Why Organizations Should Pivot to DevSecOps

The first iteration of making development and operations work in tandem was DevOps. The strategy married the two as both a practical, tactical approach and a cultural philosophy. The objective was to automate and integrate software development and IT. However, it left out a fundamental principle — security. That was rectified with the origination of DevSecOps — the trifecta of development, security, and operations.

Security was previously an isolated segment of the process, coming at the end. Except that wasn’t very effective. Leaving security as an afterthought meant delays in new iterations and lots of rework, which was expensive. There was a realization that security shouldn’t be the red-headed stepchild but deserved a full seat at the table. Collaboration among all three can lead to many benefits, so why hasn’t every organization pivoted? And why should they now?

Secure by Design

The underlying foundation of DevSecOps is to be secure by design. Security is a consideration at the conception of the project, not an afterthought. Even in rapid deployment, which is part of today’s digital transformation schematic, security must be part of the concept.

The importance of DevSecOps to cybersecurity lies in the notion that everything developed and operated has consistent security and that it’s scalable. The biggest clash in DevSecOps may be between your security experts and those who see security as a hindrance. This hurdle can seem insurmountable, and as a cyber leader, you may have to put yourself in a position to evangelize that security doesn’t have to impact agility.

Creating a Balance: Security and Agility

Business leaders in your organization demand velocity in development and operations. The reasons are apparent — greater efficiency, reduced costs, and more revenue opportunities. Those priorities may not be yours. You can understand the need for faster development to support these business objectives. Still, you’re also keenly aware that your company won’t meet its goals without security in applications and operations.

The question then becomes, how do you balance security and agility? From your perspective, you know that security and agility aren’t mutually exclusive. Security doesn’t halt agility and can support it. The misconception that security is a barrier to innovation isn’t new, yet it persists. It may even be present in your cyber team. As a result, you must make a case for security, knowing that your security mindset narrowly focuses on risk in a way that development and operations cannot.

Now, you’re at a crossroads of convincing technical and business stakeholders that all three can work harmoniously. There are plenty of guides to building DevSecOps, and I’m not going to rehash those. Rather, I want to show you how the Secure Methodology™ and DevSecOps have much in common.

Applying Secure Methodology Lessons to DevSecOps

As a refresher, the Secure Methodology is a seven-step framework that helps cybersecurity leaders transform their staff into effective communicators and collaborators. It’s a pathway to take technically adept folks who lack the foundational skills to be curious, innovative, and welcome growth. In a way, the Secure Methodology has many things in common with DevOps and DevSecOps cultures. In all three concepts, there are synergies, including:

  • Collaboration and shared responsibility
  • Accountability in every aspect of the cyber landscape
  • Standardization around cybersecurity practices
  • Aligning security with business objectives
  • Increased transparency and communication
  • Continuous learning and improvement
  • High empathy and trust

These are all cornerstones of the Secure Methodology and DevSecOps. Next, we’ll go through the seven steps and how they can help you pivot your organization to a DevSecOps framework and culture.

Step One: Awareness

Awareness is the first step because you can’t move any further without it. It’s about being aware of yourself and the behaviors you can control. Additionally, there is the awareness of others. To be a successful professional and person, you have to have both.

When awareness is missing, it causes issues, including inadequate communication, resentment, animosity, competition, and many other things that detract from security.

Awareness is a key component of DevSecOps from the position that all three parties must be aware of one another in such a framework. Development cannot move to operations without security, for example.

Using the tools of the Awareness step could help bridge the gaps between these groups and break them from their silos. The critical areas of focus should be:

  • Perspective beyond a person’s limited view
  • Respectful and transparent communication

Both things feed into the next step, Mindset.

Step Two: Mindset

Mindset impacts everything we do. When it’s one of growth, we see opportunities, encourage feedback, and embrace uncertainty. When it’s fixed, we do the opposite. A growth mindset is the goal. Without it, you’ll never achieve security by design because there’s no ownership and accountability.

The problem with technical (and nontechnical) people is that they run from the truth and feel comfortable only with what they know. That’s risky behavior in the realm of cybersecurity. Moving mindsets is really hard. Not all will be able to hack it, but if it becomes part of your cyberculture, it’s ideal for a shift to DevSecOps, which is all about transparency and honesty.

There are some exercises to help with transformation as part of the Secure Methodology that can help with this. Another thing to note is that you have to talk about mindset in general when you have development, operations, and security staff together. You are outlining how each person needs to adapt their mindset for everyone to find success.

Step Three: Acknowledgment

Next is Acknowledgment, and it’s a big challenge for cybersecurity teams. There is a general lack of appreciation from supervisors to employees happening in every organization worldwide. The nature of cybersecurity is to focus on what went wrong because something always will. I’m asking you to refocus on all the things that go right every day.

Acknowledgment is all about feedback, which is critical in DevSecOps too. Not all feedback will be positive, but when it’s not, it should be constructive so that people learn from what occurred instead of being humiliated. Such actions lead to resentment, disengagement, and turnover, and that’s not good for any company or its security posture.

The act of acknowledging others makes people better at what they do. It builds their confidence and helps them grow their skills and be better collaborators and communicators, and every DevSecOps culture needs that to thrive.

Step Four: Communication

Communication is the most important step. It will make or break any team or company. Without consistent and transparent communication, you’ll never achieve DevSecOps, even if everyone’s on board. It simply just doesn’t work.

Communication is about more than words. It’s how they are said and the nonverbal elements as well. The biggest communication barrier is often geek speak. Security, development, and operations may all have their own versions of this. They believe it makes them superior. In reality, it causes confusion, frustration, and distrust, which aren’t the kind of emotions you want in any room.

You and your entire organization must make improving communication a priority. You have to create an environment that appreciates clear and positive communication. I recommend looking at the exercises in my book for more details on this so that communication becomes an asset, not a weakness.

Step Five: Monotasking

Monotasking means concentrating on one task at a time, which is crucial in cybersecurity. The problem is that society, in general, discounts it as not being flexible or able to juggle multiple things. We’ve been conditioned to believe we should be multitasking. So, you have the challenging job of rewiring brains to understand that multitasking causes risk!

Well, it may not solely be on your shoulders because DevSecOps and its proponents will agree. While it’s the convergence of three areas, DevSecOps appreciates workflows and processes that build on each other. You don’t move to the next one until you finish the first one. If you can retrain your team to focus deeply on specific tasks without distractions, velocity and productivity will actually soar.

Step Six: Empathy

You may be wondering what empathy has to do with cybersecurity and DevSecOps. Except we’ve been building up to this with discussion around awareness, acknowledgment, and communication.

Empathy makes us human in many ways, but it’s become something lacking in the world and at work. At the end of the day, we’re all human, and if we can appreciate the perspective of others, we can be better problem-solvers and collaborators. It easily applies to DevSecOps because three independent groups have to empathize with the others and understand their position for it to work.

If you can build empathy in these teams, you can move to the final step, Kaizen.

Step Seven: Kaizen

Kaizen is a Japanese term meaning “continuous improvement.” As people and professionals, we always want to be improving. We want the same for our development, operations, and security. It’s all about progress, no matter how small, as long as it’s constant.

It’s the ideal ending of the process, but not one that ever ends. It’s the same for DevSecOps. It’s a circle, not a line, after all.

You can learn more about the Secure Methodology and how it aligns with DevSecOps by reading my book, The Smartest Person in the Room. Check out my Secure Methodology course too.

How to Create a Culture of Innovation in Cybersecurity

Creating a cybersecurity culture isn’t a novel idea. It’s one that’s been around for some time, as the field and organizations realized that cybersecurity isn’t just about tools, protocols, and technical aptitude. Culture is much more about the people and, as a result, makes it much harder to build and sustain. People are unpredictable and don’t always have the skillsets to participate in culture. There’s an additional component of cultural manifestation, and it revolves around innovation. So, how do you develop a cybersecurity culture of innovation?

If it’s not a question you’re asking yourself as a cybersecurity leader, I would suggest you should. Innovation is the enemy of complacency. However, it requires cyber teams to look beyond their technical aptitude and leverage soft skills, which they may not have. It can seem like an uphill battle, but it’s worth considering the benefits it can bring your staff and business. Those advantages include satisfied employees, mitigation of risk, and the ability to meet continuous improvement goals.

So, let’s talk about fostering innovation in your cybersecurity culture.

What Is a Cybersecurity Culture of Innovation?

At the foundation of culture are people and behaviors. If those whose job is to protect data and networks have a closed mindset, fail to evolve their conceptions, or believe they are the smartest people in the room, culture will always be toxic. In these cases, risks become greater, turnover is high, and communication is nonexistent.

Conversely, a healthy culture has open-minded participants that want to work together effectively and continuously learn. That is an environment where innovation can thrive. It’s a place that welcomes new ideas, which can lead to a better security posture, engaged employees, and greater productivity. In this scenario, everyone benefits.

As you assess your current culture, you probably have gaps, some more than others. Filling those gaps aligns really well with the Secure Methodology™, so I’ll be referring to that as I describe the steps to take. The Secure Methodology is a seven-step guide for cybersecurity leaders to leverage to develop the people skills of technical folks. These steps don’t focus on cyber skills but rather interpersonal ones, which is the core of culture.

Building a Culture of Innovation

No matter where you’re starting in the culture journey, these pivotal elements will be necessary to propel your organization into one that’s agile, forward-thinking, and connected. Here are the areas to help you formulate a plan.

Cybersecurity Culture Involves Three Different Levels

When considering any culture configuration, there are always three levels to consider, from the top to the individual. While they have different roles in the organization and responsibilities around cybersecurity, they must work together to maintain a culture.

Leadership

This segment is the C-suite, including the CEO and CISO. They must lead by example if they want the culture to permeate. They are top-level decision-makers, but those decisions don’t happen in a vacuum. They need to understand risk and how cyber operations work, which requires clear, consistent communication from cyber teams and individuals. Unfortunately, communication is often the skill most lacking in technical employees. If those who set the strategy and budgets are only fed geek speak, culture leadership is working with a handicap.

Communication, of course, goes both ways. When leaders set a precedent on how they expect communication to flow, it can break down some barriers. In the end, the C-suite needs communication development as well. It’s especially true regarding what questions they ask, which should be more granular than they might currently be.

Team

Your cyber team comprises people with various skill sets, experience, and expertise. If they can build a coalition that taps into this, they’ll be at a good place regarding culture. However, we’re talking about behavior, communication, and cooperation. Those things are usually the Achilles’ heel of any cyber team.

The team dynamic and evolving it is a big part of the Secure Methodology. Its guidance takes into account the typical lack of people skills and how that impacts cybersecurity culture. Too often, your team operates in silos and wants to continue in this way. Many times, it’s about a fear that others will find out they don’t know everything. Except that’s precisely the kind of mindset you need to innovate!

When working on culture at this level, the Secure Methodology is an excellent framework that you can use to cultivate communication skills, awareness, empathy, and more.

Individuals

The last layer of culture is the individual. What applies here is similar to the team level with caveats. The biggest of those is motivation, as each person has their own. At this level, as the leader, you must make specific connections to understand that individual’s capacity to change and grow. It’s the most challenging part of cultural shifts, and not every person on your team will be ready for this.

The Secure Methodology includes exercises throughout the seven steps to assist with this. How each person reacts to these will determine their long-term cultural fit.

Now that we’ve looked at each level of culture, here are some more tips you can use to further the pursuit of innovation.

Find Cultural Evangelists

Within your cyber staff, you’ll find those that are all-in on cementing culture as innovative. These people already have a good base of people skills and will prosper in this new dynamic. Assign those employees to be cultural evangelists. They can work together to develop training and upskilling opportunities. Since it’s coming from their peers, others may find this more inviting and appealing.

Define the Language of Innovation

Earlier I discussed the issues in communication among cyber professionals and mentioned their love of geek speak. Many use this language because they don’t want to reveal their weaknesses or limitations. It’s your job to banish this language and identify what the tenets of communication should be, which can include:

  • Eliminating jargon that has no purpose
  • Encouraging and promoting active listening skills, which are just as important as language
  • Using inclusive language so that those individuals outside of cyber teams would understand
  • Reframing communication as a way to reach a result that technical people can relate to
  • Simplifying messaging
  • Praising positive communication moments to reinforce the value of it
  • Outlining how clear communication leads to innovation

Transform Fixed Mindsets into Growth Mindsets

Mindset is the second step in the Secure Methodology, and it is critical to culture. People either have a fixed mindset or a growth mindset. You, of course, want professionals with the latter. That doesn’t mean those with fixed ones can’t evolve and grow, but it does take work.

A fixed mindset hampers your organization’s ability to be proactive in security and forward-thinking. These folks don’t want to innovate around this because it’s too unknown and uncertain. It will also erode culture. Here are some key steps to transform mindsets:

  • Coaching and reflection: When communicating with a fixed mindset, asking the right questions matters. You need to take them back to a moment when their fixed mindset was a barrier. Such a moment could instigate reflection and more awareness of their behaviors.
  • Asking why: Again, questions posed to these folks can create aha moments. There’s an exercise called the 7 Levels Deep Exercise, which I recommend. It will help uncover motivations.
  • Praising mindset changes: The third thing to do is to acknowledge and recognize when you see mindset shifts from fixed to growth. Something as simple as this can make a significant impact on future behavior.

To round out this discussion, I want to leave you with some additional insights into innovation and security.

Innovation and Security Aren’t Foes

One of the biggest misconceptions in the cyber world is that security is a barrier to innovation. Such a perspective is dangerous to your culture and ability to defend data and networks in the cyber war. Security does not impede innovation. In fact, they work together very well with the proper perspective.

It’s not unlike the principles of DevSecOps, where development, security, and operations convene. In this strategy, security is part of the conversation from the beginning. It has equal weight with development and procedures, as it should. You cannot have innovation without security. Innovation, at its core, is about devising solutions that enable better results. If security is outside the innovation bubble, you may have a good idea, but it won’t come to fruition. It won’t be deployable and scalable.

So, you must build the case that they both can coexist harmoniously and should always have a link. Otherwise, you’ll waste time, money, and resources. If you leverage the tips and ideas from this post, you can easily demonstrate how vital security is to innovation.

If you’re ready to build your culture of innovation, you should learn more about the Secure Methodology, which you can find in my book, The Smartest Person in the Room. Additionally, I have a Secure Methodology course, which delves further into the seven steps. Check them both out today.

The Secure Methodology™ Step Four: Communication

Communication is the core of any organization, department, or process. It’s a topic I talk about extensively in the world of cybersecurity. That’s why it’s step four of the Secure Methodology and why it’s a critical aspect of every effort.

In this post, we’ll go in-depth on step four. You can read up on the first three: awareness, mindset, and acknowledgment. We’ll start with a recap of the Secure Methodology.

The Secure Methodology: Turning Technical People Into Solid Communicators and Collaborators

Before we jump into communication, here’s a recap on the Secure Methodology. It’s a seven-step process I developed as part of my book, The Smartest Person in the Room. I designed it as a guide for cybersecurity leaders to help improve interpersonal and people skills so that they can work together to combat cybercrime. It’s not about technical aptitude but rather empowering cyber professionals to look beyond the ones and zeroes by being honest communicators. It’s a reframing of cybersecurity culture to be collective and collaborative in solving challenges.

So, let’s dive into step four.

Technical Staff Aren’t the Best Communicators

It’s a total stereotype that logical thinkers are bad communicators. Except, in this case, it’s mostly true. I’m not making a blanket assertion, but I’ve been in the business for a long time and witnessed this to be accurate time and time again.

When I talk about poor communication, it’s not that someone isn’t articulate or functions with a limited vocabulary. It also has nothing to do with intelligence. The problem is that there’s a communication gap between technical people and company leadership. It’s so bad that they might as well be speaking another language, and they kind of are with geek speak and jargon.

Why do they do this? Well, it helps them validate to themselves that only they know about the technical world. Those who are outside of it couldn’t dare understand what they do. It keeps them in a place of feeling superior. They’re in this club, and no outsiders are allowed. Except those outsiders are running the company and hold all the budget dollars. When technical workers fail to communicate effectively, they alienate their internal or external customers.

Keeping Geek Speak Alive Assuages Insecurity

At the core of geek speak is insecurity. Most technical people believe they hold the title of the smartest person in the room. If they have this “coded” language, few can make sense of it, so there’s less chance that someone will push back. Speaking in normal terms could expose the fact that they aren’t sure, which would be the worst thing for these people. They never want to admit that they don’t know.

Different stakeholders may request that they simplify the message around cybersecurity because it impacts more than just IT. Cyber attacks are considered a primary risk for any business, so their management and impact are enterprise-wide. All tech people will take away from this is that they need to dumb it down.

Another issue is that cybersecurity training and certification reinforce this by providing pages and pages of acronyms to memorize. Every industry has its shorthand, but this is taking it to a new level that’s not consequential to their ability to be equipped cybersecurity professionals.

Communication also has much to do with listening, just as much as talking. Most technical people don’t score well here, either.

Poor Communicators Are Poor Listeners

Being an effective communicator isn’t just about what you say and how you say it. It’s also about listening! In a fast-paced, dynamic world, attention is fleeting, and the consequence is people who don’t pay attention. It can be hard to stay present and observant.

In addition, many people only listen for agreement or rebuttal. They aren’t taking in what someone is expressing and are simply waiting to give their response, either in agreement or to dispute and argue.

Without active listening in cybersecurity, we can’t fully understand the problem. That creates massive challenges in the field.

Dysfunctional Communication Has a Major Impact on Cybersecurity

As I’ve said, we (the good guys) are losing the cybersecurity war. The defeat isn’t because technical skills, innovation, or tools are subpar. I’d argue it has more to do with the fact that communication is in a state of brokenness. It goes back to the gap referenced above.

If technical people aren’t more inclusive with language to decision-makers, they aren’t likely to get the responses they expect or need. The excuse of “they just don’t get it” isn’t helping matters. They have to get it. If they don’t, then risk increases and resources decrease. That’s the crux of the communication gap between technical people and company leaders — they need to speak about cybersecurity in terms of risk to the business.

Leaders want to protect data and networks. They realize the threat landscape is widening with cyber-attacks in the daily headlines. This group knows that if it happens to them, it will cost them a lot of money and harm their reputation. They are hungry for the facts but not in sentences that don’t sound human. It’s the responsibility of technical teams to express risk and threats in a way that makes sense to anyone and what steps need to be taken to mitigate them.

That becomes the hardest part — getting technical people to first realize their communication is ineffective and then get them on board to make changes.

Why Technical Employees Struggle to Evolve Communication Styles

As noted, the jargon and tech speak are a place of comfort for cyber professionals. They act as a veil over uncertainty. They are also logical creatures that see their work as black and white, so they immediately think they don’t need to improve communication or people skills. They know what’s best, and all the non-technical folks can’t grasp the fundamentals.

Continued thinking in this way will only lead to failures and mistakes. To be a great communicator, you have to be flexible, which seems foreign or negative to them. It’s very uncomfortable for them to be vulnerable in their communication because it might reveal that they don’t know everything. Of course, they don’t because no one does, but change is even more challenging if people can’t see this as a possibility.

So, what can you do in a leadership position to incite people to embrace transforming their communication styles?

How to Support Technical People on a Journey to Being Better Communicators

If your technical team improves its communication skills, it can be the best weapon you have in the cybersecurity war. It’s more potent than new technology or the highest technical aptitude. Here are some key things that can make a difference.

Remember Awareness

Awareness is the first step of the Secure Methodology and is something to revisit. Communication isn’t effective without listening. But you can’t do that until you have a level of awareness, which requires putting yourself in the shoes of others. So, encourage them to practice awareness with communication.

Reframe Objectives

Communication is effective based on the result. The point of communicating something is to receive a response. When you reframe the concept for technical people in this way, they can have an “aha moment” as they understand the results and objectives.

Simplify the Message

There is always a way to simplify the point. Technical people don’t need the comfort of their acronyms to emphasize what matters. Instead, urge them to consider who they are discussing subjects with and how to express things in a way that translates to the non-technical people of the world. They need to refrain from going into cyber talk because they aren’t going to get the result they need or expect.

Bring it back to the purpose and the idea of building rapport with others. Remind them that listening for insight helps everybody. The bad guys aren’t sitting in the room with them — the people who can help them are.

Foster a Culture That Appreciates Communication and Sharing

Another part of improving communication is ensuring you create a culture that welcomes it. Your people need to know that if they are trying to share information effectively, you will support them. They’ll certainly make mistakes and revert to old habits, so you’ll want to remember acknowledgment factors — praise them when they communicate well. When they don’t, speak to them privately.

If you create a team that is certain you welcome change, they may be more apt to try harder. Remember, these people don’t like to fail and crave certainty. Of course, change disrupts these patterns, but they’ll do much better if they feel you have their backs.

Moving Forward: Communication Is the Center Point for Cyber Success

Communication is really part of every step of the Secure Methodology. It’s that essential, and it will come up again and again. By focusing on it, your technical people can make great strides in their journey to be better at their jobs and life. You can find more strategies along with exercises to build communication skills in my book, The Smartest Person in the Room, available now, or in my People Skills for Smart People course.

What Is Total Intelligence, and How To Build a Cyber Team to Lead with It

When making any decision, intelligence certainly plays a key role. However, often it’s only the logical, rational side of intelligence that people rely on, especially in worlds like cybersecurity. It’s a field that’s ones and zeroes, so many would think there’s no heart involved. Except those on the other side of the battle are using all their intelligence, something I call total intelligence.

The concept of total intelligence and applying it well as a decision-maker and leader have much to do with cybersecurity. It’s a term that I repeatedly use in my book, The Smartest Person in the Room.

You’re probably wondering what total intelligence is, so that’s where we’ll start.

What Is Total Intelligence?

My definition of total intelligence involves your body, heart, and head. It’s all the information you gain from experiences, training, education, and life. It’s the ability to lead with all of these aspects. Another way to think about it is what many call a “gut feeling.”

Being a cybersecurity leader requires total intelligence in every part of the job. However, you’ll find it challenging to get technical people into this mindset because it’s not all logical, and that’s where those folks like to stay.

Technical People Trust Their Head

Most of those in technical roles are creatures of logic and habit. They lead and interact with others using their heads. They have a skewed worldview, believing that everyone else thinks just as they do. Of course, they would think this because they always think they have the best approach — possibly the only approach.

They trust their head. It’s what comes naturally, and it doesn’t cause friction. They disregard feelings or instincts because they don’t trust them. This limited view isn’t good for any area of life and causes many problems in cybersecurity. This desire to be right and the smartest person in the room seems logical to them. It may seem like posturing, bullying, and a lack of cooperation to others. It hinders communication and actually prevents problem-solving.

Using only the mind part of total intelligence does not result in an environment where incidents and failures don’t occur. Technical people may argue that intelligence’s heart and body parts are unnecessary and have no place in cybersecurity. They are wrong! Cybersecurity is not black and white; it’s a field of gray.

So, how do you get these people to turn on other areas of their intelligence?

Driving Toward Total Intelligence Requires Self-Awareness

To empower technical teams to lead with total intelligence, they must be self-aware. Awareness is the first step in the Secure Methodology, a framework that I developed and that is the focus of my book. It’s a guide with seven steps and a collection of strategies to transform technical teams into excellent communicators and collaborators. It’s the best way to convert those who live in very fixed mindsets.

The path to awareness isn’t easy for technical people or anyone else. A good starting point is assessment tests. They are not free of gaps, but they can lay the groundwork, informing takers on who they are, how they see themselves, and how others perceive them.

The test I’ve found to be useful is the Enneagram test. It embodies all the elements of total intelligence:

  • Instincts (body)
  • Feeling (heart)
  • Thinking (head)

The findings can benefit those who want to journey further into self-awareness. I highly recommend it to you and your team, as it can uncover fascinating and accurate information. I also share my results in the book.

Total intelligence becomes a greater possibility if you can move people toward self-awareness. But should total intelligence always be a guiding force? Like everything, its application varies.

Total Intelligence Changes Thought Patterns and Perspectives

The starting point of total intelligence is self-awareness, which changes how you think and, ideally, feel in any situation. It gradually happens as people adjust. They’ll find themselves running through scenarios in more than a logical mindset. It can open up a lot of self-discovery, and that’s a good thing.

Self-awareness can benefit your employees in every facet of their life. One thing it does is really provide people with a “why.” That’s their primary reason for doing what they do. It could be for financial reasons only, and that doesn’t discount someone from reaching total intelligence.

Having a passion beyond this sets your organization up to be on par with hackers. The hackers have a “why,” and many times, it’s stronger than that of those on the right (good) side. There is a lot of emotion behind the actions of most cyber-criminals. Understanding that helps everyone realize how crucial it is not to think based on logic alone.

Total intelligence also brings a team together, creating powerful connections.

Total Intelligence Connects You to Others

One of the most critical elements of attaining total intelligence is having open conversations that are vulnerable and uncomfortable. You have empathy and compassion for others when you’re leading with your body, heart, and head. You can stand in their shoes and see their perspective.

Those people skills gained with total intelligence are a changemaker in cybersecurity. Total intelligence opens you up to possibilities beyond that black-and-white world. You can see the fault in your logic and learn from others. With a team leading in this manner, you can mitigate all the failures created by poor communication and contrariness.

Great Leaders Have Total Intelligence and Understand the Balance

Many very smart and successful people say that you shouldn’t make business decisions with your heart, which is a bit ironic in a few ways.

First, most had to have the passion and connection to achieve what they have. Aside from those born lucky, entrepreneurs who have made a mark on the world did so by using their hearts, minds, and bodies.

Second, we live in a world where emotion is the key driver in buying decisions. There’s lots of data to back this up — studies from neuroscientists. There are experts on the subject, like Harvard professor Gerald Zaltman, who asserted that 95% of purchasing decisions are subconscious. To link this back to cybersecurity, consider that purchasing decisions are a big part of any business, including who and what it involves in meeting its technical needs. So, I’d draw a correlation that emotion backs many more business decisions than most people would attribute to it.

Emotion is essential, but the leader with total intelligence knows they shouldn’t be led solely by their heart. They need all three elements to make decisions in the best way for the team and the company. If your people stay trapped in logic, they’ll make bad choices. Those choices may not look bad today or tomorrow, but eventually, they will bite them.

In leading with total intelligence, there is a way to go through all three areas to come to a conclusion.

What Leading with Total Intelligence Looks Like

I try hard to be in a space where total intelligence guides me. I start with logic, but I listen to my heart and body. If those two are strongly opposed, I take that into consideration. I don’t ignore what’s happening outside my head.

As I describe it, the process may sound easy. Maybe you go through the outcomes, ask questions, and bounce around ideas. For a technical person, this is not a simple task. Adapting to this requires practice. Total intelligence is at the top of the people skills triangle. Your people will need:

  • Heightened awareness
  • A growth mindset
  • The right language
  • Hyperfocus
  • Empathy
  • A desire to keep improving

That’s a long list, and it will take time and effort to develop these skills. It’s a journey, and the route to take is the Secure Methodology. All seven steps work to build total intelligence. You’ll find many exercises and strategies in my book for each step. Doing these activities is key to building communication and other people skills.

The moment that everything clicks together for your team comes when they allow emotion and instinct to complement logic. In practice, this looks like using logic as the first rung on the ladder. Emotion and instinct are next, and people achieve this by seeing problems through the eyes of the client. With all three applied, the solutions proposed are better.

Achieve Total Intelligence to Win the Cyber War

Your technical employees may seem resistant to change. The Secure Methodology takes that into account. Not everyone will make it through the steps, and it’s okay to conclude that some aren’t right for your team. If the goal is for everyone to make decisions based on the heart, body, and mind, you don’t want to devote too much time and energy to the “never-changers.” Concentrate on those people who want to evolve and can commit to the journey.

It all begins by reading the book and applying the Secure Methodology. Get your copy of The Smartest Person in the Room today.

Check Out The Smartest Person in The Room

The Secure Methodology™ Step Two: Mindset

Mindset impacts everything we do. It’s the one thing someone can control in most situations. When your mindset is broad, overcoming challenges seems possible. Since cybersecurity is really a discipline riddled with challenges, you can see why mindset is so important. That’s why it’s the second step in the Secure Methodology. It builds on what you learned in step one, Awareness.

What Is the Secure Methodology?

First, here’s a refresher on the framework of the Secure Methodology. It’s a guide with seven steps featured in my book, The Smartest Person in the Room. Its purpose is to help organizations transform their technical teams into excellent communicators. It provides tools to think outside of ones and zeroes or black-and-white thinking.

Using the Secure Methodology can build a more collaborative group and enhance their people skills. As a result, your cybersecurity will be more adept at preventing and responding to threats.

In this article, I’ll briefly summarize the elements of step two, Mindset, with a glimpse at what you can learn in the book that can impact your cyber professionals.

Two Dimensions of Mindset: Fixed and Growth

The idea of two different mindsets — fixed and growth — isn’t new, but it still provides the foundation for how to evolve it. First is the growth mindset. In this condition, people believe they are in charge of their own life. You realize you are the cause, not the effect.

Those with a growth mindset have no doubts that they can overcome challenges. They see possibilities where others don’t. They are willing to try new things and have a curious nature that loves to learn. These people are solution-centric and have a passion for solving problems.

A fixed mindset is much the opposite. Those in this category think everything is set in stone, and they have zero control. They believe they are the effect, not the cause. In most cases, they are closed-minded and have no desire to learn and change. These beliefs limit everything they do. They are confined by them and stay stuck.

A growth mindset is what you’d like to see in all your cyber professionals. However, you’re probably already aware that’s not the case. So, why is a growth mindset so critical in these settings?

Without a Growth Mindset, There’s No Ownership of Actions

A growth mindset is flexible and adaptable. Those with it own their actions and can learn from them. Without this accountability, failure would always be the fault of someone or something else.

The willingness to lean into mistakes and grow from them is a skill that helps anyone in business and life. Because cybersecurity is a big puzzle with new pieces appearing constantly, a growth mindset allows people to adjust to this environment. Those with a fixed one won’t thrive. They just want to go through the motions, and that’s a big threat to your organization’s security.

Mindset’s Impact on Cybersecurity

The most vital aspect of mindset in cybersecurity is facing the truth. That means complete transparency around the threats posed every day and the weaknesses and vulnerabilities of a network. Growth mindsets can handle the truth; fixed mindsets are always running from it.

Lack of an open mind keeps people in the same routine of going through the motions of cybersecurity. They approach every project the same, overcomplicating it so they look like the smartest person in the room. These individuals have very narrow blinders on and simply recite the processes like it’s a monologue in a Shakespeare play.

Fixed mindsets can’t accept anything new, including solutions that are a good match for the issue at hand. If you have a team walking around not facing the truth, your organization could be in serious cyber trouble.

How Fixed Mindsets Bungle Cybersecurity

So, what does fear of the truth and an inflexible mindset look like in cybersecurity? Lots of examples are happening all around you. Here are some scenarios.

Password Vulnerabilities

Penetration testing is a normal part of keeping an application secure. A test can reveal many cracks in the security walls. Often, passwords and the algorithms that generate them can have flaws.

Correcting for this doesn’t have to be overly complex. Yet, time and time again, I’ve seen cyber leaders do just that. Rolling out complicated authentication systems gives the illusion of better security. It can also be expensive.

When cyber professionals are too focused on their one way to solve a concern, they see no other alternatives. As a result, it makes things less secure.

Communication Breakdowns

Another example is simple communication within a team. It can be regarding a major project, a cyber rule, or another exchange. For example, you could be debriefing an incident, and fixed mindset people will communicate in a manner that deflects blame and offers no insight.

They cannot accept the truth of the situation and feel it was unavoidable because they did the things they’ve always done. That type of thinking will sink cyber initiatives and strategies. You’ve got too many people in the boat unwilling to paddle.

So, is mindset changeable? Can you put a fixed mindset through experiences that help them break free from it? First, people need to have the right commitment.

Commitment Is Crucial

A growth mindset is the first building block, but your team has to do more. They must commit to this mindset. In doing so, there’s no friction or barrier to trying a new approach to an old problem. So, it’s not enough to be in a place of growth; they also have to commit to evolving.

The commitment goes beyond that of change. Your team also needs to commit to cybersecurity. Without this, winning the war against cyber criminals is a losing proposition.

They also need to be dedicated for the right reasons. Cyber professionals that only see dollar signs won’t hack it. Cybersecurity is a hard industry. There’s a lot at stake. The pressure is palpable, and it’s constantly changing. A committed growth mindset enables professionals to be nimble and creative.

Transforming Mindsets of Your Cyber Team

Change, in any situation, is hard. It’s much easier to keep going on the same track and not deviate. However, that’s a one-way street to failure. So, you’ll need a solid approach to change these minds and hearts.

If there’s potential for a growth mindset and a commitment to cybersecurity, there are ways to support transformation. Here are some of the best tips for this.

Encourage Reflection

By asking the right questions, you can take a person back to a moment to consider how they might do things differently. Be specific in the questions by asking for two or more things they would do to improve the situation.

Based on their responses, there are coaching opportunities. Reflection looks back, but you want them to take what they learn and move forward.

It may be difficult to pull out these reflections from people not used to doing this. You don’t want it to feel stressful or overwhelming because your mindset closes up when this occurs. The alternative is to recommend that they write about it for at least five minutes. This can be cathartic and move them toward opening up their minds.

Ask Why

Another method to use for mindset is asking why in the 7 Levels Deep Exercise. This is because it takes the average person seven questions to crack into their “why.” You’re peeling back the layers to determine true motivation by going through this exercise.

You can’t move forward with mindset change unless you know the person’s motivation. Not all motivations will align with an open mindset. If those reveal themselves, and there seems nowhere to go, those people may not be the best fit for your cyber team.

Acknowledge Small and Big Shifts in Mindset

Your mantra as a cyber leader in terms of mindset is that a growing one helps people succeed. When you see shifts in this, whether big or small, you should acknowledge them. It doesn’t have to be anything big but an appreciation of the evolving mindset patterns.

For example, your team could be discussing the latest phishing scams that are causing chaos. You have a protocol and strategy around phishing that combines technology tools and training. So, a fixed mindset would follow the same trail. If one of your employees speaks up about adjusting it to account for something new based on past learnings, that’s a growth mindset. This is an opportunity to reinforce this type of thinking. Share with your team why this response is what will assist them in winning the cybersecurity war.

Learn More About Mindset in the Secure Methodology

Find more insights, explanations, tips, and exercises on impacting mindset in The Smartest Person in the Room. With this information, you can develop your staff and help them evolve toward a growth mindset. You’ll also find all the steps of the Secure Methodology and how to integrate them into your cybersecurity operations. Get your copy today.

The Secure Methodology™ Step One: Awareness

How engaged are your cybersecurity employees? It might not be something you even think about because you categorize these people as purely technical. They do a job based on tasks, and that’s the end of the story. However, that’s not the reality of cybersecurity operations. To thwart cyber-attacks, your team needs to improve interpersonal skills, and they can achieve this with the Secure Methodology.

The Secure Methodology includes seven steps, and in this post, we’ll be covering step one, Awareness.

What Is the Secure Methodology?

The Secure Methodology is a step-by-step guide I developed in my book, The Smartest Person in the Room. I created it as a framework for building better communication skills and understanding.

When applied effectively, it can enhance teamwork within cybersecurity. It’s a reframing of how organizations approach cybersecurity, realizing that it’s not a world of ones and zeroes. The Secure Methodology has a key objective: to outmaneuver cyber criminals by instilling skills in staff. Those honed skills leverage logic, emotion, and instinct in equal parts.

The Secure Methodology Considers Cultural Fit, Not Just Technical Aptitude

In my book, I share stories about working with cybersecurity professionals. In many instances, these folks were really smart and had a high technical aptitude. Of course, I would hire them, as any other cybersecurity leader would.

Except these attributes don’t always mean success. In my experience, these technical experts significantly lacked communication and interpersonal abilities. When trying to hold someone accountable for actions that impact staff, they quit. They were completely unwilling to change their narrow view of the world. In the end, those people weren’t a cultural fit. They were not agile or flexible, and those are things that a cybersecurity professional must be!

As a result of these interactions and failures, I developed the Secure Methodology.

It all begins with awareness!

We All Have Behavior Patterns We’re Not Aware Of

People are complex, and our behaviors demonstrate this repeatedly. We’re human and, therefore, not always attuned to how we behave and its impact. These blind spots are actually programmed in the unconscious mind, which is why we lack awareness of them.

As a result of this programming, we develop bad habits. So, can we identify these blind spots? Absolutely, and doing so is critical. It’s not an easy road and requires work. The first step is observing our reactions to experiences or conversations. That includes verbal responses and nonverbal ones.

After recognition comes the point of determining if we need to change them. Many of these blind spots are much harder to eliminate than others. If they are intrinsic to a person’s view of the world, deprogramming them can be arduous. Making changes related to your attitude, which is what you can control in situations, isn’t for the faint of heart.

So, what does this have to do with cybersecurity?

Lack of Awareness and Its Impact on Cybersecurity

When cybersecurity professionals lack awareness and have no insights into their blind spots, we lose the battle. These technical people often don’t understand their behavior and how it affects their environment.

If you have a team of unaware staff, you can expect cybersecurity initiatives won’t thrive, increasing risks. Here are the key areas of how being unaware causes this.

Relationships Suffer

Cybersecurity must be a team sport. Individual contributors must work in concert, and that’s impossible when a lack of awareness is prevalent. Individuals who don’t understand their behavior sow seeds of resentment and animosity. In turn, communication breaks down, and trust erodes.

Bad Communication Comes Off as Aggressive and Rude

You know those who say, “I’m a straight shooter.” They mean they are blunt and straightforward and seem proud of this. No one expects you to sugarcoat everything, but the way cybersecurity professionals communicate with clients, whether internal or external, matters.

Those that have no self-awareness are often too direct. Their communication style is aggressive and sometimes offensive. It can also have an air of condescension. If this persists, your team’s egos will triumph over collaboration and respect.

If these scenarios feel too close to home, the next question is, “How can you improve awareness?”

Improving Awareness with the Secure Methodology

The absence of awareness puts people in a state of uninformed optimism. Without reaching a level of understanding, we can’t correct our blind spots. What you want to transition to is informed realism. In this state, awareness has arrived, and we can work toward a solution. As much as people resist change, we all know it’s possible.

What’s tough about this is that most people avoid the truth about themselves. So, how do you help your staff evolve?

Coaching Encourages Broadening Awareness

One of the most important ways to improve awareness is through coaching. In coaching, people get outside of their narrow view of themselves. It’s not about pointing out flaws or being degrading. Instead, it’s about helping people recognize their blind spots and encouraging them to make healthy, positive changes.

In the coaching paradigm, I offer two key focuses: perspective and state of mind.

Perspective

People are innately self-centered. They can develop greater empathy for seeing other perspectives if they become more aware.

There are some specific questions you can ask in coaching to open up perspective. The way you ask them matters! You have to reframe interactions by asking questions that change the view.

Don’t ask: Can you put yourself in that person’s shoes?

Do ask: If that person were in your shoes, what would that look like?

Don’t ask: How can you be more aware of what’s happening in your team?

Do ask: How would you speak to your manager about being more aware of what’s happening on your team?

These are simple changes in communication, but they work in the context of reframing. Word choice and syntax impact your employees and their journey for better awareness. These may seem like nuances, and they are. They are also something to pay attention to and practice. You may get responses that open up the conversation and the employee’s eyes.

As they say, ask better questions, and you’ll get better answers.

State of Mind

A person’s mindset and awareness of it shape interactions. State of mind is something a person can control. It impacts decision-making, so if it’s negative, that will play out. Coaching others to be aware of this can influence how they interact with others.

Improving How You Communicate with Employees Influences Awareness

The next aspect of broadening awareness is communication. In exchanges with staff, asking the right questions expands their awareness.

When conversing with technical people, be specific and prescriptive. Spouting off jargon and terms that have no significance to them won’t engage them. They, of course, won’t tell you that, which feeds into the cycle of detachment.

Here are some communication tips.

Be specific and relatable.

Communicating in this manner can break through those with uninformed optimism. This unawareness causes people to act and communicate in ways that are self-serving. They ignore the reality of others or the impact of things. If people don’t tune into messaging, it’s because they can’t relate to it, or it’s so high-level that they can’t comprehend the implications.

If your communication of goals, strategies, and needs is specific and relatable, people can move toward a state of informed realism. They connect the dots and become fully aware of the situation, what it means to them, and the bigger picture.

Understand the employee’s motivation.

Every person has different motivations. If you want your employees to broaden their awareness, you’ll need to know what motivates them. With this knowledge, you’ll be able to position communication more effectively.

Create perspective outside of the person’s current view.

How we perceive the world depends on our image of reality. Each person’s perception is unique, based on their experiences. It influences everything they do. It’s a concept called territory maps, which I explain in the book.

For a high-level explanation, these maps are models of reality. Using them in coaching can be beneficial. They often hold the key to discerning motivation.

High-Level Takeaways on Awareness

In review of the Awareness step of the Secure Methodology, here are key takeaways:

  • Awareness includes self-awareness and awareness of others.
  • Blind spots cause bad behaviors, and addressing these requires deep introspection.
  • Becoming aware is challenging for any person, possibly more so for technical folks.
  • Lack of awareness harms cybersecurity, specifically in relationships, communication, and understanding.
  • Broadening awareness requires strategies, such as coaching, communication approaches, and more tactics.
  • Communication should include being specific and relatable, understanding motivation, and creating perspective beyond a person’s limited view.
  • People skills are just as valuable as technical ones for cybersecurity professionals.

Learn More About Awareness in the Secure Methodology

In the book, The Smartest Person in the Room, you’ll find even more insights into the awareness quandary. Going deep into the phase is vital to moving to the next one. The book includes an exercise to try with your team to broaden awareness. Get the details by getting your copy today.
