’t mean those with fixed ones can’t evolve and grow, but it does take work.</p>
<p>A fixed mindset hampers your organization’s ability to be proactive in security and forward-thinking. These folks don’t want to innovate around this because it’s too unknown and uncertain. It will also erode culture. Here are some key steps to transform mindsets:</p>
<ul>
<li>Coaching and reflection: When communicating with a fixed mindset, asking the right questions matters. You need to take them back to a moment when their fixed mindset was a barrier. Such a moment could instigate reflection and more awareness of their behaviors.</li>
<li>Asking why: Again, questions posed to these folks can create aha moments. There’s an exercise called the <a href="https://christianespinosa.com/blog/finding-your-purpose-in-life-understanding-the-7-levels-deep-exercise/" target="_blank" rel="noopener">7 Levels Deep Exercise</a>, which I recommend. It will help uncover motivations.</li>
<li>Praising mindset changes: The third thing to do is to acknowledge and recognize when you see mindset shifts from fixed to growth. Something as simple as this can make a significant impact on future behavior.</li>
</ul>
<p>To round out this discussion, I want to leave you with some additional insights into innovation and security.</p>
<h2>Innovation and Security Aren’t Foes</h2>
<p>One of the biggest misconceptions in the cyber world is that security is a barrier to innovation. Such a perspective is dangerous to your culture and ability to defend data and networks in the cyber war. Security does not impede innovation. In fact, they work together very well with the proper perspective.</p>
<p>It’s not unlike the principles of DevSecOps, where development, security, and operations convene. In this strategy, security is part of the conversation from the beginning. It has equal weight with development and procedures, as it should. You cannot have innovation without security. Innovation, at its core, is about devising solutions that enable better results. If security is outside the innovation bubble, you may have a good idea, but it won’t come to fruition. It won’t be deployable and scalable.</p>
<p>So, you must build the case that they both can coexist harmoniously and should always have a link. Otherwise, you’ll waste time, money, and resources. If you leverage the tips and ideas from this post, you can easily demonstrate how vital security is to innovation.</p>
<p>If you’re ready to build your culture of innovation, you should learn more about the Secure Methodology, which you can find in my book, <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener"><em>The Smartest Person in the Room</em></a>. Additionally, I have a <a href="https://programs.christianespinosa.com/the-secure-methodology" target="_blank" rel="noopener">Secure Methodology course</a>, which delves further into the seven steps. Check them both out today.</p>
<p>The post <a href="https://christianespinosa.com/blog/how-to-create-a-culture-of-innovation-in-cybersecurity/">How to Create a Culture of Innovation in Cybersecurity</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://christianespinosa.com/blog/how-to-create-a-culture-of-innovation-in-cybersecurity/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>2023 Cybersecurity Trends: What Every Cyber Professional Needs to Know</title>
		<link>https://christianespinosa.com/blog/2023-cybersecurity-trends-what-every-cyber-professional-needs-to-know/</link>
					<comments>https://christianespinosa.com/blog/2023-cybersecurity-trends-what-every-cyber-professional-needs-to-know/#respond</comments>
		
		<dc:creator><![CDATA[Christian Espinosa]]></dc:creator>
		<pubDate>Thu, 01 Dec 2022 01:23:04 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breaches]]></category>
		<category><![CDATA[trends]]></category>
		<guid isPermaLink="false">https://christianespinosa.com/?p=2774</guid>

					<description><![CDATA[<p>The world of cybersecurity is dynamic. It quickly changes because cybercriminals are relentlessly persistent in their goal to breach organizations and steal valuable data. Many of the biggest threats aren’t new, but they evolve as hackers become smarter and the systems to stop them become stronger. In the year ahead, cyber professionals will have the [&#8230;]</p>
<p>The post <a href="https://christianespinosa.com/blog/2023-cybersecurity-trends-what-every-cyber-professional-needs-to-know/">2023 Cybersecurity Trends: What Every Cyber Professional Needs to Know</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="size-medium wp-image-2775 alignright" src="https://christianespinosa.com/wp-content/uploads/2022/12/kenny-eliason-mgYAR7BzBk4-unsplash-300x197.jpg" alt="cybersecurity trends - christian espinosa" width="300" height="197" srcset="https://christianespinosa.com/wp-content/uploads/2022/12/kenny-eliason-mgYAR7BzBk4-unsplash-300x197.jpg 300w, https://christianespinosa.com/wp-content/uploads/2022/12/kenny-eliason-mgYAR7BzBk4-unsplash-1024x673.jpg 1024w, https://christianespinosa.com/wp-content/uploads/2022/12/kenny-eliason-mgYAR7BzBk4-unsplash-768x505.jpg 768w, https://christianespinosa.com/wp-content/uploads/2022/12/kenny-eliason-mgYAR7BzBk4-unsplash-1536x1010.jpg 1536w, https://christianespinosa.com/wp-content/uploads/2022/12/kenny-eliason-mgYAR7BzBk4-unsplash-2048x1346.jpg 2048w, https://christianespinosa.com/wp-content/uploads/2022/12/kenny-eliason-mgYAR7BzBk4-unsplash-640x421.jpg 640w" sizes="(max-width: 300px) 100vw, 300px" />The world of cybersecurity is dynamic. It quickly changes because cybercriminals are relentlessly persistent in their goal to breach organizations and steal valuable data. Many of the biggest threats aren’t new, but they evolve as hackers become smarter and the systems to stop them become stronger. In the year ahead, cyber professionals will have the daunting task of defending their domain. So, what cybersecurity trends are on the horizon for 2023, and what strategies will you need to avert them?</p>
<p>Let’s find out.</p>
<h2>The Cybersecurity Trends: Existing and Emerging Threats Are on the Calendar</h2>
<p>Can you confidently say your cyber team is ready for the rapid changes in cybersecurity and the threat landscape? It’s hard to be certain. In fact, <a href="https://thoughtlabgroup.com/cyber-solutions-riskier-world/?roistat_visit=163429" target="_blank" rel="noopener">40% of chief security officers</a> agree they are unprepared. They cite many different reasons, including inadequate budgets, talent shortage, and the fast pace of innovation. These and any other barriers will always exist, regardless of whether you have a blank check and a room full of experts.</p>
<p>To achieve a higher level of confidence in your organization’s ability to defend its digital turf, you must understand what the landscape looks like and admit that you can’t stop everything. Proactive measures to address the risky trends ahead are ideal but not always possible. In the following list of trends, I’ll give you the bad news on risk along with some good news about what to do about it, which looks different from what you’ll hear other cyber experts say.</p>
<h3>Hybrid Work Becomes the Norm, and Your Security Footprint Will Only Get Larger</h3>
<p>Unsurprisingly, <a href="https://christianespinosa.com/blog/remote-work-is-here-to-stay-the-impact-on-cybersecurity/?roistat_visit=163429" target="_blank" rel="noopener">hybrid and remote work</a> models are becoming the norm. Employees want flexibility and autonomy, and employers have to stay in tune with what they want to retain them. Cyber professionals, however, aren’t exactly thrilled with this. They, too, want to work remotely, but it’s expanded the security footprint of every organization.</p>
<p>It’s not the company-issued devices that are the weak link, as you still have control over those, ensuring that anti-malware and antivirus tools are running and that applications are up to date. The problem is personal device usage to check email, engage in chats, and access documents. That’s where incidents are most likely to occur, and you have no idea how protected these devices are or aren’t.</p>
<p>Connecting to networks with these devices could make employees more susceptible to phishing attacks, whether by email or text message. These situations can also leave a company more exposed to ransomware attacks. So, what is a cyber leader to do with so many employees working from anywhere?</p>
<p>You can develop specific BYOD (bring your own device) rules and require that employees use the Outlook app rather than the built-in email feature on smartphones. More stringent policies that exclude all personal devices are another option, but they will be met with lots of resistance.</p>
<p>Building a security-aware culture that your cyber employees spearhead could be a more sustainable strategy. It also requires your cyber staff to think like a typical user and explore what their day-to-day looks like regarding security. If your team buys in to this approach, it will be more authentic and resonate more than a top-down directive that most will disregard.</p>
<h3>Persistent Phishing: Hackers Use Many Angles to Hook Users</h3>
<p>You likely aren’t surprised that a variation of phishing is on the 2023 cybersecurity trends list. Hackers have become much more sophisticated in how they target phishing attacks. They narrowly focus on a specific organization and keep trying new approaches, hoping they eventually wear down a person’s defenses and get them to respond.</p>
<p>Persistent phishing is the new normal, and cyber criminals do more than just send you an email from a spoofed URL. There are elements of social engineering in these tactics, where a recipient wouldn’t think it odd to receive an email from a company they recently engaged.</p>
<p>These can work, but hackers are taking it to the next level by attempting to impersonate others from a company, often CEOs or other high-profile people, so the user will take notice and respond. A user’s common sense can go out the door when they see an email that appears to be from the CEO.</p>
<p>Another new phishing tactic is sharing Google Docs (or other public cloud storage) links within emails, which can look legitimate. Many businesses use Google Drive as their file-sharing solution. Unfortunately, the security here is lax at best.</p>
<p>In the new era of persistent phishing, you’ll need to step up employee education to start. You can also use filtering tools to keep these emails from appearing in an inbox. AI tools can assist with this as well.</p>
<p>However, some things will get through your perimeter. Turn to your cyber team to manage this constant barrage of phishing scams and get their perspectives. Make this a regular discussion in team meetings. Look at your data and listen to your team. Not everyone is going to have a new idea. Many will just say to stay the course. You want your technical employees to be innovators, and you must create a space where that’s the culture. If you do, you may get some really good strategies to deploy to lessen the hook of phishing.</p>
<h3>IoT Vulnerability Grows</h3>
<p>No one would argue that IoT (Internet of Things) devices aren’t valuable. They generate a great deal of quality data that is crucial in various sectors, from manufacturing to transportation to retail. However, these devices must connect to your network to access and aggregate that data. As a result, they’ve become a target for hackers to infiltrate an enterprise. The more devices you connect, the more potential for a backdoor to open for hackers.</p>
<p>The proliferation of IoT devices is now a part of many companies’ data strategies. The IoT devices consumers use have long had lax security measures in the name of convenience. In the commercial space, security has been more robust. The problem with IoT devices as a vulnerability often arises from the need for them to be interoperable with other applications. Connecting all these points can become burdensome, so there may be slips around security. Additionally, these devices aren’t always under the control of cybersecurity teams because they sit in warehouses, on assets in the field, and in store locations.</p>
<p>You need to have IoT security protocols in place, but what may be more important is confirming that the devices are continuing to abide by them. That will require your technical folks to communicate with non-technical employees in the field. They’ll need to ask questions and possibly go to the sites where they are. That’s outside the comfort zone of many, and one more reason why <a href="https://christianespinosa.com/blog/how-to-develop-soft-skills-in-your-cybersecurity-team/?roistat_visit=163429" target="_blank" rel="noopener">developing soft skills for cyber employees</a> is critical. Without effective and consistent <a href="https://christianespinosa.com/blog/improving-cybersecurity-communication-skills-why-its-more-than-just-being-articulate/?roistat_visit=163429" target="_blank" rel="noopener">communication</a>, you’ll just be counting the days until an IoT security incident occurs.</p>
<h3>Hackers Are Still Hungry for Your Data</h3>
<p>In most organizations, the assets to protect are both digital and physical. The digital ones, being the data about customers, products, analytics, and everything else, have become much more valuable to criminals. The primary goal of hackers is to access your data and sell it. Data breaches are daily headlines now; there’s no surprise when we see the latest one.</p>
<p>Your organization has put all its efforts into protecting this data, but vulnerabilities still exist. It would be impossible to eliminate all of them. So, you’ve learned to live with risk, or have you? The biggest problem I’ve witnessed in my many years in cybersecurity is that those in charge of protecting your most valuable assets can’t admit that they don’t have all the answers. Many of them will do anything to hide uncertainty around this problem, and that mindset is dangerous.</p>
<p>If your cyber team can’t be honest that data breaches are still possible, they’ll be doing little to fortify your protections. They will be averse to applying new tools or strategies and unable to communicate and collaborate effectively. Hackers are the enemy, but the inside threat looms when you have employees that aren’t living in reality.</p>
<p>The best way to address this cybersecurity trend is by breaking norms and getting honest about who on your team is willing to grow and change their mindset. They may not fit the culture you want to cultivate if they can&#8217;t. They may have brilliant minds for technology, but their inability to think critically and with transparency means they are more of a risk than an asset.</p>
<h2>Addressing Cybersecurity Trends Requires an Agile Team</h2>
<p>The risks of modern business will only grow. Digital transformation is accelerating at light speed, and every organization wants to future-proof its technology and infrastructure. You should be on this path as well, with one major caveat. Even more important than the tools you use and the policies you set are the people behind them. You&#8217;ll be ahead of the curve if you have cyber talent on your team that’s agile and ready to pivot when needed.</p>
<p>You can learn how to develop this kind of team by following the <a href="https://christianespinosa.com/blog/the-secure-methodology-and-cybersecurity-leadership/?roistat_visit=163429" target="_blank" rel="noopener">Secure Methodology</a>™, a seven-step process to help technical folks gain soft skills that can lead to an improved security posture. Learn all about it in my book, <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/?roistat_visit=163429" target="_blank" rel="noopener"><em>The Smartest Person in the Room</em></a>.</p>
<p>The post <a href="https://christianespinosa.com/blog/2023-cybersecurity-trends-what-every-cyber-professional-needs-to-know/">2023 Cybersecurity Trends: What Every Cyber Professional Needs to Know</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://christianespinosa.com/blog/2023-cybersecurity-trends-what-every-cyber-professional-needs-to-know/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>3 Reasons Why Current Cybersecurity Measures Aren’t Working and How to Fix Them</title>
		<link>https://christianespinosa.com/blog/3-reasons-why-current-cybersecurity-measures-arent-working-and-how-to-fix-them/</link>
					<comments>https://christianespinosa.com/blog/3-reasons-why-current-cybersecurity-measures-arent-working-and-how-to-fix-them/#respond</comments>
		
		<dc:creator><![CDATA[Christian Espinosa]]></dc:creator>
		<pubDate>Mon, 14 Nov 2022 21:13:20 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[cyberwar]]></category>
		<guid isPermaLink="false">https://christianespinosa.com/?p=2767</guid>

					<description><![CDATA[<p>Most organizations think they have a good approach to cybersecurity. They check all the boxes and hope for the best. However, cybersecurity is dynamic, with new threats always on the horizon, and the traditional cybersecurity measures most businesses use don’t work. They often put too much emphasis on the technical element versus the human element. [&#8230;]</p>
<p>The post <a href="https://christianespinosa.com/blog/3-reasons-why-current-cybersecurity-measures-arent-working-and-how-to-fix-them/">3 Reasons Why Current Cybersecurity Measures Aren’t Working and How to Fix Them</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="size-medium wp-image-2768 alignright" src="https://christianespinosa.com/wp-content/uploads/2022/11/cybersecurity-6949298_1280-300x222.png" alt="cybercrime" width="300" height="222" srcset="https://christianespinosa.com/wp-content/uploads/2022/11/cybersecurity-6949298_1280-300x222.png 300w, https://christianespinosa.com/wp-content/uploads/2022/11/cybersecurity-6949298_1280-1024x757.png 1024w, https://christianespinosa.com/wp-content/uploads/2022/11/cybersecurity-6949298_1280-768x568.png 768w, https://christianespinosa.com/wp-content/uploads/2022/11/cybersecurity-6949298_1280-640x473.png 640w, https://christianespinosa.com/wp-content/uploads/2022/11/cybersecurity-6949298_1280.png 1280w" sizes="(max-width: 300px) 100vw, 300px" />Most organizations think they have a good approach to cybersecurity. They check all the boxes and hope for the best. However, cybersecurity is dynamic, with new threats always on the horizon, and the traditional cybersecurity measures most businesses use don’t work. They often put too much emphasis on the technical element versus the human element. That’s where things are going awry.</p>
<p>The real reason cybersecurity measures are failing is a people problem. That idea is the foundation of my book, <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener"><em>The Smartest Person in the Room</em></a>. Correcting this path requires the initial acknowledgment that you must develop your people into more than just technical minds. To adapt to a changing environment, they need soft skills that enable them to be strong communicators and collaborators.</p>
<p>In this post, I’ll review the latest data on cybersecurity risk and explore how to pave a new path to a more secure and agile system.</p>
<h2>The Latest Cybersecurity Data</h2>
<p>Threats continue to mount on the cybersecurity front. Cybercriminals have become more sophisticated and advanced. As a result, your people become either the strongest or weakest link in your cybersecurity measures. Here are some of the latest data points on the rate of crimes and how companies are dealing with them (or not).</p>
<ul>
<li><a href="https://www.weforum.org/agenda/2020/12/cyber-risk-cyber-security-education" target="_blank" rel="noopener">95%</a> of cyber breaches are the result of human error.</li>
<li><a href="https://www.accenture.com/_acnmedia/PDF-96/Accenture-2019-Cost-of-Cybercrime-Study-Final.pdf#zoom=50" target="_blank" rel="noopener">68%</a> of business leaders said their cybersecurity risk is increasing.</li>
<li><a href="https://www.cisco.com/c/dam/m/en_hk/ciscolive/2020-ciso-benchmark-cybersecurity-series.pdf" target="_blank" rel="noopener">42%</a> of companies are suffering from cyber fatigue.</li>
<li>The <a href="https://www.verizon.com/business/resources/reports/dbir/2021/masters-guide/" target="_blank" rel="noopener">breach breakdown for 2021</a> was 40% phishing attacks, 11% malware, and 22% hacking.</li>
<li>There were <a href="https://www.idtheftcenter.org/post/identity-theft-resource-center-2021-annual-data-breach-report-sets-new-record-for-number-of-compromises/" target="_blank" rel="noopener">1,862 reported data breaches</a> in 2021, surpassing the previous record of 1,506 in 2017.</li>
<li>The average time to identify a breach was <a href="https://www.ibm.com/downloads/cas/JDALZGKJ" target="_blank" rel="noopener">212 days</a> in 2021.</li>
<li>The average data breach cost in 2021 was <a href="https://www.ibm.com/downloads/cas/JDALZGKJ" target="_blank" rel="noopener">$4.24 million</a>, the highest ever.</li>
</ul>
<p>From these statistics, it’s easy to see that cybersecurity is a challenge for any organization, regardless of its maturity. 2021 was a record year, and not in a good way. It’s also critical to look at the numbers on why these incidents occur: human error. On top of that, you have apathy circulating in cyber teams, which is just as dangerous as hackers.</p>
<p>So, how do you avoid becoming a statistic?</p>
<h2>It’s Your People, Not Your Budget</h2>
<p>Many companies continue to increase their cybersecurity budget. These investments can be critical to the long-term protection of data and networks. They, however, don’t usually correlate with the development of your people. If you raise your spending, you’ll be better at fighting cybercrime but may not have the best-prepared team to back you up.</p>
<p>The point is that unlimited spending doesn’t make you more secure. You can have the best technology and a full staff, but you’re still weak if your people don’t work well together or with the rest of the company. If your employees have rigid mindsets about cybersecurity measures and won’t deviate from them, that’s a significant issue.</p>
<p>You likely don’t think of your team as incompetent, and no one is saying they are. They may have substantial experience and technical aptitude. However, it doesn’t cover up the fact that the profession is in a precarious position right now. There are three main reasons your cybersecurity measures aren’t working.</p>
<p><strong>First</strong>, you have the issue of <a href="https://christianespinosa.com/blog/how-to-recruit-and-hire-cybersecurity-professionals-to-help-you-win-the-cybersecurity-war/" target="_blank" rel="noopener">recruitment and retention</a>. The field is in desperate need of new talent. Unfortunately, your choices may be slim since it’s a candidate-driven job market. When you do look for more people, are you only concentrating on their technical experience and expertise? Are people skills even on the list?</p>
<p><strong>Second</strong>, there is a large group of cybersecurity professionals that have to be the smartest person in the room. Technical folks often think they are the only ones who know the answer and fail to communicate and cooperate. They are punching holes in the ship and waiting for it to sink. They believe they alone will be able to rescue it.</p>
<p><strong>Third</strong>, those entering the field may have credentials or degrees but aren’t ready to defend the company against cyber warfare. Again, it’s not that they don’t know the technical side of things. Most often, they aren’t prepared to work cohesively and amend their very narrow views. Further, most organizations aren’t doing anything to address this.</p>
<p>With all these people-related challenges to your cybersecurity measures, it’s time to pave that new path. As someone who has been in the industry in many different roles, I know this shift is hard. You, as a leader, have to commit, and so do your employees. However, I’ve tried to make it easy with a solution I developed called the <a href="https://christianespinosa.com/blog/category/secure-methodology/" target="_blank" rel="noopener">Secure Methodology</a>. It’s a seven-step approach that focuses on people skills development. When your team has the technical and people skills, your organization can be in a better position to ward off cyber-attacks.</p>
<p>Let’s look at each step and how it relates to developing your people.</p>
<h2>The Secure Methodology: How to Solve the People Problem in Cybersecurity</h2>
<p>The steps in the Secure Methodology tie together, each building on the others. Some steps take longer than others, but you can right your ship when you commit to them.</p>
<h3>Step One: Awareness</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-one-awareness/" target="_blank" rel="noopener">Awareness</a> includes self and others. First, people must understand what behaviors they can control and the impact of those behaviors. This can be difficult to comprehend for many technical people who often seem blissfully unaware. Getting in touch with your persona and how you affect the world is critical.</p>
<p>Second, to gain better soft skills and be collective problem-solvers, you must be aware of others. That requires communicating with them, asking questions, and avoiding making assumptions.</p>
<h3>Step Two: Mindset</h3>
<p>A fixed mindset is a big problem for cyber professionals. The objective is to move from fixed to growth. Many of your people will think they are already there because they can learn new technology, but we’re talking about being growth-minded in terms of soft skills.</p>
<p>At its core, a <a href="https://christianespinosa.com/blog/the-secure-methodology-step-two-mindset/" target="_blank" rel="noopener">growth mindset</a> welcomes the ability to change. Without this belief, people won’t grow. However, they also have to realize that change can be slow, but progress is progress, no matter how small.</p>
<h3>Step Three: Acknowledgment</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-three-acknowledgment/" target="_blank" rel="noopener">Acknowledgment</a> also has multiple layers. First, technical folks need to have self-acknowledgment and believe in their capabilities. Second, leaders need to acknowledge the work of their people and what they’ve accomplished. When you do this, people are more open to you and to change. Third, you should continue to acknowledge them for all the adjustments they make in the journey to achieve a higher level of people skills.</p>
<h3>Step Four: Communication</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-four-communication/" target="_blank" rel="noopener">Communication</a> is a part of every step and is often the most challenging for technical people. Communication includes word choice, the way you say it (tone), and body language. Communication is also about being an active listener.</p>
<p>Your cyber team may be very articulate and well-versed in technical speak, but that doesn’t make them good communicators. Honing these skills has such positive effects. Everyone can relate better, understand what’s important, work toward solutions together, and be more compassionate in how they talk to one another.</p>
<h3>Step Five: Monotasking</h3>
<p>Concentrated work is vital in cybersecurity measures. Its opposite — multitasking — can be a risk factor. When people <a href="https://christianespinosa.com/blog/monotasking-vs-multitasking/" target="_blank" rel="noopener">monotask</a>, the quality of work increases. The quantity may decrease, but scattered attention increases human error risk.</p>
<p>It’s hard to monotask with all the stimuli — emails, chats, phone calls, etc. So, your team can set a specific time to work on tasks and remove distractions to monotask effectively.</p>
<h3>Step Six: Empathy</h3>
<p>A lack of empathy is usually a lack of connection. Cyber professionals often can’t see past their own challenges. They have a self-centered view that doesn’t consider the plight of others. This type of thinking can lead to quick, inaccurate conclusions. As a result, it impacts communication and collaboration.</p>
<p><a href="https://christianespinosa.com/blog/empathy-vs-sympathy/" target="_blank" rel="noopener">Empathy</a> is about understanding someone else’s perspective. It’s not the same as sympathy. As a leader, you should embody empathy. That can help others transition their thinking, which often leads to better results and mitigated risk.</p>
<h3>Step Seven: Kaizen</h3>
<p>The last step is kaizen, a Japanese term for the philosophy of continuous improvement of operations involving all employees. It’s all about the progress that people make every day, and when they are on this path, they are more engaged and satisfied. When people can come to this way of thinking, they are growing and contributing. However, it requires practice and a stable resolve. It’s also crucial to hold to this even when things are uncertain, which is often the case in cybersecurity and life.</p>
<h2>Improve Your Cybersecurity Measures With the Right Guidance</h2>
<p>The seven steps are a kaizen of their own. Learning them and bringing them to your team is all about continuous improvement that includes all members. Some steps will be easier than others for some people. You’re there to go through them as well and stand by your employees who are willing to evolve!</p>
<p>You can learn more about each step and how to execute them, and find exercises in my book, <em>The Smartest Person in the Room</em>. <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener">Read it today to start the journey</a>.</p>
<p>The post <a href="https://christianespinosa.com/blog/3-reasons-why-current-cybersecurity-measures-arent-working-and-how-to-fix-them/">3 Reasons Why Current Cybersecurity Measures Aren’t Working and How to Fix Them</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://christianespinosa.com/blog/3-reasons-why-current-cybersecurity-measures-arent-working-and-how-to-fix-them/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
