cybersecurity

The Secure Methodology™ Step Six: Empathy

December 7, 2022 by Christian Espinosa

Empathy - Christian Espinosa Empathy in the professional world isn’t a new concept, but its adoption is lagging. Look no further than the Great Resignation as proof that how companies treat people must change. Many people have readjusted their beliefs about work and life in the past few years, so empathy’s importance is greater than ever and has a pivotal role to play in cybersecurity.

Empathy is a key component in winning the cybersecurity war. As such, it’s the sixth step in the Secure Methodology, which is a guide of seven steps that helps cyber leaders transform their employees into high-functioning communicators and collaborators. It builds on the five preceding steps: awareness, mindset, acknowledgment, communication, and monotasking.

Let’s dive into empathy and why it’s a critical aspect of cybersecurity.

Empathy Is Hard to Find These Days

While empathy is critically absent in many technical folks, the rest of the world isn’t demonstrating it much, either. It doesn’t mean that people are naturally unkind; instead, their concept of doing things to support others and the greater good gets canceled by their focus on differences.

It’s easy to ground a worldview in differences and an us-versus-them mentality. If we don’t feel personally impacted by something, we’re glad to look the other way. If “others” are different, then many of us can feel it’s none of our concern.

Except, at the end of the day, we have so much more in common. First, we’re all humans and face many of the same challenges. There’s a microcosm of this happening in your cyber team, especially in their beliefs about others. They typically see nontechnical roles as “others” who could never understand what they do, which creates a wall for communication and collaboration.

Everyone will always have specific roles, but when they become the foundation of how you react to others, it’s not serving anyone. For example, saying, “Oh, he’s a salesperson and can’t understand security risk,” means someone’s already discounting them and looking at them like a caricature.

This initial premise creates an empathy void, which has consequences for cybersecurity.

The Impact of the Absence of Empathy on Cybersecurity

So, how does a lack of empathy affect cybersecurity? It can cause a lot of problems, which can have a devastating impact on risk.

Technical Folks Can Be Intellectual Bullies

Bullying in the workplace is just as common as in the schoolyard. When people cannot see the perspective of others, they tend to act condescending and be defensive in every conversation. They use their intellect to belittle others, which fosters distrust and resentment. Unfortunately, bullying is often part of cybersecurity culture and goes unchecked.

Ego Cripples Empathy

These bullies often only have concerns for themselves. They have a narrow view that doesn’t include the needs of others. It’s especially detrimental when managers have egos that stunt the growth of others. It’s toxic and hampers the capabilities of a team.

Without Empathy, You Can’t Have a Team

The basic principle of a team is a group of people working together to accomplish a goal or solve a problem. Empathy is a prerequisite for this. When it’s missing, you can’t have a team.

On the one hand, we all have some type of belief about our inabilities. You would think this would encourage us all to be more empathetic. The challenge for many technical people is that they want to cover up insecurities and reject empathy for themselves and others. As a result, the foundational trust of being teammates isn’t there.

Empathy Emptiness Is More Than an Internal Problem

A cyber team that doesn’t prioritize empathy also hurts the relationships it has with others, whether they are an internal or external client. Technical people are responsible for security, but not in a vacuum. They must work with others to understand the objectives and concerns of these parties. When they don’t, they create a greater divide and overcomplicate situations, which causes further ostracization.

The stakeholders want to be involved and understand threats and risks. Just because they aren’t technical people doesn’t mean they can’t understand these things. However, if cyber professionals keep them in the dark, it only helps cyber criminals.

The Real Empathy Struggle for Technical People Is a Human Connection Problem

In my career and experiences, I’ve learned that human connection is the root of the empathy struggle for technical folks. Obviously, connection is essential to empathy in any capacity. If we’re all lone wolves and only focus on ourselves, there’s no connection.

Striving to build a human connection is an asset anyone can appreciate. It improves communication, collaboration, and perspective. Those things make people better at their job and happier in life in general.

So, how do you break people out of their one-track minds and cultivate a cybersecurity culture built on empathy?

How to Develop Empathy in Your Cyber Staff

You may think that developing empathy in technical professionals is beyond impossible. You’re already ready to skip to the next step and leave this one out because empathy is too emotional. Fair enough, but I wouldn’t have included it in the Secure Methodology without a plan. It’s an entire chapter in my book, The Smartest Person in the Room, and these are some excerpts that can help you find success.

The Framework Starts With Cognitive Empathy

There is more than one kind of empathy, and the focus here is cognitive empathy, which is the ability to understand someone else’s feelings and perspective. It’s somewhat different from its emotional counterpart, affective empathy, but it still has the same roots.

Additionally, you must frame your approach to differentiate between empathy and sympathy. They are quite different. Empathy describes the choice to connect with someone and accept their perspective. Sympathy doesn’t require the perspective aspect. Rather, it’s merely the ability to feel sorrow for how someone else feels.

People can be sympathetic but not empathetic. It’s a good trait to have, but empathy is what can drive organizational change and success.

Understanding Motivation

Motivation is a recurring theme in the Secure Methodology and applies to empathy. Grasping what motivates an employee is a key to helping them become more empathetic. Their motivation ties to the role they play in cybersecurity and supports a perception of a team working together. If they get this, they’ll want to grow their empathy.

Acknowledging Accomplishments

When you recognize the hard work of your staff, you create positive connections with them. In turn, it becomes a way to foster empathy. In addition to acknowledging achievements, you should also highlight similarities, struggles, and perspectives. This can create further connections between teammates and enrich trust.

Adapting Communication

It starts with you and your communication if you want your people to exemplify cognitive empathy. You have to be an example through how you communicate, which means admitting uncertainty and not always having an answer. They may be more likely to do the same if you can do this. Adapting your communication is critical and includes:

Avoid the word “why” because it triggers defensive responses.
Try making statements to uncover information, such as “Tell me what your plan is for this.”
Include the perspectives of others in how you communicate to demonstrate that the topic impacts many people.
Encourage people to explain those impacts on others when working through a cybersecurity challenge.
Continue to impress upon your team that listening is just as vital in communication as speaking.

Putting the Target Back on the Actual Enemy

It may seem apparent, but the enemy in the cybersecurity ware is the hackers. Yet, the “otherism” I defined earlier pits cyber professionals against colleagues. For those people who are stuck in the mindset of us versus them, they forget who the actual bad guys are. In fact, they’re helping the bad guys by functioning without empathy.

Staff too busy trying to stay in control of every cyber discussion and decision refuse to let the needs and perspectives of others have a place. As a result, cybercriminals win because team cohesion is absent. This is the most dangerous environment to operate in and will likely end in a breach or incident.

In working toward greater empathy, you must be clear about who the adversary is and that it’s nobody in the room. Connection within your team and with clients is critical to being proactive and prepared for cyberattacks. You can outmaneuver the hackers if you consistently focus on this and encourage empathetic capabilities.

Trust in Empathy to Revolutionize Your Cyber Culture

All the work from the previous Secure Methodology steps will put you in a position to develop empathy with your technical people. Having this new approach should also help you make better hiring decisions in the future. The bottom line is that empathy isn’t an innate human quality. We have to learn it, and you’re in a position to help people do this. That’s good for them personally and professionally. Get more tips on empathy and exercises by reading The Smartest Person in the Room.

How to Create a Culture of Innovation in Cybersecurity

December 4, 2022 by Christian Espinosa

Creating a cybersecurity culture isn’t a novel idea. It’s one that’s been around for some time, as the field and organizations realized that cybersecurity isn’t just about tools, protocols, and technical aptitude. Culture is much more about the people and, as a result, makes it much harder to build and sustain. People are unpredictable and don’t always have the skillsets to participate in culture. There’s an additional component of cultural manifestation, and it revolves around innovation. So, how do you develop a cybersecurity culture of innovation?

If it’s not a question you’re asking yourself as a cybersecurity leader, I would suggest you should. Innovation is the enemy of complacency. However, it requires cyber teams to look beyond their technical aptitude and leverage soft skills, which they may not have. It can seem like an uphill battle, but it’s worth considering the benefits it can bring your staff and business. Those advantages include satisfied employees, mitigation of risk, and the ability to meet continuous improvement goals.

So, let’s talk about fostering innovation in your cybersecurity culture.

What Is a Cybersecurity Culture of Innovation?

At the foundation of culture are people and behaviors. If those whose job is to protect data and networks have a closed mindset, fail to evolve their conceptions, or believe they are the smartest people in the room, culture will always be toxic. In these cases, risks become greater, turnover is high, and communication is nonexistent.

Conversely, a healthy culture has open-minded participants that want to work together effectively and continuously learn. That is an environment where innovation can thrive. It’s a place that welcomes new ideas, which can lead to a better security posture, engaged employees, and greater productivity. In this scenario, everyone benefits.

As you assess your current culture, you probably have gaps, some more than others. Filling those gaps aligns really well with the Secure Methodology™, so I’ll be referring to that as I describe the steps to take. The Secure Methodology is a seven-step guide for cybersecurity leaders to leverage to develop the people skills of technical folks. These steps don’t focus on cyber skills but rather interpersonal ones, which is the core of culture.

Building a Culture of Innovation

No matter where you’re starting in the culture journey, these pivotal elements will be necessary to propel your organization into one that’s agile, forward-thinking, and connected. Here are the areas to help you formulate a plan.

Cybersecurity Culture Involves Three Different Levels

When considering any culture configuration, there are always three levels to consider, from the top to the individual. While they have different roles in the organization and responsibilities around cybersecurity, they must work together to maintain a culture.

Leadership

This segment is the c-suite, including the CEO and CISO. They must lead by example if they want the culture to permeate. They are top-level decision-makers, but those don’t happen in a vacuum. They need to understand risk and how cyber operations work, which requires clear, consistent communication from cyber teams and individuals. Unfortunately, communication is often the skill most lacking in technical employees. If those that set the strategy and budgets are only fed geek speak, culture leadership is working with a handicap.

Communication, of course, goes both ways. When leaders set a precedent on how they expect communication to flow, it can break down some barriers. In the end, the c-suite needs communication development, as well. It’s especially true regarding what questions they ask, which should be more granular than they might currently be.

Team

Your cyber team comprises people with various skill sets, experience, and expertise. If they can build a coalition that taps into this, they’ll be at a good place regarding culture. However, we’re talking about behavior, communication, and cooperation. Those things are usually the Achilles’ heel of any cyber team.

The team dynamic and evolving it is a big part of the Secure Methodology. Its guidance takes into account the typical lack of people skills and how that impacts cybersecurity culture. Too often, your team operates in silos and wants to continue in this way. Many times, it’s about a fear that others will find out they don’t know everything. Except that’s precisely the kind of mindset you need to innovate!

When working on culture at this level, the Secure Methodology is an excellent framework that you can use to cultivate communication skills, awareness, empathy, and more.

Individuals

The last layer of culture is the individual. What applies here is similar to the team level with caveats. The biggest of those is motivation, as each person has their own. At this level, as the leader, you must make specific connections to understand that individual’s capacity to change and grow. It’s the most challenging part of cultural shifts, and not every person on your team will be ready for this.

The Secure Methodology includes exercises throughout the seven steps to assist with this. How each person reacts to these will determine their long-term cultural fit.

Now that we’ve looked at each level of culture, here are some more tips you can use to further the pursuit of innovation.

Find Cultural Evangelists

Within your cyber staff, you’ll find those that are all-in on cementing culture as innovative. These people already have a good base of people skills and will prosper in this new dynamic. Assign those employees to be cultural evangelists. They can work together to develop training and upskilling opportunities. Since it’s coming from their peers, others may find this more inviting and appealing.

Define the Language of Innovation

Earlier I discussed the issues in communication among cyber professionals and mentioned their love of geek speak. Many use this language because they don’t want to reveal their weaknesses or limitations. It’s your job to banish this language and identify what the tenets of communication should be, which can include:

Eliminating jargon that has no purpose
Encouraging and promoting active listening skills, which are just as important as language
Using inclusive language so that those individuals outside of cyber teams would understand
Reframing communication as a way to reach a result that technical people can relate to
Simplifying messaging
Praising positive communication moments to reinforce the value of it
Outlining how clear communication leads to innovation

Transform Fixed Mindsets into Growth Mindsets

Mindset is the second step in the Secure Methodology, and it is critical to culture. People either have a fixed mindset or a growth mindset. You, of course, want professionals with the latter. That doesn’t mean those with fixed ones can’t evolve and grow, but it does take work.

A fixed mindset hampers your organization’s ability to be proactive in security and forward-thinking. These folks don’t want to innovate around this because it’s too unknown and uncertain. It will also erode culture. Here are some key steps to transform mindsets:

Coaching and reflection: When communicating with a fixed mindset, asking the right questions matters. You need to take them back to a moment when their fixed mindset was a barrier. Such a moment could instigate reflection and more awareness of their behaviors.
Asking why: Again, questions posed to these folks can create aha moments. There’s an exercise called the 7 Levels Deep Exercise, which I recommend. It will help uncover motivations.
Praising mindset changes: The third thing to do is to acknowledge and recognize when you see mindset shifts from fixed to growth. Something as simple as this can make a significant impact on future behavior.

To round out this discussion, I want to leave you with some additional insights into innovation and security.

Innovation and Security Aren’t Foes

One of the biggest misconceptions in the cyber world is that security is a barrier to innovation. Such a perspective is dangerous to your culture and ability to defend data and networks in the cyber war. Security does not impede innovation. In fact, they work together very well with the proper perspective.

It’s not unlike the principles of DevSecOps, where development, security, and operations convene. In this strategy, security is part of the conversation from the beginning. It has equal weight with development and procedures, as it should. You cannot have innovation without security. Innovation, at its core, is about devising solutions that enable better results. If security is outside the innovation bubble, you may have a good idea, but it won’t come to fruition. It won’t be deployable and scalable.

So, you must build the case that they both can coexist harmoniously and should always have a link. Otherwise, you’ll waste time, money, and resources. If you leverage the tips and ideas from this post, you can easily demonstrate how vital security is to innovation.

If you’re ready to build your culture of innovation, you should learn more about the Secure Methodology, which you can find in my book, The Smartest Person in the Room. Additionally, I have a Secure Methodology course, which delves further into the seven steps. Check them both out today.

2023 Cybersecurity Trends: What Every Cyber Professional Needs to Know

December 1, 2022 by Christian Espinosa

The world of cybersecurity is dynamic. It quickly changes because cybercriminals are relentlessly persistent in their goal to breach organizations and steal valuable data. Many of the biggest threats aren’t new, but they evolve as hackers become smarter and the systems to stop them become stronger. In the year ahead, cyber professionals will have the daunting task of defending their domain. So, what cybersecurity trends are on the horizon for 2023, and what strategies will you need to avert them?

Let’s find out.

The Cybersecurity Trends: Existing and Emerging Threats Are on the Calendar

Can you confidently say your cyber team is ready for the rapid changes in cybersecurity and the threat landscape? It’s hard to be certain. In fact, 40% of chief security officers agree they are unprepared. They cite many different reasons—inadequate budgets, talent shortage, and the fast pace of innovation. These and any other barriers will always exist regardless of if you have a blank check and a room full of experts.

To achieve a higher level of confidence in your organization’s ability to defend its digital turf, you must understand what the landscape looks like and admit that you can’t stop everything. Proactive measures to address the risky trends ahead are ideal but not always possible. In the following list of trends, I’ll give you the bad news on risk along with some good news about what to do about it that looks different than what you’ll hear any other cyber experts say.

Hybrid Work Becomes the Norm, and Your Security Footprint Will Only Get Larger

Unsurprisingly, hybrid and remote work models are becoming the norm. Employees want flexibility and autonomy, and employers have to stay in tune with what they want to retain them. Cyber professionals, however, aren’t exactly thrilled with this. They, too, want to work remotely, but it’s expanded the security footprint of every organization.

It’s not the company-issued devices that are the weak link, as you still have control over those, ensuring that anti-malware and antivirus tools are running and that applications are up to date. The problem is personal device usage to check email, engage in chats, and access documents. That’s where incidents are most likely to occur, and you have no idea how protected these devices are or aren’t.

Connecting to networks with these devices could cause employees to be more susceptible to fall for phishing attacks, either by email or text message. These situations can also make a company more exposed to ransomware attacks. So, what is a cyber leader to do with the abundance of employees working from anywhere?

You can develop specific BYOD (bring your own device) rules and require that they use the Outlook App versus the email feature on smartphones. More stringent policies that exclude all personal devices are another option, but they will be met with lots of resistance.

Building a security-aware culture that your cyber employees spearhead could be a strategy that has more sustainability. It also requires your cyber staff to think like a typical user and explore what their day-to-day looks like regarding security. If your team has buy-in to this approach, it will be more authentic and resonate more than some top-down directive that most will disregard.

Persistent Phishing: Hackers Use Many Angles to Hook Users

You likely aren’t surprised that a variation of phishing is on the 2023 cybersecurity trends list. Hackers have become much more sophisticated in how they target phishing attacks. They narrowly focus on a specific organization and keep trying new approaches, hoping they eventually wear down a person’s defenses and get them to respond.

Persistent phishing is the new normal, and cyber criminals do more than just send you an email from a spoofed URL. There are elements of social engineering in these tactics, where a recipient wouldn’t think it odd to receive an email from a company they recently engaged.

These can work, but hackers are taking it to the next level by attempting to impersonate others from a company, often CEOs or other high-profile people, so the user will take notice and respond. Their common sense can out the door when they see an email that appears to be from the CEO.

Another new phishing tactic is sharing Google docs (or other public cloud storage) within emails, which can look legitimate. Many businesses use Google Drive as their file-sharing solution. Unfortunately, the security here is lax at best.

In the new era of persistent phishing, you’ll need to step up employee education to start. You can also use filtering tools to keep these emails from appearing in an inbox. AI tools can assist with this as well.

However, some things will get through your perimeter. Turn to your cyber team to manage this constant barrage of phishing scams and get their perspectives. Make this a regular discussion in team meetings. Look at your data and listen to your team. Not everyone is going to have a new idea. Many will just say to stay the course. You want your technical employees to be innovators, and you must create a space where that’s the culture. If you do, you may get some really good strategies to deploy to lessen the hook of phishing.

IoT Vulnerability Grows

No one would argue that IoT (Internet of Things) devices aren’t valuable. They are generating many quality data crucial in various sectors, from manufacturing to transportation to retail. However, these devices must connect to your network to access and aggregate that data. As a result, they’ve become a target for hackers to infiltrate an enterprise. The more devices you connect, the more potential for a backdoor to open for hackers.

The proliferation of IoT devices is now a part of many companies’ data strategies. The IoT devices consumers use have long had lax security measures in the name of convenience. In the commercial space, security has been more robust. The problem with IoT devices as a vulnerability often arises from the need for them to be interoperable with other applications. Connecting all these points can become burdensome, so there may be slips around security. Additionally, these devices aren’t always under the control of cybersecurity teams because they sit in warehouses, assets in the field, and store locations.

You need to have IoT security protocols in place, but what may be more important is confirming that the devices are continuing to abide by them. That will require your technical folks to communicate with non-technical employees in the field. They’ll need to ask questions and possibly go to the sites where they are. That’s outside the comfort zone of many, and one more reason why developing soft skills for cyber employees is critical. Without effective and consistent communication, you’ll just be counting the days until an IoT security incident occurs.

Hackers Are Still Hungry for Your Data

In most organizations, protecting assets is both digital and physical. The digital ones, being the data about customers, products, analytics, and everything else, have become much more valuable to criminals. The primary goal of hackers is to access your data and sell it. Data breaches are daily headlines now; there’s no surprise when we see the latest one.

Your organization has put all its efforts into protecting this data, but vulnerabilities still exist. It would be impossible to eliminate all of them. So, you’ve learned to live with risk, or have you? The biggest problem I’ve witnessed in my many years in cybersecurity is that those in charge of protecting your most valuable assets can’t admit that they don’t have all the answers. Many of them will do anything to hide uncertainty around this problem, and that mindset is dangerous.

If your cyber team can’t be honest that data breaches are still possible, they’ll be doing little to fortify your protections. They will be averse to applying new tools or strategies and unable to communicate and collaborate effectively. Hackers are the enemy, but the inside threat looms when you have employees that aren’t living in reality.

The best way to address this cybersecurity trend is by breaking norms and getting honest about who on your team is willing to grow and change their mindset. They may not fit the culture you want to cultivate if they can’t. They may have brilliant minds for technology, but their inability to think critically and with transparency means they are more of a risk than an asset.

Addressing Cybersecurity Trends Requires an Agile Team

The risks of modern business will only grow. Digital transformation is accelerating at light speed, and every organization wants to future-proof its technology and infrastructure. You should be on this path as well, with one major caveat. Even more important than the tools you use and the policies you set are the people behind them. You’ll be ahead of the curve if you have cyber talent on your team that’s agile and ready to pivot when needed.

You can learn how to develop this kind of team by following the Secure Methodology™, a seven-step process to help technical folks gain soft skills that can lead to an improved security posture. Learn all about it in my book, The Smartest Person in the Room.

3 Reasons Why Current Cybersecurity Measures Aren’t Working and How to Fix Them

November 14, 2022 by Christian Espinosa

Most organizations think they have a good approach to cybersecurity. They check all the boxes and hope for the best. However, cybersecurity is dynamic, with new threats always on the horizon. However, the traditional cybersecurity measures most businesses use don’t work. They often put too much emphasis on the technical element versus the human element. That’s where things are going awry.

The real reason cybersecurity measures are failing is because of a people problem. It’s the core foundation of my book, The Smartest Person in the Room. Correcting this path requires the initial acknowledgment that you must develop your people into more than just technical minds. They need soft skills to adapt to a changing environment that will enable them to be strong communicators and collaborators.

In this post, I’ll review the latest data on cybersecurity risk and explore how to pave a new path to a more secure and agile system.

The Latest Cybersecurity Data

Threats continue to mount on the cybersecurity front. Cybercriminals have become more sophisticated and advanced. As a result, your people become either the strongest or weakest link in your cybersecurity measures. Here are some of the latest data points on the rate of crimes and how companies are dealing with it (or not).

95% of cyber breaches are the result of human error.
68% of business leaders said their cybersecurity risk is increasing.
42% of companies are suffering from cyber fatigue.
The breach breakdown for 2021 was 40% phishing attacks, 11% malware, and 22% hacking.
There were 1,862 reported data breaches in 2021, surpassing the previous record of 1,506 in 2017.
The average time to identify a breach was 212 days in 2021.
The average data breach cost in 2021 was $4.24 million, the highest ever.

From these statistics, it’s easy to see that cybersecurity is a challenge for any organization, regardless of its maturity. 2021 was a record year, and not in a good way. It’s also critical to look at the numbers on why these incidents occur —human error. On top of that, you have apathy circulating in cyber teams, which is just as dangerous as hackers.

So, how do you avoid becoming a statistic?

It’s Your People, Not Your Budget

Many companies continue to increase their cybersecurity budget. These investments can be critical to the long-term protection of data and networks. They, however, don’t usually correlate with the development of your people. If you raise your spending, you’ll be better at fighting cybercrime but may not have the best-prepared team to back you up.

The point is that unlimited spending doesn’t make you more secure. You can have the best technology and a full staff, but you’re still weak if your people don’t work well together or with the rest of the company. If your employees have rigid mindsets about cybersecurity measures and won’t deviate from them, that’s a significant issue.

You likely don’t think of your team as incompetent, and no one is saying they are. They may have substantial experience and technical aptitude. However, it doesn’t cover up the fact that the profession is in a precarious position right now. There are three main reasons your cybersecurity measures aren’t working.

First, you have the issue of recruitment and retention. The field is in desperate need of new talent. Unfortunately, your choices may be slim since it’s a candidate-driven job market. When you do look for more people, are you only concentrating on their technical experience and expertise? Are people skills even on the list?

Second, there is a large group of cybersecurity professionals that have to be the smartest person in the room. Technical folks often think they are the only ones who know the answer and fail to communicate and cooperate. They are punching holes in the ship and waiting for it to sink. They believe they alone will be able to rescue it.

Third, those entering the field may have credentials or degrees but aren’t ready to defend the company against cyber warfare. Again, it’s not that they don’t know the technical side of things. Most often, they aren’t prepared to work cohesively and amend their very narrow views. Further, most organizations aren’t doing anything to address this.

With all these challenges related to your people regarding cybersecurity measures, it’s time to pave that new path. As someone who has been in the industry in many different roles, this shift is hard. You, as a leader, have to commit, and so do your employees. However, I’ve tried to make it easy with a solution I developed called the Secure Methodology. It’s a seven-step approach that focuses on people skills development. When your team has the technical and people skills, your organization can be in a better position to ward off cyber-attacks.

Let’s look at each step and how it relates to developing your people.

The Secure Methodology: How to Solve the People Problem in Cybersecurity

Each step in the Secure Methodology ties together, building on each other. Some steps take longer than others, but you can right your ship when you commit to them.

Step One: Awareness

Awareness includes self and others. First, people must understand what behaviors they can control and the impact of those behaviors. This can be difficult to comprehend for many technical people who often seem blissfully unaware. Getting in touch with your persona and how you affect the world is critical.

Second, to gain better soft skills and be collective problem-solvers, you must be aware of others. That requires communicating with them, asking questions, and avoiding making assumptions.

Step Two: Mindset

A fixed mindset is a big problem for cyber professionals. The objective is to move from fixed to growth. Many of your people will think they are already there because they can learn new technology, but we’re talking about being growth-minded in terms of soft skills.

At its core, a growth mindset welcomes the ability to change. Without this belief, people won’t grow. However, they also have to realize that change can be slow, but progress is progress, no matter how small.

Step Three: Acknowledgment

Acknowledgment also has multiple layers. First, technical folks need to have self-acknowledgment and believe in their capabilities. Second, leaders need to acknowledge the work of their people and what they’ve accomplished. When you do this, people are more open to you and to change. Third, you should continue to acknowledge them for all the adjustments they make in the journey to achieve a higher level of people skills.

Step Four: Communication

Communication is a part of every step and is often the most challenging for technical people. Communication includes word choice, the way you say it (tone), and body language. Communication is also about being active listeners.

Your cyber team may be very articulate and well-versed in technical speak, but that doesn’t make them good communicators. Honing these skills has such positive effects. Everyone can relate better, understand what’s important, work toward solutions together, and be more compassionate in how they talk to one another.

Step Five: Monotasking

Concentrated work is vital in cybersecurity measures. Its opposite — multitasking — can be a risk factor. When people monotask, the quality of work increases. The quantity may decrease, but scattered attention increases human error risk.

It’s hard to monotask with all the stimuli — emails, chats, phone calls, etc. So, your team can set a specific time to work on tasks and remove distractions to monotask effectively.

Step Six: Empathy

A lack of empathy is usually a lack of connection. Cyber professionals often can’t see past their own challenges. They have a self-centered view that doesn’t consider the plight of others. This type of thinking can lead to quick, inaccurate conclusions. As a result, it impacts communication and collaboration.

Empathy is about understanding someone else’s perspective. It’s not the same as sympathy. As a leader, you should embody empathy. That can help others transition their thinking, which often leads to better results and mitigated risk.

Step Seven: Kaizen

The last step is kaizen, a Japanese term that is the philosophy of continuous improvement of operations involving all employees. It’s all about the progression that people make every day, and when they are on this path, they are more engaged and satisfied. When people can come to this way of thinking, they are growing and contributing. However, it requires practice and a stable resolve. It’s also crucial to hold to this even when things are uncertain, which is often the case in cybersecurity and life.

Improve Your Cybersecurity Measures With the Right Guidance

The seven steps are a kaizen of their own. Learning them and bringing them to your team is all about continuous improvement that includes all members. Some steps will be easier than others for some people. You’re there to go through them as well and stand by your employees who are willing to evolve!

You can learn more about each step and how to execute them, and find exercises in my book, The Smartest Person in the Room. Read it today to start the journey.

What Is Zero Trust Architecture, and Why Should Your Organization Shift to It?

September 27, 2022 by Christian Espinosa

Zero trust architecture has become a buzz term in the cybersecurity landscape. Its development came from the realization that traditional security models were operating on outdated assumptions that everything inside an organization’s network should be trusted implicitly. With implicit trust, any user, once on the network, could move through it to access or exfiltrate data since no security controls existed. It’s a revolutionary way to think about cybersecurity for an organization and one that creates a disruption into business as usual.

But isn’t that what cybersecurity needs? I’ve been in the field for decades and authored a book about turning cybersecurity operations on their head. The reality is that we’re losing the cybersecurity war to hackers and threat actors. While my book focuses a lot on the professionals doing the job and their lack of valuable people skills, which causes the risk to increase, zero trust architecture should be part of the conversation on the next generation of cybersecurity.

What Is Zero Trust Architecture?

Zero trust architecture describes a strategic approach to cybersecurity that enables an organization to be secure by eliminating implicit trust and replacing it with continuous validation. Its beginnings sprung from the “never trust, always verify” principle. The design of the architecture is for modern environments in a modern world.

Zero trust architecture can play a critical role in digital transformation and leverages robust authentication methods, network segmentation, lateral move prevention, Layer 7 threat prevention, and granular simplification.

How Zero Trust Architecture Fits the Modern Business Landscape

Most companies, regardless of if they are digital natives, are striving toward digital transformation goals. There was a significant acceleration of this in the past two years due to the pandemic. The shift to hybrid work, migration to the cloud, and adaptation of security operations mean that zero trust architecture is having a big moment.

When set up and deployed correctly, this type of architecture provides higher overall levels of security while simplifying security complexity and operating overhead. This point is of major importance. Simplification of architecture doesn’t mean that it’s “less than” in any way. Rather, it’s about getting back to the basics.

Simplification is a big part of my book, The Smartest Person in the Room. Unfortunately, cybersecurity professionals tend to overcomplicate everything. Often this happens because of insecurities and the desire to be the smartest person in the room. If cybersecurity appears complex, they are always in a position of power. Zero trust architecture takes care of simplification so that a company can reinvent its security posture and culture.

So, how does an organization transition to this architecture and become a zero-trust enterprise?

How Does Zero Trust Security Work?

Establishing zero trust involves having visibility and control over the environment’s users and traffic. That covers the entire spectrum, including:

What’s encrypted
Monitoring and verification of traffic within the environment
Strong multifactor authentication (MFA) methods (not just passwords!)

This architecture also changes segmentation. It’s no longer rigid network segmentation at play. Instead, data, workflows, services, and everything else receive protection with software-defined micro-segmentation. As a result, everything is secure anywhere.

The Core Concept of Zero Trust

In this approach, the foundation of the strategy is to trust no one and assume everything is hostile. That’s a substantial change from traditional network security models that rely on centralized data centers and secure network perimeters. They grant access based on approved IP addresses, ports, and protocols. However, it’s easy to see why this setup just doesn’t fit the real world of cybersecurity. Hackers are too good these days. Infiltrating from the inside is something they do well.

Continuing to stay the course with these outdated security models heightens risk. While it may seem like a no-brainer to transition, the problem may be with your cybersecurity team. As I discuss in my book, technical folks are often resistant to any type of change. They may “fear” the move to zero trust, not because they don’t believe it will work, but because it’s outside of what they “know.” And that can be an even bigger threat to you than hackers.

With zero trust, there is no trust. The architecture treats all traffic, even that within the parameter, as in need of validation. It blocks workloads until such validation occurs. Protection is now environment-agnostic, enabling secure connections for users, devices, and applications.

Along with this core concept, there are more principles of the Zero Trust Model.

The Three Principles of the Zero Trust Model

It’s essential to remember that zero trust is a cybersecurity strategy to build your ecosystem. It goes beyond user identity, secure access, and segmentation. Its three tenets are:

Terminate every connection: Every connection terminates to allow an inline proxy architecture to assess all traffic, including encrypted traffic, in real-time before reaching its destination. It’s a much different approach than firewalls, which inspect files as they are delivered and then detect if they’re malicious. At that point, it’s too late. You have more control over traffic, which helps prevent malware and ransomware.
Protect data with granular, context-based policies: A zero trust policy will verify access requests and rights through context, such as identity, device, location, content type, and application requested. These policies are adaptive, meaning access privileges undergo continuous reassessment when the context changes.
Reduce risk by eliminating the attack surface: In zero trust, users connect directly to apps and resources they need — never to networks. This process removes the risk of lateral movement, preventing compromised devices from infecting others. Additionally, users and apps are invisible to the internet, so they aren’t discoverable for an attack.

Based on these principles, you can see that zero trust takes a new perspective on cybersecurity. In transforming your architecture in this way, you can also shift the mindset of your cybersecurity professionals.

Mindset is a vital aspect for cybersecurity professionals. It’s part of the Secure Methodology, which is a seven-step guide to transforming technical folks into excellent communicators and collaborators that welcome change and evolution. Getting cybersecurity professionals to adjust their fixed mindsets to growth ones is another crucial step to adopting zero trust architecture.

One way to facilitate this is by understanding the benefits of the approach.

The Benefits of Zero Trust that Will Interest Cybersecurity Professionals

There are many benefits to zero trust that the entire enterprise can reap. But what’s “in it” for the cybersecurity team? Will this change make them fearful and resistant? How do you get them on board?

No security position is 100% secure, and the risk of breach will always be present. The key point to hammer in on for cybersecurity professionals is reducing the attack surface. That’s something they can quickly grasp and see the advantages of without much pushback. With a reduced surface, mitigation of the impact and severity of cyberattacks is achievable.

Another benefit they can immediately understand is how zero trust is the most effective method for cloud security. It doesn’t trust any connection without verification. Your organization’s data sprawl and cloud computing are only increasing. Zero trust offers a path to being safer from end to end.

Finally, you just have to let them know it will make their life easier. No matter how resistant to change, cybersecurity professionals can’t argue with something that removes burdens from their plate. They might argue, but they must understand that this is in their best interest. The level of visibility that zero trust provides will deliver a much easier day-to-day workload.

Zero Trust Architecture and Its Impact on Cybersecurity Operations

Beginning the move toward zero trust begins with two questions:

What are you trying to protect?
From whom are you trying to protect it?

These are similar to the questions I talk about in my book that are the kickoff of any cyber project. Again, it goes back to the notion of simplification. These questions embody everything about cybersecurity.

When you have the answers to these questions, they’ll inform your strategy and architecture design. In most cases, it will involve layering technologies and processes on top of the strategy.

So, when does zero trust architecture make sense for an organization?

It’s prime for any use case with infrastructures that include multi or hybrid clouds, unmanaged devices, legacy systems, and SaaS apps. Further, it’s a vital component in preventing ransomware, supply chain, and insider attacks.

Implementation of zero trust has three main stages:

Visualize: Define all resources and their access points, then determine the risk.
Mitigate: Detect and prohibit threats or reduce the impact of a breach in case threats cannot be immediately stopped.
Optimize: Extend protections across the entire infrastructure and all resources, regardless of where they are while ensuring a seamless user experience for end users, IT, and security professionals.

That’s just the condensed version of stages, so you’ll want to flush out these stages in your strategy.

Is Zero Trust Your Next Cyber Move?

Evolving your cybersecurity operations involves architecture enhancements like zero trust, but it’s not something that will solve all risk problems. You must evolve your people as well. To learn more about how to do that in tandem with architecture transformation, read The Smartest Person in the Room.

How to Recruit and Hire Cybersecurity Professionals to Help You Win the Cybersecurity War

September 27, 2022 by Christian Espinosa

cybersecurity jobs The field of cybersecurity is growing, but the pool of qualified candidates is not. Nearly every industry deals with labor shortage challenges due to the pandemic, the Great Resignation, and other factors. However, cybersecurity was already experiencing recruitment and retention problems. Even with new people entering the market, it would be remiss to count them all as ready for the cybersecurity war. So, how do you recruit and hire cybersecurity professionals in these times? And is technical prowess the only factor to consider?

The Cybersecurity Labor Landscape

To begin the discussion on recruitment and hiring, let’s look at some of the data on the cybersecurity labor landscape.

The shortage of cybersecurity professionals is 2.72 million globally.
As of June 2022, there were 714,548 total cybersecurity job openings.
78% of decision-makers stated that it’s hard to find certified people.

So, it seems there is a tremendous opportunity for those that want to enter the field. Many employers welcome them, with 91% willing to pay for training and certification. Cybersecurity is an attractive field with the potential for high earnings and upward mobility. With such an appealing opportunity, you could argue that labor shortages will dwindle, especially as more digital natives enter the workforce. So, maybe recruiting and hiring cybersecurity professionals will get easier.

The risk of these presumptions goes back to the idea of qualification, which goes beyond technical skills. In fact, leaders said the highest skill gap in cybersecurity is people skills. This response demonstrates a needed shift from what makes someone a good hire for these roles.

So, why should you care about people skills if candidates have the credentials and experience? As I’ve learned in my decades in the industry, people skills should always be a priority for technical roles. Without these, cybersecurity professionals make crucial missteps based on their own hubris and over-confidence. They don’t communicate or collaborate, and that’s the real reason we’re losing the cybersecurity war. It’s the central theme of my book, The Smartest Person in the Room.

So, let’s talk more about people skills.

Why People Skills Matter in Recruiting and Hiring Cybersecurity Professionals

There are many stereotypes about those in technical roles. It’s easy to lob them all together as bad communicators, inflexible, stubborn, and difficult. Some of this is true, as technical folks often eschew people skills as being important. Yet, they are so vital! Without people skills, these people won’t learn, grow, collaborate, or adapt, and those things are crucial in cybersecurity.

People skills matter because the war zone of cybersecurity isn’t just ones and zeroes. There are hackers on the other side who are deeply passionate about what they do, even though it’s illegal and immoral, to say the least.

Your cybersecurity team needs to have that same passion, which comes only from people skills. The most adept technical professional can be a bad hire when they come up short here.

These are the people skills I think are the most critical:

Empathy: When someone can understand another’s perspective, it makes them better at their job. They can comprehend someone’s mental state and what that might mean, whether that’s a coworker or a criminal on their other side.
Communication: This is the number one people skill for cybersecurity candidates. It’s the core of how we operate. Being a great communicator doesn’t mean you say whatever comes to mind. Rather, it balances expressing thoughts wisely and being excellent listeners. Successful interactions within the team and with other stakeholders are imperative to avoid miscommunication and misconceptions, which are the leading causes of cybersecurity failures.
Adaptability: Cybersecurity is a dynamic field, so those working in it must adapt quickly and be willing and open to change. A lack of this people skill could sink your cybersecurity operations.
Vulnerability: Being vulnerable is really about being honest and having trust. You’ll have to create a safe place for people to be vulnerable, where no one is scared to be wrong. Making this part of your people skills list can provide an ideal environment for solving cybersecurity challenges.

Gauging these people skills is much more complex than testing technical ability. There are many candidates out there masquerading as qualified applicants. They may be, on paper, that is.

Avoiding Hiring Paper Tigers

Paper tiger is a term in the industry that originates from the Chinese phrase zhi lao hu (纸老虎). In the technical world, it simply means that people look good on paper—resumes with an extensive list of certifications, for example. Yet, they lack the skills, experience, and expertise to succeed in cybersecurity.

Candidates like these will land in your inbox. You may not be able to spot them at first glance. So, you’ll have to draw conclusions based on interviews and conversations. Here are some key things to consider:

Where did they earn certifications? Not all organizations that provide credentials are “cyber mills,” taking in money to deliver the certification. The most legitimate and credible are practical and scenario-based exams from CompTIA and EC-Council.
How do they speak about their work experience? Not every applicant will have multiple years of experience, and you shouldn’t discount those new to the field. For those that do, you’ll want to hear about specific projects or responsibilities. Someone who uses a lot of jargon and buzzwords and talks in the abstract is likely a paper tiger.
What motivates them? Different people have different motivations for why they work. Money is at the top of the list. It’s not necessarily a red flag for those that are money motivated. After all, we’re not working for free. However, you’ll find that those who desire meaningful work (roles that are fulfilling), a collaborative team, and being part of something bigger will rank highly on people skills.
What kind of people skills do they exude? Ask questions that tie into the people skills described above. You can even “score” their people skills with assessments like TriMetrix® HD.
Is their knowledge book-based or experience-based? This evaluation concerns your defense posture and whether someone can react in the real world where stress and pressure exist.
How big is their ego? Ego can be a detriment to cybersecurity when your employees believe they can never be wrong. They will be wrong eventually and many times over. If their ego doesn’t fit through the door, it won’t fit on your team, either.
How do they work? Someone’s approach to the day-to-day matters, and you want to see someone with focus. Ideally, in cybersecurity, your employees should be mono-taskers (the opposite of multi-taskers). That undivided attention is necessary in the high-stakes world of cybersecurity.

Now that you know what people skills are critical and the steps to avoid paper tigers, I’ve got a few more tips for recruiting and hiring cybersecurity professionals.

Final Takeaways on Recruiting and Hiring Cybersecurity Professionals

Look to past hiring decisions as learnings, whether they turned out good or bad. Even as you evolve how you hire and recruit, you won’t always make the perfect hire. If you can learn from the past, you’ll be better prepared for the next hire.
Treat the interview as a conversation. You want to learn about the candidate, and they need to find out about the organization. Making these interactions rigid and controlled is a disservice. That’s not how things play out in the real world, so don’t treat this like an inquisition.
Don’t sell your organization short by filling the chair with anyone. A chair occupied by a paper tiger could cause more chaos than harmony. Don’t rush the hiring process because of these feelings. It’s always better to wait for the right person than make do with someone who isn’t.
Be sure the candidate fits your culture. When there’s misalignment here, the hire often becomes turnover. Talk about the culture of the organization and your department to discern how they’ll fit in with your organization. The assessment discussed earlier can help you determine this, too.
Be wary of job-hoppers. I typically screen these people out, but it’s not a rule without exceptions. They may have shorter tenures because of things outside of their control (e.g., layoffs, relocations, etc.). For anyone who’s trying to hire cybersecurity professionals, you know job-hopping is rampant. Consider the circumstances and context, then exclude anyone that looks like a risky hire.
Remember that people skills are teachable, and you can help your team develop them. That’s the sentiment behind the Secure Methodology, a seven-step guide to advancing technical folks from two-dimensional stereotypes to fully engaged and highly communicative team members. Of course, your staff has to be open to change and growth for this to work, which is one more reason to look for those with high potential for people skills in the hiring process.

Get more tips and strategies on how to build a team of cybersecurity professionals to help you win the cybersecurity war by reading my book, The Smartest Person in the Room.