
The Cyber Threat No One Talks About — the Absence of a Cybersecurity Culture

Cybersecurity Culture - Christian Espinosa

In the conversation regarding cyber threats, the perspective is typically on defeating cybercriminals. The threat lens is from the outside, which is very true. Hackers are motivated and persistent in their pursuit of stealing data, deploying ransomware, and causing havoc.

However, the cyber threat that’s as potent is what’s happening within an organization. A lack of a cybersecurity culture can increase risk exponentially. While the concept of a cybersecurity culture isn’t new, it’s still a challenge for most technical teams. When not present, cyber professionals work in siloes, avoid accountability, communicate ineffectively, and erode collaboration.

If these characteristics seem too familiar, it’s time to address, reimagine, or build a culture that values communication, collaboration, curiosity, awareness, and cooperation. Failure to pivot and adopt such a framework could be the reason that you become a cyber statistic.

What’s the Ideal Cybersecurity Culture?

For the purpose of this discussion, I’m referring to cybersecurity culture as the principles and values of the cyber team, not the enterprise. There is a difference. In the latter, cybersecurity culture describes how all stakeholders and employees understand the threat landscape and work toward adopting best practices to avoid things like phishing attacks.

In terms of your team, cybersecurity culture is the environment in which your technical folks work to prevent attacks, analyze risks, deploy new strategies, and keep the organization as secure as possible.

The ideal culture to aim for includes these ingredients:

  • Consistent and clear communication
  • Awareness around someone’s actions and the perspectives of others
  • A foundation of trust and respect
  • Collaborative interactions that support the organization
  • Championing a growth mindset where individuals can adapt and evolve
  • Empathy and understanding others’ feelings and perceptions

You may find this list overwhelming, but these are the tenets of any effective culture. Each of these elements is necessary to drive progress on the individual and team levels. So, what happens when culture is nonexistent? And what’s the impact on risk?

A Lack of Cybersecurity Culture Compounds Risk

As a cyber professional, your entire view of your actions is measured in risk. Even those businesses with robust cyber controls still have exposure to risk. It’s unavoidable in the modern age. Except that the threat isn’t always outside. Cybercriminals are rightly painted as the enemy, but the absence of a cybersecurity culture makes you more vulnerable. Here’s why.

Shared Responsibility and Accountability Failures

Your cyber team must be one that shares responsibility and takes accountability. There is no leeway on this one. It would seem to be a given that your people must work together in every component of security. Unfortunately, this isn’t happening in most organizations.

The reasons are complex, but ultimately, it comes down to the fact that technical folks have deficiencies in people skills. They are defensive and aggressive with communication and singularly focus on what they believe are the proper practices. Instead of forming a team to defeat the hackers, they often in-fight with one another, each trying to take the title of the smartest person in the room. As with any situation like this, internal animosity gives cybercriminals the edge.

Communication Stalls, Heightening Risk Incrementally

When your people are acting as teams of one, communication is toxic and ineffective. It comes out as snide remarks with an air of condescension in every word. How can a team protect your organization when they can’t even communicate?

You likely recognize the attributes of dysfunctional communication within your team, although you might not see it for the risk it truly is. Without a set of rules around discussion and conversation as part of your culture, you will experience greater risk in every area of cybersecurity.

Acknowledgment Gaps Grow Seeds of Disengagement

Another key part of a cybersecurity culture is acknowledgment. All too often, the only acknowledgment teams receive is about what went wrong. You can’t avoid mistakes and errors, but as the cyber leader, you need to make room for acknowledgment of progress and what’s going right.

Your cybersecurity culture has to be a safe place for this to occur so that feedback can be more positive and specific. You can still correct behavior and guide people toward best practices. If this never happens, employees will become disengaged and resentful. They’ll see you or the organization as the enemy, not the hackers.

These challenges are inherent in cybersecurity but not without a solution. Transforming technical professionals into excellent communicators and collaborators is the core of building your culture.

How to Build a Sustainable Cybersecurity Culture

No matter how mature or large your cyber department is, you can construct and foster a sustainable culture that decreases risk. As someone who has years of experience building resilient and adaptable technical teams, I found it evident that culture was a people problem.

As a result, I developed strategies and initiatives to correct it in the Secure Methodology™. It’s a seven-step process that helps cyber leaders develop soft skills in their staff with the outcome of a cohesive team ready to protect an organization. Here’s how it applies to culture development.

Employees Need to Know Their Contributions

The seven-step guide touches on how employees see themselves in terms of the enterprise and its impacts. The problems with this are twofold. First, they often believe themselves to be individual contributors because they subscribe to a lot of black-and-white thinking. They want to remain solely in their lane, which causes siloes and fractures in collaboration and communication.

The second part is that they don’t feel valued or appreciated for what they do. As a result, they don’t know that what they do matters, which makes them complacent, elevating risk.

To address this, you need to work on acknowledgment, provide a clear vision of the role cyber teams play in company objectives, and champion constant communication.

A Shift to a Growth Mindset Is Imperative

You can either have a fixed or growth mindset, and cybersecurity culture only flourishes under the latter. When your technical employees are set in how they see cybersecurity and the world, they can’t grow. It’s not about learning new technical skills; they feel comfortable with this. Rather, it’s about changing perspective, which requires hard work.

If you can construct a culture that encourages growth and change, your people may be less afraid to do so. They have the potential to do this. It simply requires commitment.

Communication Is Everything

Communication includes the words we use, how we interact, and our listening ability. A lot of communication is actually nonverbal, and I can’t emphasize enough how crucial it is to understand that.

Typical technical communication is acronyms, jargon, and overcomplicating the simplest explanation. Cyber professionals have been indoctrinated in many ways to communicate in this way. It’s time for you to help them break these bad habits because they’re hurting all parties.

You’ll need to dedicate a lot of soft skill development to communication with exercises and resources. You also must lead by example, ensuring that your message is consistent and instructive. It becomes the bedrock of your cybersecurity culture, enabling your team to work as one.

Communication skills are also always in need of improvement and work. With any change to culture or new risk on the horizon, your team must continue using what they learn. That’s how it becomes culture — through daily use!

Focus and Distractions in a Dynamic Environment

Another component of building a cybersecurity culture is that the environment is so dynamic. As a result, focus can become disrupted, and distractions are plentiful. The best way I know to tackle this is by monotasking.

Monotasking requires concentrated work. It’s not a term that’s celebrated in the business world because it’s the opposite of multitasking. We’re brainwashed to multitask constantly; when we do, our attention strays. In cybersecurity, this becomes a threat.

The demands on cybersecurity never ease and require immediate responses. This paradigm won’t change. However, if your culture encourages monotasking, so that focus on specific tasks is distraction-free, your people will likely be more productive and effective.

Connecting with Others Means Shedding Self-Centered Thinking

A healthy cybersecurity culture focuses on cognitive empathy. It’s the notion of understanding the feelings of others and their perceptions. Empathy is the choice to connect with someone and accept their perspective. When present, it delivers many advantages in how you manage cyber risk because it fuels the belief that change and adaptation are good.

Again, empathy starts with you as a leader. If you demonstrate it regularly, it begins to weave its way into your culture. Making it a priority to educate your people on empathy and how to make it part of their skill set is critical to their remembering who the real enemy is — the hackers.

A Strong Cybersecurity Culture Thwarts Internal Threats

Cultivating a strong cybersecurity culture is something you have control over, which is rare in the field. If you promote one that values communication, collaboration, trust, acknowledgment, and empathy, you have an advantage over external threats. You can learn more about applying the Secure Methodology to culture by reading my book, The Smartest Person in the Room.

The Secure Methodology™ Step Two: Mindset

Mindset impacts everything we do. It’s the one thing someone can control in most situations. When your mindset is broad, overcoming challenges seems possible. Since cybersecurity is really a discipline riddled with challenges, you can see why mindset is so important. That’s why it’s the second step in the Secure Methodology. It builds on what you learned in step one, awareness.

What Is the Secure Methodology?

First, here’s a refresher on the framework of the Secure Methodology. It’s a guide with seven steps featured in my book, The Smartest Person in the Room. Its purpose is to help organizations transform their technical teams into excellent communicators. It provides tools to think outside of ones and zeroes or black-and-white thinking.

Using the Secure Methodology can build a more collaborative group and enhance their people skills. As a result, your cybersecurity will be more adept at preventing and responding to threats.

In this article, I’ll briefly summarize the elements of step two, mindset, with a glimpse at what you can learn in the book that can impact your cyber professionals.

Two Dimensions of Mindset: Fixed and Growth

The idea of two different mindsets — fixed and growth — isn’t new, but it still provides the foundation for how to evolve it. First is the growth mindset. In this condition, people believe they are in charge of their own life. You realize you are the cause, not the effect.

Those with a growth mindset have no doubts that they can overcome challenges. They see possibilities where others don’t. They are willing to try new things and have a curious nature that loves to learn. These people are solution-centric and have a passion for solving problems.

A fixed mindset is much the opposite. Those in this category think everything is set in stone, and they have zero control. They believe they are the effect, not the cause. In most cases, they are closed-minded and have no desire to learn and change. These beliefs limit everything they do. They are confined by them and stay stuck.

A growth mindset is what you’d like to see in all your cyber professionals. However, you’re probably already aware that’s not the case. So, why is a growth mindset so critical in these settings?

Without a Growth Mindset, There’s No Ownership of Actions

A growth mindset is flexible and adaptable. Those with it own their actions and can learn from them. Without this accountability, failure would always be the fault of someone or something else.

The willingness to lean into mistakes and grow from them is a skill that helps anyone in business and life. Because cybersecurity is a big puzzle with new pieces appearing constantly, a growth mindset allows people to adjust to this environment. Those with a fixed one won’t thrive. They just want to go through the motions, and that’s a big threat to your organization’s security.

Mindset’s Impact on Cybersecurity

The most vital aspect of mindset in cybersecurity is facing the truth. That means complete transparency around the threats posed every day and the weaknesses and vulnerabilities of a network. Growth mindsets can handle the truth; fixed mindsets are always running from it.

Lack of an open mind keeps people in the same routine of going through the motions of cybersecurity. They approach every project the same, overcomplicating it so they look like the smartest person in the room. These individuals have very narrow blinders on and simply recite the processes like it’s a monologue in a Shakespeare play.

Fixed mindsets can’t accept anything new, including solutions that are a good match for the issue at hand. If you have a team walking around not facing the truth, your organization could be in serious cyber trouble.

How Fixed Mindsets Bungle Cybersecurity

So, what does fear of the truth and an inflexible mindset look like in cybersecurity? Lots of examples are happening all around you. Here are some scenarios.

Password Vulnerabilities

Penetration testing is a normal part of keeping an application secure. One can reveal many cracks in the security walls. Often, passwords and algorithms that generate them can have flaws.

Correcting for this doesn’t have to be overly complex. Yet, time and time again, I’ve seen cyber leaders do just that. Rolling out complicated authentication systems gives the illusion of better security. It can also be expensive.

When cyber professionals are too focused on their one way to solve a concern, they see no other alternatives. As a result, it makes things less secure.

Communication Breakdowns

Another example is simple communication within a team. It can be regarding a major project, a cyber rule, or another exchange. For example, you could be debriefing an incident, and fixed mindset people will communicate in a manner that deflects blame and offers no insight.

They cannot accept the truth of the situation and feel it was unavoidable because they did the things they’ve always done. That type of thinking will sink cyber initiatives and strategies. You’ve got too many people in the boat unwilling to paddle.

So, is mindset changeable? Can you put a fixed mindset through experiences that help them break free from it? First, people need to have the right commitment.

Commitment Is Crucial

A growth mindset is the first building block, but your team has to do more. They must commit to this mindset. In doing so, there’s no friction or barrier to trying a new approach to an old problem. So, it’s not enough to be in a place of growth; they also have to commit to evolving.

The commitment goes beyond that of change. Your team also needs to commit to cybersecurity. Without this, winning the war against cyber criminals is a losing proposition.

They also need to be dedicated for the right reasons. Cyber professionals that only see dollar signs won’t hack it. Cybersecurity is a hard industry. There’s a lot at stake. The pressure is palpable, and it’s constantly changing. A committed growth mindset enables professionals to be nimble and creative.

Transforming Mindsets of Your Cyber Team

Change, in any situation, is hard. It’s much easier to keep going on the same track and not deviate. However, that’s a one-way street to failure. So, you’ll need a solid approach to change these minds and hearts.

If there’s potential for a growth mindset and a commitment to cybersecurity, there are ways to support transformation. Here are some of the best tips for this.

Encourage Reflection

By asking the right questions, you can take a person back to a moment to consider how they might do things differently. Be specific in the questions by asking for two or more things they would do to improve the situation.

Based on their responses, there are coaching opportunities. Reflection looks back, but you want them to take what they learn and move forward.

It may be difficult to pull out these reflections from people not used to doing this. You don’t want it to feel stressful or overwhelming because your mindset closes up when this occurs. The alternative is to recommend that they write about it for at least five minutes. This can be cathartic and move them toward opening up their minds.

Ask Why

Another method to use for mindset is asking why in the 7 Levels Deep Exercise. This is because it takes the average person seven questions to crack into their “why.” You’re peeling back the layers to determine true motivation by going through this exercise.

You can’t move forward with mindset change unless you know the person’s motivation. Not all motivations will align with an open mindset. If those reveal themselves, and there seems nowhere to go, those people may not be the best fit for your cyber team.

Acknowledge Small and Big Shifts in Mindset

Your mantra as a cyber leader in terms of mindset is that a growing one helps people succeed. When you see shifts in this, whether big or small, you should acknowledge them. It doesn’t have to be anything big, just an appreciation of the evolving mindset patterns.

For example, your team could be discussing the latest phishing scams that are causing chaos. You have a protocol and strategy around phishing that combines technology tools and training. So, a fixed mindset would follow the same trail. If one of your employees speaks up about adjusting it to account for something new based on past learnings, that’s a growth mindset. This is an opportunity to reinforce this type of thinking. Share with your team why this response is what will assist them in winning the cybersecurity war.

Learn More About Mindset in the Secure Methodology

Find more insights, explanations, tips, and exercises on impacting mindset in The Smartest Person in the Room. With this information, you can develop your staff and help them evolve toward a growth mindset. You’ll also find all the steps of the Secure Methodology and how to integrate them into your cybersecurity operations. Get your copy today.
