<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>secure methodology Archives - Christian Espinosa</title>
	<atom:link href="https://christianespinosa.com/blog/tag/secure-methodology/feed/" rel="self" type="application/rss+xml" />
	<link>https://christianespinosa.com/blog/tag/secure-methodology/</link>
	<description>Bestselling Author &#124; Keynote Speaker &#124; Cybersecurity Expert</description>
	<lastBuildDate>Sun, 17 Sep 2023 19:28:24 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.6.1</generator>

<image>
	<url>https://christianespinosa.com/wp-content/uploads/2021/09/cropped-Christian-Espinosa-Blue-White-Logo-32x32.png</url>
	<title>secure methodology Archives - Christian Espinosa</title>
	<link>https://christianespinosa.com/blog/tag/secure-methodology/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>What Is Threat Intelligence, and Why Is It Important in Supporting Your Cyber Team?</title>
		<link>https://christianespinosa.com/blog/what-is-threat-intelligence-and-why-is-it-important-in-supporting-your-cyber-team/</link>
					<comments>https://christianespinosa.com/blog/what-is-threat-intelligence-and-why-is-it-important-in-supporting-your-cyber-team/#respond</comments>
		
		<dc:creator><![CDATA[Christian Espinosa]]></dc:creator>
		<pubDate>Sun, 17 Sep 2023 19:28:24 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Secure Methodology]]></category>
		<category><![CDATA[secure methodology]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<guid isPermaLink="false">https://christianespinosa.com/?p=2858</guid>

					<description><![CDATA[<p>Threat intelligence offers a unique approach to cybersecurity in the 21st century. It provides visibility and helps eliminate blind spots across the threat landscape. Cyber professionals still have to wear their “detective” hats to pull together insights, but they now have a better map to use. You’ll be able to observe cybercriminals and understand their [&#8230;]</p>
<p>The post <a href="https://christianespinosa.com/blog/what-is-threat-intelligence-and-why-is-it-important-in-supporting-your-cyber-team/">What Is Threat Intelligence, and Why Is It Important in Supporting Your Cyber Team?</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img fetchpriority="high" decoding="async" class="size-medium wp-image-2859 alignright" src="https://christianespinosa.com/wp-content/uploads/2023/09/j-schiemann-HvaMFqvBbrE-unsplash-300x199.jpg" alt="threat intelligence" width="300" height="199" srcset="https://christianespinosa.com/wp-content/uploads/2023/09/j-schiemann-HvaMFqvBbrE-unsplash-300x199.jpg 300w, https://christianespinosa.com/wp-content/uploads/2023/09/j-schiemann-HvaMFqvBbrE-unsplash-1024x680.jpg 1024w, https://christianespinosa.com/wp-content/uploads/2023/09/j-schiemann-HvaMFqvBbrE-unsplash-768x510.jpg 768w, https://christianespinosa.com/wp-content/uploads/2023/09/j-schiemann-HvaMFqvBbrE-unsplash-1536x1020.jpg 1536w, https://christianespinosa.com/wp-content/uploads/2023/09/j-schiemann-HvaMFqvBbrE-unsplash-2048x1360.jpg 2048w, https://christianespinosa.com/wp-content/uploads/2023/09/j-schiemann-HvaMFqvBbrE-unsplash-640x425.jpg 640w" sizes="(max-width: 300px) 100vw, 300px" />Threat intelligence offers a unique approach to cybersecurity in the 21st century. It provides visibility and helps eliminate blind spots across the threat landscape. Cyber professionals still have to wear their “detective” hats to pull together insights, but they now have a better map to use.</p>
<p>You’ll be able to observe cybercriminals and understand their attack strategies with this clear understanding of their capabilities. That’s the opportunity, but you may not be getting the full value of threat intelligence in your organization. Results vary: some businesses herald it, while others feel overwhelmed by it.</p>
<p>In this post, we’ll review what threat intelligence is, its current impact, and what it all means to your cyber team.</p>
<h2>What Is Threat Intelligence?</h2>
<p>Threat intelligence describes the activities of collecting, processing, and analyzing data to understand a cyber criminal’s motives, targets, and attack behaviors. It should empower an organization to make quicker, more informed, data-driven security decisions. It can also help change your position to be more proactive than reactive.</p>
<p>There are three areas of threat intelligence:</p>
<ul>
<li><strong>Tactical:</strong> This segment focuses on malware analysis and enrichment and examines threat indicators around your cyber defenses.</li>
<li><strong>Operational:</strong> This category covers understanding the capabilities, infrastructure, and techniques of threat actors and leveraging them to conduct more targeted cyber operations.</li>
<li><strong>Strategic:</strong> This classification involves a high-level understanding of trends and motives and then using it to improve your strategy and decision-making.</li>
</ul>
<h2>Why Does Threat Intelligence Matter?</h2>
<p>Cyberattacks are constant and unrelenting. They are always in a state of growth and flux, with new attack methods springing up every day. Your good guys are constantly at war with hackers, and threat intelligence gives you an edge.</p>
<p>It can play an essential role in cybersecurity, including:</p>
<ul>
<li>Offering information on the unknown, which much of the cyber landscape is, to support better decisions</li>
<li>Empowering cyber stakeholders to uncover the motives of threat actors and the tactics, techniques, and procedures they use</li>
<li>Ensuring cyber professionals are aware of the perspective and motivations behind hacker decision-making</li>
<li>Providing essential information to the business side of a company, so they invest in cybersecurity and mitigate risk</li>
</ul>
<p>When you use threat intelligence, you can tailor your defenses, which builds cyber resilience. While many see its value, it’s not as easy to realize it. Most cyber teams are still at the basic level, such as integrating data feeds related to threats into existing networks, firewalls, IPS (intrusion prevention systems), and SIEM (security information and event management).</p>
<p>What do those using it actually experience?</p>
<h2>How Are Organizations Using Threat Intelligence?</h2>
<p>In a recent <a href="https://www.scmagazine.com/whitepaper/threat-intelligence-eyes-on-the-enemy" target="_blank" rel="noopener">cyber risk survey</a>, professionals had differing views of threat intelligence. Many stated it’s a significant support for cyber resilience, enabling them to be more proactive. Its other positive reviews include its ability to deliver insights and visibility. It allows greater awareness of the mind of a hacker, enabling cyber professionals to know what to look for in the <a href="https://christianespinosa.com/blog/does-your-cyber-team-truly-understand-your-threat-landscape/" target="_blank" rel="noopener">threat landscape</a>.</p>
<p>This sentiment wasn’t echoed by everyone. Other companies said it overwhelmed their team with all the alerts. Some also indicated that it produced failures in managing third-party risk.</p>
<p>Overall, a thread throughout respondents was that adapting is key to outmaneuvering threat actors. This approach requires several things, including:</p>
<ul>
<li>Automating some parts of threat detection</li>
<li>Collecting more data about threats for human analysis</li>
<li>Investing in tools and technology to support threat intelligence and integrating them into the enterprise</li>
<li>Improving the <a href="https://christianespinosa.com/blog/how-to-develop-soft-skills-in-your-cybersecurity-team/" target="_blank" rel="noopener">soft skills of cyber professionals</a> so they can effectively communicate the intelligence and act on it</li>
</ul>
<p>These varied viewpoints put into focus where the opportunities and challenges are.</p>
<h2>The Opportunities and Challenges of Threat Intelligence</h2>
<p>In evaluating the current use cases and value of threat intelligence, you have to account for the possibilities and the problems. Let’s look at those:</p>
<h3>How You Use Data Determines Its Value</h3>
<p>Most threat intelligence data comes from internal network traffic, not external sources like the dark web. As a result, its value often aligns with two areas of cybersecurity — improving incident response and internal awareness.</p>
<p>Those are critical areas of your strategy and demonstrate the ability to be proactive. Enhancing your plans for reacting to threats fits in this category. The actual response does not, so the benefit is being more prepared.</p>
<p>With internal awareness, you are using the data to predict where threat actors will attack. How your technical folks use it could be the problem. In general terms, those in the field lack awareness of themselves and others. They have narrow perspectives and think in ones and zeros. The most technically adept cyber professional can still falter here because they aren’t adapting their mindset to align with what hackers are doing right now. Thus, you have to help them develop awareness for this intelligence to be actionable.</p>
<h3>Automating Threat Intelligence Reduces Manual Work, But Human Analysis Is Still Necessary</h3>
<p>There are lots of great systems that can automate threat detection and respond to it. It’s an early warning tool that puts less strain on your team, which may already be short-staffed. These tools are helpful and practical, but you still need human intelligence for analysis and improvement of strategies.</p>
<p>This is going to require <a href="https://christianespinosa.com/blog/improving-cybersecurity-communication-skills-why-its-more-than-just-being-articulate/" target="_blank" rel="noopener">communication</a> and collaboration inside your team and with other parties. For the analysis to be valuable, people have to think critically and creatively about the threat landscape. It’s not just a technical assessment of the information.</p>
<h3>Threat Intelligence Offers a Better Way to Update Your Playbook</h3>
<p>The policies, protocols, and strategies of cybersecurity reside in your playbook. It’s a fluid document that evolves as threats and risks do. What you learn from threat intelligence has a big impact on this playbook.</p>
<p>When your playbook goes through these updates, you also have to change the behavior of your people in relation to them. Change is hard for anyone or any organization. It may be even more difficult for technical folks. They like to keep things the same because it’s comfortable and gives them a better sense of control. Mindsets like these don’t help you manage risks and threats, so more development needs to happen in your people to align with what you get from threat intelligence.</p>
<p>In reviewing these components, you can see that threat intelligence is more than data, monitoring, and analysis. The human element is critical for it to really move your cyber operations forward. Developing specific attributes and abilities in the realm of people skills is just as necessary as implementing tools and technology.</p>
<p>As a result of this complex ecosystem, you can improve on the people part with the Secure Methodology™. It’s a seven-step program I developed to help cyber leaders do just that.</p>
<h2>Threat Intelligence and the Secure Methodology</h2>
<p>Having more data and information in cybersecurity doesn’t automatically mean it’s usable, practical, or seen as valuable. Technical people don’t deny data and its insights, but they can overlook them based on their own biases and fears. The Secure Methodology offers a way to overcome those. Here’s a quick introduction to the seven steps, which are the central theme in my book, <em><a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener">The Smartest Person in the Room</a>:</em></p>
<ul>
<li><strong><a href="https://christianespinosa.com/blog/the-secure-methodology-step-one-awareness/" target="_blank" rel="noopener">Awareness</a>:</strong> I mentioned awareness earlier and its importance in threat intelligence. It’s where the Secure Methodology begins, with the objective of opening people up to new perspectives, including those of cybercriminals. You can do this by coaching your people in a personalized way by understanding their motivations.</li>
<li><strong><a href="https://christianespinosa.com/blog/the-secure-methodology-step-two-mindset/" target="_blank" rel="noopener">Mindset</a>:</strong> Next is mindset, which is also very critical. You want to assist people in expanding their mindset from one that’s fixed to one that’s growing. Your people have to break outside of the black-and-white thinking that doesn’t allow for new ideas. The Secure Methodology offers exercises on reflection and accountability to foster this shift.</li>
<li><strong><a href="https://christianespinosa.com/blog/the-secure-methodology-step-three-acknowledgment/" target="_blank" rel="noopener">Acknowledgment</a>:</strong> In this phase, you must rethink how you acknowledge the work of your team (or start if you don’t do it at all). When you do this outwardly in response to how someone took intelligence and made a difference, it demonstrates to everyone that this is a means to an end. It also builds rapport and trust.</li>
<li><strong><a href="https://christianespinosa.com/blog/the-secure-methodology-step-four-communication/" target="_blank" rel="noopener">Communication</a>:</strong> Transforming technical people into better communicators isn’t easy, but it is always necessary. Open and transparent communication regarding threat intelligence is essential for it to be usable to deter hackers and thwart attacks.</li>
<li><strong><a href="https://christianespinosa.com/blog/the-secure-methodology-step-five-monotasking/" target="_blank" rel="noopener">Monotasking</a>:</strong> We are an industry of multitasking, but it’s not always a great way to be productive. Instead, encourage team members to do only one thing while they are assessing threat intelligence and not be distracted, which triggers more critical thinking.</li>
<li><strong><a href="https://christianespinosa.com/blog/the-secure-methodology-step-six-empathy/" target="_blank" rel="noopener">Empathy</a>:</strong> Step six refers to people being able to put themselves in the place of others. It aligns with all the stages before it and is crucial in deciphering and acting on threat intelligence. Your people have to think like hackers.</li>
<li><strong>Kaizen:</strong> The final stage is a Japanese term that translates to “continuous improvement.” It’s a step that never ends because cybersecurity will always need to evolve, and threat intelligence is a key driver for continuous adaptation.</li>
</ul>
<p>By applying the Secure Methodology, your organization can derive more value from threat intelligence, leading to better defenses. Get started today by <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener">reading my book</a> and exploring the <a href="https://programs.christianespinosa.com/the-secure-methodology" target="_blank" rel="noopener">Secure Methodology course</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://christianespinosa.com/blog/what-is-threat-intelligence-and-why-is-it-important-in-supporting-your-cyber-team/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>How to Upskill Cybersecurity Job Candidates to Transform Them Into High-Performers and Excellent Communicators</title>
		<link>https://christianespinosa.com/blog/how-to-upskill-cybersecurity-job-candidates-to-transform-them-into-high-performers-and-excellent-communicators/</link>
					<comments>https://christianespinosa.com/blog/how-to-upskill-cybersecurity-job-candidates-to-transform-them-into-high-performers-and-excellent-communicators/#respond</comments>
		
		<dc:creator><![CDATA[Christian Espinosa]]></dc:creator>
		<pubDate>Sun, 17 Sep 2023 19:09:14 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Secure Methodology]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[cybersecurity skills gap]]></category>
		<category><![CDATA[secure methodology]]></category>
		<guid isPermaLink="false">https://christianespinosa.com/?p=2852</guid>

					<description><![CDATA[<p>The cybersecurity workforce landscape is at a serious threat level. Millions of jobs are unfilled, and most companies state they can’t find qualified cybersecurity job candidates. If we continue on this trajectory, risks will rise and jeopardize the data and networks of thousands of businesses. As an industry, we must change how we hire, recruit, [&#8230;]</p>
<p>The post <a href="https://christianespinosa.com/blog/how-to-upskill-cybersecurity-job-candidates-to-transform-them-into-high-performers-and-excellent-communicators/">How to Upskill Cybersecurity Job Candidates to Transform Them Into High-Performers and Excellent Communicators</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img decoding="async" class="size-medium wp-image-2853 alignright" src="https://christianespinosa.com/wp-content/uploads/2023/09/campaign-creators-gMsnXqILjp4-unsplash-300x200.jpg" alt="cybersecurity training" width="300" height="200" srcset="https://christianespinosa.com/wp-content/uploads/2023/09/campaign-creators-gMsnXqILjp4-unsplash-300x200.jpg 300w, https://christianespinosa.com/wp-content/uploads/2023/09/campaign-creators-gMsnXqILjp4-unsplash-1024x683.jpg 1024w, https://christianespinosa.com/wp-content/uploads/2023/09/campaign-creators-gMsnXqILjp4-unsplash-768x512.jpg 768w, https://christianespinosa.com/wp-content/uploads/2023/09/campaign-creators-gMsnXqILjp4-unsplash-1536x1024.jpg 1536w, https://christianespinosa.com/wp-content/uploads/2023/09/campaign-creators-gMsnXqILjp4-unsplash-2048x1365.jpg 2048w, https://christianespinosa.com/wp-content/uploads/2023/09/campaign-creators-gMsnXqILjp4-unsplash-640x427.jpg 640w" sizes="(max-width: 300px) 100vw, 300px" />The cybersecurity workforce landscape is at a serious threat level. Millions of jobs are unfilled, and most companies state they can’t find qualified cybersecurity job candidates. If we continue on this trajectory, risks will rise and jeopardize the data and networks of thousands of businesses.</p>
<p>As an industry, we must change how we hire, recruit, and develop cybersecurity talent. <a href="https://christianespinosa.com/blog/cybersecurity-skills-based-hiring-why-tech-leaders-need-to-shift-their-idea-of-qualified/" target="_blank" rel="noopener">Expanding how you consider someone qualified</a> is a necessary step. Seeing the potential in someone who doesn’t necessarily check all the boxes is one way to address the shortage. For this to work long-term, upskilling must be a part of your employee development strategy.</p>
<p>This upskilling includes hard and soft skills because cyber job candidates need both to thrive. Let’s review the current cybersecurity workforce challenges, the facts about the skills gap, and how to upskill new hires.</p>
<h2>Cybersecurity Workforce Challenges</h2>
<p>Cybersecurity job growth is a bright spot in the tech industry, with many opportunities for someone to have a career that pays a good wage and is in demand. However, the field is currently experiencing significant shortages.</p>
<p>According to the <a href="https://www.isc2.org/-/media/ISC2/Research/2022-WorkForce-Study/ISC2-Cybersecurity-Workforce-Study.ashx" target="_blank" rel="noopener">(ISC)2 2022 Cybersecurity Workforce Study</a>, the global cybersecurity workforce grew to over 4.6 million, which is an 11.1% year-over-year increase. Unfortunately, 3.4 million jobs remain empty. As a result, many companies and cyber firms are operating without enough people, which can directly impact risk.</p>
<p>So, why is the industry struggling with recruitment and retention? It’s a complicated ecosystem, so there’s no easy answer. The cybersecurity workforce shortage is the result of several trends and occurrences, including:</p>
<ul>
<li>The cyber threat landscape is rapidly expanding, driving the demand for cyber professionals in all industries and businesses. In part, this is a supply and demand issue.</li>
<li>People leave the industry due to <a href="https://christianespinosa.com/blog/burnout-in-cybersecurity-can-you-prevent-it/" target="_blank" rel="noopener">burnout</a>. It’s a common problem in a high-stress environment, and most organizations aren’t doing enough to mitigate this. Without proper staffing, people have to do more work, which increases the feeling of burnout.</li>
<li>Younger generations aren’t choosing cybersecurity as a career. Only <a href="https://www.isaca.org/state-of-cybersecurity-2022" target="_blank" rel="noopener">12% of the cybersecurity workforce is 34 or younger</a>. The industry needs to find ways to connect with students to attract new people into the field.</li>
<li>Many organizations place too much emphasis on degrees and certifications, which often don’t correlate to having the right abilities, aptitudes, and attitudes. As a result, companies reject those who could be a better fit but need some upskilling.</li>
</ul>
<p>If the industry remains on this path, the shortages will only worsen. Intervention is necessary for the entire community. What you can do to ensure your data and networks remain under protection is to focus back on <a href="https://christianespinosa.com/blog/cybersecurity-skills-based-hiring-why-tech-leaders-need-to-shift-their-idea-of-qualified/" target="_blank" rel="noopener">skills-based hiring</a>.</p>
<h2>The Cybersecurity Skills Gap</h2>
<p>We can’t talk about the labor shortage without addressing the <a href="https://christianespinosa.com/blog/is-the-cybersecurity-skills-gap-fact-or-fiction-it-depends-on-the-skills/" target="_blank" rel="noopener">cybersecurity skills gap</a>. It would be great if every cybersecurity job candidate had years of experience and an array of skills. However, cyber leaders agree that a skills gap exists. According to the same workforce study cited above, 55% of hiring managers say applicants don’t meet the criteria of being qualified. The deficit here includes:</p>
<ul>
<li>Hands-on training and experience</li>
<li>Credentials</li>
<li>Degrees</li>
<li>Recommendations</li>
</ul>
<p>These things don’t always indicate that the person can do the job. The same study also looked at specific skills with gaps, which are the ones that matter in terms of upskilling. The skills in demand and often lacking are:</p>
<ul>
<li>Soft skills (e.g., communication, leadership, adaptability)</li>
<li>Cloud computing</li>
<li>Security controls (e.g., network, application, endpoint, implementation)</li>
<li>Coding skills</li>
<li>Software development-related topics (e.g., machine code, testing, languages, deployment)</li>
<li>Data-related topics (e.g., characteristics, collection, classification, processing, structure)</li>
<li>Network-related topics (e.g., architecture, networking components)</li>
<li>Pattern analysis</li>
<li>System hardening</li>
<li>Computing devices (e.g., software, hardware, file systems)</li>
</ul>
<p>It’s a mix of soft and hard skills, but the latter was at the top of the list. It’s possible to develop both of these in an individual who has the desire to learn and evolve. Those abilities aren’t always apparent in technical folks. However, if they are willing and have a good foundation to start from, upskilling can be the key to keeping great people long-term and continuously improving.</p>
<p>So, what’s the upskilling plan?</p>
<h2>Building an Upskilling Plan for Cybersecurity Job Candidates</h2>
<p>The first part of the plan should start with a clean slate of qualifications. Define what is imperative and what someone can learn over time. Get to the root of what makes someone a good cyber professional and what attributes they should possess.</p>
<p>In upskilling, you’ll have two paths — technical and soft skill development.</p>
<h3>Addressing Technical Upskilling</h3>
<p>In looking back at the list of skills above, those in the technical category are pretty standard. That’s a good starting point, but you should also consider the future and add training around AI tools and use cases. The curriculum will evolve as the threat landscape does.</p>
<p>How will they learn these skills? You need to create a learning environment for employees. This can include hands-on training internally, certification classes that you determine as high-quality, and other resources. Making continuing skill development part of your recruitment and retention strategy can attract people to your company and ensure you keep high-performers.</p>
<p>The other part of this is soft skills, and the plan to develop these in technical folks can be more demanding and challenging.</p>
<h3>Improving Soft Skills in Cybersecurity</h3>
<p>Soft skill development is a path that requires commitment and consistency. It’s about behavior change, and there can be many growing pains. First and foremost, you want to find cybersecurity job candidates who are open to this. Sometimes that might not be obvious until you have a few conversations and try to understand what motivates them and if they can handle flexibility.</p>
<p>Transforming anyone into a better communicator and collaborator isn’t easy. With technical folks, it can be harder, as they often have fixed mindsets, see things as black-and-white, and believe they know all the answers. These people could have impressive technical prowess, but these attitudes won’t fit into a healthy culture where everyone is open and transparent. Are they lost causes? No, but again, they must want to change.</p>
<p>You can drive this change with guidance from the Secure Methodology™. It’s a seven-step process that I developed because of the soft skill deficiency and recognizing its value in creating and maintaining a strong cybersecurity posture.</p>
<h2>The Secure Methodology: The Framework for Soft Upskilling</h2>
<p>Here’s a preview of each step and how you can leverage it to improve the soft skills of technical people:</p>
<h3>Awareness</h3>
<p>The guide starts with <a href="https://christianespinosa.com/blog/the-secure-methodology-step-one-awareness/" target="_blank" rel="noopener">awareness</a>, with the objective of being mindful of the self and others. When this is missing, people don’t see or understand how their behavior affects others. If this is rampant in a culture, conflict and resentment build. With exercises on reflection and perspective, people can get to a state of awareness that improves how they interact with others.</p>
<h3>Mindset</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-two-mindset/" target="_blank" rel="noopener">Mindset</a> is crucial in soft skills, and every person on your team needs an open one. A person cannot change without it. Key to this is defining someone’s motivations and why they respond as they do. In this step, the <a href="https://christianespinosa.com/blog/finding-your-purpose-in-life-understanding-the-7-levels-deep-exercise/" target="_blank" rel="noopener">7 Levels Deep Exercise</a> is a good foundation.</p>
<h3>Acknowledgment</h3>
<p>The third step is <a href="https://christianespinosa.com/blog/the-secure-methodology-step-three-acknowledgment/" target="_blank" rel="noopener">acknowledgment</a>. There are several layers to this step. First, it encompasses feedback and its value to cyber professionals. Your staff wants to hear from you about accomplishments and how they are helping the organization. Not all feedback will be positive, and accountability matters, but you should do this in one-on-one conversations. Ensuring that your team feels appreciated and valued will prompt them to adapt with less friction.</p>
<p>Second is acknowledging that cybersecurity is difficult and filled with uncertainty. You set the tone of the culture, and if you do this well, your team will follow, enhancing their people skills.</p>
<h3>Communication</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-four-communication/" target="_blank" rel="noopener">Communication</a> is the fourth step and the most essential soft skill for anyone. It’s never a bad investment to develop someone’s communication skills. Just be clear on what this means. Being a good communicator and articulate aren’t the same thing. Yes, what we say matters, but most communication isn’t verbal.</p>
<p>An excellent communicator is clear, concise, and transparent. They also recognize the needs of the audience and listen to them fully. Assessing candidates based on communication skills can involve prompting them to share real-life stories about how they used it to overcome challenges.</p>
<p>Listen for their use of geek speak or overly technical terms. This could be a red flag if they aren’t willing to drop the posturing.</p>
<h3>Monotasking</h3>
<p>Next is <a href="https://christianespinosa.com/blog/the-secure-methodology-step-five-monotasking/" target="_blank" rel="noopener">monotasking</a>; it’s a soft skill you don’t hear much about. Most technical people have been doing the opposite — multitasking. Many believe this is a valuable trait. It is important to be able to juggle priorities, but blocking off specific time to concentrate on one task can make people more productive and eliminate feelings of being in fight-or-flight mode all the time. They will need to act quickly at times and move around priorities, but encouraging monotasking lets people think more critically and problem-solve more effectively.</p>
<h3>Empathy</h3>
<p>In the Secure Methodology, <a href="https://christianespinosa.com/blog/the-secure-methodology-step-six-empathy/" target="_blank" rel="noopener">cognitive empathy</a> is the sixth step. This type of empathy is the ability to understand another’s feelings and perspectives. It’s crucial to a person’s ability to be a great communicator and collaborator. Much of this relates to stripping down egos and dynamics of “me vs. them.” You can’t have a successful cybersecurity strategy and team without empathy.</p>
<p>Human connection is vital in cybersecurity, and in this phase, you support people to become more empathetic.</p>
<h3>Kaizen</h3>
<p>The last step is kaizen. It’s a Japanese term meaning “continuous improvement.” It’s the step that never ends and focuses on adaptability and flexibility. When you reach this phase, your staff should be in a state where they want to continue to develop their soft skills and transfer them to others.</p>
<h2>Upskill Cybersecurity Job Candidates with the Secure Methodology</h2>
<p>The Secure Methodology provides a framework and tools to transform candidates lacking skills. It’s a proven way to change behavior, with benefits for the person and the organization.</p>
<p>Get more insights on each step by reading my book, <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener"><em>The Smartest Person in the Room</em></a>. You can also explore how to apply it in the <a href="https://programs.christianespinosa.com/the-secure-methodology" target="_blank" rel="noopener">Secure Methodology course</a>.</p>
<p>The post <a href="https://christianespinosa.com/blog/how-to-upskill-cybersecurity-job-candidates-to-transform-them-into-high-performers-and-excellent-communicators/">How to Upskill Cybersecurity Job Candidates to Transform Them Into High-Performers and Excellent Communicators</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://christianespinosa.com/blog/how-to-upskill-cybersecurity-job-candidates-to-transform-them-into-high-performers-and-excellent-communicators/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>How to Build a Cybersecurity Team from Scratch Using the Secure Methodology™</title>
		<link>https://christianespinosa.com/blog/how-to-build-a-cybersecurity-team-from-scratch-using-the-secure-methodology/</link>
					<comments>https://christianespinosa.com/blog/how-to-build-a-cybersecurity-team-from-scratch-using-the-secure-methodology/#respond</comments>
		
		<dc:creator><![CDATA[Christian Espinosa]]></dc:creator>
		<pubDate>Sun, 17 Sep 2023 19:03:36 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Secure Methodology]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[leadership]]></category>
		<category><![CDATA[secure methodology]]></category>
		<guid isPermaLink="false">https://christianespinosa.com/?p=2850</guid>

					<description><![CDATA[<p>Building a cybersecurity team comes with many challenges. So many factors are impacting the ability to do this effectively and efficiently. The cybersecurity workforce shortage means more competition for talent, but you can’t be confident all those vying for positions have the hard and soft skills to succeed and thrive. On top of all this, the threat [&#8230;]</p>
<p>The post <a href="https://christianespinosa.com/blog/how-to-build-a-cybersecurity-team-from-scratch-using-the-secure-methodology/">How to Build a Cybersecurity Team from Scratch Using the Secure Methodology™</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img decoding="async" class="size-medium wp-image-2851 alignright" src="https://christianespinosa.com/wp-content/uploads/2023/09/annie-spratt-QckxruozjRg-unsplash-300x200.jpg" alt="cybersecurity team" width="300" height="200" srcset="https://christianespinosa.com/wp-content/uploads/2023/09/annie-spratt-QckxruozjRg-unsplash-300x200.jpg 300w, https://christianespinosa.com/wp-content/uploads/2023/09/annie-spratt-QckxruozjRg-unsplash-1024x683.jpg 1024w, https://christianespinosa.com/wp-content/uploads/2023/09/annie-spratt-QckxruozjRg-unsplash-768x512.jpg 768w, https://christianespinosa.com/wp-content/uploads/2023/09/annie-spratt-QckxruozjRg-unsplash-1536x1025.jpg 1536w, https://christianespinosa.com/wp-content/uploads/2023/09/annie-spratt-QckxruozjRg-unsplash-640x427.jpg 640w" sizes="(max-width: 300px) 100vw, 300px" />Building a cybersecurity team comes with many challenges. So many factors are impacting the ability to do this effectively and efficiently. The <a href="https://christianespinosa.com/blog/diagnosing-the-root-causes-of-the-cyber-workforce-shortage/" target="_blank" rel="noopener">cybersecurity workforce shortage</a> means more competition for talent, but you can’t be confident all those vying for positions have the hard and soft skills to succeed and thrive. On top of all this, the threat landscape keeps expanding as cybercriminals develop new tools and strategies to exploit weaknesses.</p>
<p>So, what can you do as a cybersecurity leader? As someone who’s been in the position, I have some insights to share on how to accomplish this. Keep reading for strategies, tips, and info about the Secure Methodology as a framework for constructing a cybersecurity team.</p>
<h2>Steps to Take to Build a Sustainable Cybersecurity Team</h2>
<p>Where should you start on this journey? Should you jump right into recruiting and hiring? I would urge you to first develop a strategy, define the tools you need, and create some principles for the culture you hope to cultivate.</p>
<p>To do this, follow these steps:</p>
<h3>Acknowledge that cybersecurity is a people problem and let that guide your strategy.</h3>
<p>It’s easy to blame the breaches and attacks in the cyber world on technology. Without it, there wouldn’t be an issue, but categorizing it only this way is a fallacy. Behind every attack is a person. Every defense also has human intelligence executing it, and most causes of cyber incidents relate to someone’s errors, mistakes, or intentions.</p>
<p>It’s very much a people problem, and that fundamental principle should guide your team-building strategy. Yes, there are lots of great cyber tools out there that are leveraging AI and enabling automation. You need those, but the people charged with managing them need knowledge and skills to do so. Those skills must include soft ones, as the human issue in cybersecurity won’t find a resolution with staff that cannot communicate or collaborate.</p>
<p>There is a current soft skills gap in every industry, including cybersecurity. The people who are a good fit for your roles may not possess these. If they are curious to learn and motivated to evolve, they can be great additions to your team.</p>
<h3>Ensure the bad guys are cybercriminals, not internal.</h3>
<p>Another element of creating a cybersecurity team is to eliminate the “us vs. them” mentality that often happens between technical and business folks. You’re all on the same side, but much of that can get lost in translation. The business side may not take cybersecurity as seriously as they should, frustrating cyber professionals. There’s animosity on your side, too, as your team may resent others, especially when they have questions and challenges.</p>
<p>It&#8217;s critical to put the target back on the real enemy’s head. There must be balance and cooperation between business and technical groups. You don’t want to bring someone on who fails to understand the perspective of others. Employees like this will degrade the trust and credibility of your team and do anything to avoid being wrong. You can spot this in how they respond to queries about collaborating and in whether they do a lot of posturing.</p>
<h3>Look for a wide range of skills.</h3>
<p>You have to define the requirements you want in your team, which should include various abilities and aptitudes. In doing so, you have to <a href="https://christianespinosa.com/blog/cybersecurity-skills-based-hiring-why-tech-leaders-need-to-shift-their-idea-of-qualified/" target="_blank" rel="noopener">shift your definition of qualified</a>. The majority of cyber leaders believe applicants don’t have the right qualifications, according to the <a href="https://www.isaca.org/state-of-cybersecurity-2022" target="_blank" rel="noopener">State of Cybersecurity 2022 report</a>. What they say people lack includes hands-on experience and training along with credentials and degrees.</p>
<p>The hands-on part makes sense because you want people to have real-world interactions. One cannot get this without opportunity. It’s especially true for younger generations, who we need to join the field. These people could be bright and eager to learn, making them excellent hires.</p>
<p>Credentials and degrees can demonstrate skill sets but not always. Often, people look great on paper because of these achievements but lack the knowledge to apply what they learned in classes. The learning may also be insufficient, especially for courses that validate aptitude based on multiple-choice tests. You can only be confident in one thing for those passing these — they can memorize answers. Beware of these “<a href="https://christianespinosa.com/blog/cybersecurity-paper-tigers-are-killing-us/" target="_blank" rel="noopener">paper tigers</a>.”</p>
<p>Instead, use skills-based hiring models. This approach focuses on a candidate with specific competencies that directly relate to the work. It involves soft and hard skills.</p>
<h3>Develop your recruitment strategy on skills-based hiring.</h3>
<p>Building a strong, multi-dimensional team requires a mix of people. Not everyone has to be strong in everything. You can create a staff who can learn from each other and you.</p>
<p>With skills-based hiring, you can:</p>
<ul>
<li>Identify people with abundant soft skills and a desire to improve their technical skills.</li>
<li>Find candidates who have familiarity with all areas of cybersecurity but don’t have real-world experience yet and develop them.</li>
<li>Attract people newly entering the workforce and those starting over, which can help you build that right mix.</li>
<li>Assess people holistically instead of only looking at their technical aptitude.</li>
<li>Reduce barriers for people getting a shot at a cyber career who didn’t attend college.</li>
</ul>
<p>Putting together a team of cyber professionals in this manner can lead to a strong and healthy culture. It can also decrease risk and ensure that <a href="https://christianespinosa.com/blog/why-cybersecurity-deserves-a-seat-at-the-leadership-table/" target="_blank" rel="noopener">cybersecurity has a seat at the table</a> to influence business decisions. You simply won’t be able to do that if you hire with bias found in the old ideals of “qualified.”</p>
<p>All these ideas and opportunities align directly with the Secure Methodology, which is a seven-step process of transforming people with purely technical and closed mindsets into great communicators and partners.</p>
<h2>The Secure Methodology and Building Your Cybersecurity Team</h2>
<p>The Secure Methodology is the foundation for creating and maintaining a team that thrives and is adaptable. I based it on my own experiences and observations of what was going wrong in cybersecurity, which is a people problem.</p>
<p>Here’s a glimpse of each step and how it can support your hiring strategy:</p>
<h3>Awareness</h3>
<p>The process kicks off with <a href="https://christianespinosa.com/blog/the-secure-methodology-step-one-awareness/" target="_blank" rel="noopener">awareness</a>. It pertains to both self and others. Without it, people don’t understand the impact of their behavior on relationships and communication. It’s about opening up people’s blind spots.</p>
<p>Will every candidate already have awareness? And how do you evaluate this? Most people lack awareness to some extent, so it often requires development. You can assess someone’s state of awareness or willingness to get there by asking them to reflect and tell you about a challenging time and how they handled their interactions with others.</p>
<h3>Mindset</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-two-mindset/" target="_blank" rel="noopener">Mindset</a> is critical for anyone’s ability to grow and evolve. Those with a fixed mindset will resist any type of change. It’s a problem for technical people because they desire absolutes, but cybersecurity is a dynamic and volatile field! It’s kind of a paradox, so be observant of how people communicate about themselves and their experiences. This can give you a good idea of how open their mindset is and if they’ll be a good fit for your team.</p>
<h3>Acknowledgment</h3>
<p>Next is <a href="https://christianespinosa.com/blog/the-secure-methodology-step-three-acknowledgment/" target="_blank" rel="noopener">acknowledgment</a>, which you’ll want to make a pillar of your culture. Technical employees crave feedback and understanding of their place in the business. Of course, they must also be receptive to it because it won’t always be positive. You also want to know if someone can acknowledge the work and contributions of others within the group or outside of it.</p>
<h3>Communication</h3>
<p>The fourth step is <a href="https://christianespinosa.com/blog/the-secure-methodology-step-four-communication/" target="_blank" rel="noopener">communication</a>, and it’s the most important concept when creating a team. We can’t do anything well without honest, transparent, and consistent communication.</p>
<p>Being a good communicator doesn’t just mean being articulate. In the world of cybersecurity, your team must be clear about what they need, the challenges they face, and what’s really happening in the threat landscape. They also have to be active listeners to be good collaborators.</p>
<p>You can likely assess someone’s communication skills within the context of your conversations. Look for those who can clearly express big ideas and don’t use geek speak. If they show signs of this and seem to be listening to you, it’s a good sign, and you can continue to help them master this skill.</p>
<h3>Monotasking</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-five-monotasking/" target="_blank" rel="noopener">Monotasking</a> is the fifth step, and it means concentrating on one task or project at a time without disruptions. It’s hard to find anyone who monotasks much in the workforce, where we seem always to be doing five things at once.</p>
<p>You can talk about monotasking in interviews to see someone’s reaction to it. Do they think it’s bad for productivity or impossible? Emphasize that you believe it to be a critical component of the workday because it enables critical thinking and problem solving, which are two huge assets in cybersecurity.</p>
<h3>Empathy</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-six-empathy/" target="_blank" rel="noopener">Empathy</a> is the sixth step, and in this connotation, it means the ability to understand someone’s perspective and feelings. It’s one of the hardest things for anyone to build, and yes, we must learn it. We are not innately empathetic. Achieving this can help with stress, burnout, and frustration toward others.</p>
<p>In speaking with prospective hires, ask them about a time when empathy would have been a good response to a problem. The answers they give can reveal a lot about their inner workings.</p>
<h3>Kaizen</h3>
<p>The last step is Kaizen. It’s a Japanese term that means “change for the better.” It never ends because continuous improvement is forever. When hiring, you want to put people on your team who believe in this approach to work.</p>
<p>Ready to learn more about the Secure Methodology? Start by reading <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener"><em>The Smartest Person in the Room</em></a> and explore the <a href="https://programs.christianespinosa.com/the-secure-methodology" target="_blank" rel="noopener">Secure Methodology course</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://christianespinosa.com/blog/how-to-build-a-cybersecurity-team-from-scratch-using-the-secure-methodology/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Silos Weaken Your Cybersecurity Posture, Collaboration Makes It Stronger</title>
		<link>https://christianespinosa.com/blog/silos-weaken-your-cybersecurity-posture-collaboration-makes-it-stronger/</link>
					<comments>https://christianespinosa.com/blog/silos-weaken-your-cybersecurity-posture-collaboration-makes-it-stronger/#respond</comments>
		
		<dc:creator><![CDATA[Christian Espinosa]]></dc:creator>
		<pubDate>Sun, 17 Sep 2023 18:58:03 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Secure Methodology]]></category>
		<category><![CDATA[cybersecurity silos]]></category>
		<category><![CDATA[secure methodology]]></category>
		<guid isPermaLink="false">https://christianespinosa.com/?p=2847</guid>

					<description><![CDATA[<p>Silos are a common theme in many businesses. It can occur in any industry, department, or team. The reasons this is all too prevalent are many, from cultural issues to not sharing data to a lack of communication. Silos undermine an organization’s ability to be proactive and agile, weakening its cybersecurity posture. So, how did [&#8230;]</p>
<p>The post <a href="https://christianespinosa.com/blog/silos-weaken-your-cybersecurity-posture-collaboration-makes-it-stronger/">Silos Weaken Your Cybersecurity Posture, Collaboration Makes It Stronger</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="size-medium wp-image-2848 alignright" src="https://christianespinosa.com/wp-content/uploads/2023/09/waldemar-3606sCbKRZM-unsplash-300x243.jpg" alt="cybersecurity silos" width="300" height="243" srcset="https://christianespinosa.com/wp-content/uploads/2023/09/waldemar-3606sCbKRZM-unsplash-300x243.jpg 300w, https://christianespinosa.com/wp-content/uploads/2023/09/waldemar-3606sCbKRZM-unsplash-1024x829.jpg 1024w, https://christianespinosa.com/wp-content/uploads/2023/09/waldemar-3606sCbKRZM-unsplash-768x622.jpg 768w, https://christianespinosa.com/wp-content/uploads/2023/09/waldemar-3606sCbKRZM-unsplash-1536x1244.jpg 1536w, https://christianespinosa.com/wp-content/uploads/2023/09/waldemar-3606sCbKRZM-unsplash-2048x1659.jpg 2048w, https://christianespinosa.com/wp-content/uploads/2023/09/waldemar-3606sCbKRZM-unsplash-640x518.jpg 640w" sizes="(max-width: 300px) 100vw, 300px" />Silos are a common theme in many businesses. They can occur in any industry, department, or team. The reasons this is all too prevalent are many, from cultural issues to not sharing data to a lack of communication. Silos undermine an organization’s ability to be proactive and agile, weakening its cybersecurity posture.</p>
<p>So, how did cybersecurity become so siloed? And what can you do to break silos down?</p>
<h2>Why Silos Exist in Cybersecurity</h2>
<p>Cybersecurity often sits in a walled garden, with little interaction with the business side of an organization. There have been some shifts to bring it into the fold, with CISOs (chief information security officers) now <a href="https://christianespinosa.com/blog/why-cybersecurity-deserves-a-seat-at-the-leadership-table/" target="_blank" rel="noopener">having a seat at the table with the C-suite</a>.</p>
<p>This demonstrates progress, but the silos have stood for a long time, so they are very much a current problem. There are several reasons why they exist, including:</p>
<ul>
<li>Businesses believing cybersecurity impedes innovation and growth and intentionally wanting to keep it separate</li>
<li>The increased number of attacks and threats cybersecurity teams must defend against, which keeps them in a reactive mode instead of a proactive one</li>
<li>Failures in communication that leave cybersecurity and other parts of the company unaware of the landscape and its evolution</li>
<li>No shared accountability for cybersecurity throughout the organization, which leaves cybersecurity on an island when it comes to security and resilience</li>
<li>Company leadership not treating cybersecurity as a business enabler, which can impact budgets, staff numbers, and resource allocation</li>
<li>No initiatives to build partnerships across the organization between cybersecurity and other teams</li>
</ul>
<p>All these reasons have a foundation in disconnection. When cybersecurity isn’t a critical part of an organization, it’s easy for silos to stay in place.</p>
<p>Those silos can exist within teams as well.</p>
<h2>Cybersecurity Silos Are Present Within Technical Teams</h2>
<p>It’s not just the enterprise-wide silos you have to worry about. Chances are they are also creating walls within your people. These may be even harder to conquer because of the nature of the job and the characteristics of individuals.</p>
<p>Silos within cybersecurity occur primarily because cyber professionals never want to be wrong. They concentrate on always being the smartest person in the room. When others question their stance, internally or externally, they find solace in silos where they have all the control.</p>
<p>If this sounds familiar, you’re not alone. It’s all too common in the cybersecurity workforce to have people operating independently without much awareness of what others are doing. Furthermore, many don’t care. They have surety in their capabilities and don’t want to share or collaborate because it could lead to them being wrong.</p>
<p>The silo mentality leads to the things that are threatening the cybersecurity workforce — unhealthy cultures, <a href="https://christianespinosa.com/blog/burnout-in-cybersecurity-can-you-prevent-it/" target="_blank" rel="noopener">burnout</a>, and an uneven work-life balance. These were all reasons that cyber professionals left jobs, according to the <a href="https://www.isc2.org/-/media/ISC2/Research/2022-WorkForce-Study/ISC2-Cybersecurity-Workforce-Study.ashx" target="_blank" rel="noopener">(ISC)2 Cybersecurity Workforce Study</a>.</p>
<p>Dissatisfaction in a cyber job has more to do with organizational issues than the work. Silos are a threat to your team and cybersecurity posture. They breed resentment and disengagement. It’s bad for everyone, but it’s difficult to transform mindsets and perspectives from a silo perspective to a collaborative one. For this shift to occur, you have to focus more on soft skills than technical ones.</p>
<h2>Silos Keep People From Adapting and Changing</h2>
<p>As noted, silos can seem like safe places for cyber professionals who cling to certainty and believe they don’t need others to do their job well. What it actually does is keep people in a state of stagnation. They won’t grow or change because doing so would mean they have to accept that they don’t know everything. That’s too big of a pill to swallow for many without intervention.</p>
<p>Those who crave the safety of a silo aren’t bad people (usually). It is possible for them to get to a point where they’ll embrace the gray that cybersecurity lives in, moving away from <a href="https://christianespinosa.com/blog/cybersecurity-isnt-black-and-white-why-cyber-leaders-and-their-teams-must-embrace-the-gray/" target="_blank" rel="noopener">black-and-white thinking</a>.</p>
<p>Cybersecurity is a dynamic industry, indicating that evolving practices and protocols are necessary. Even if you consistently improve your strategies and ways to manage and eliminate threats, that doesn’t mean that silos aren’t still present. They show themselves in many different ways, from how your employees work with other groups to how they handle user interactions and what happens when a threat becomes a reality.</p>
<h2>How Silos Put Your Cybersecurity Posture At Risk</h2>
<p>On the threat landscape, there are a million things that increase risk. As networks grow, workers remain remote, and implementations of new technology rise, there’s risk everywhere. You have to defend against phishing, malware, and ransomware, which requires a united front and effort. Silos make this harder.</p>
<p>When silos exist within the department or in the company, it becomes very difficult for a cyber team to be proactive against these threats. Being proactive requires everyone to work together from a defined strategy. It involves a lot of communication and movement across the organization to establish and maintain your “protective shield” against attacks.</p>
<p>Attempting to reduce or eliminate risk is a journey that never ends or stays the same. Doing this well really means working as a team. Even if you have lots of protocols and tools in place, a silo doesn’t crack so easily. And often, people can do just enough to collaborate, but true transparency is still missing.</p>
<p>As a result, errors and mistakes occur. Assumptions about who’s doing what and when are usually wrong, and gaps in your cybersecurity posture widen. It gives hackers an opportunity to exploit these weaknesses, so having silos is a helping hand to cybercriminals. If you want to prepare your organization to be cyber-resilient, you have to focus on growing your team’s people skills.</p>
<h2>Development of People Skills Is a Silo Breaker</h2>
<p>When individuals improve their people skills, they see the value in working together. They understand that silos are holding them back and want to work in a culture that thrives in teamwork.</p>
<p>It would be great if people could come to this realization on their own. Some never will, but many are willing to commit to developing their soft skills, especially when they realize it can decrease risk. Ultimately, most cyber professionals got into this field because they are passionate about security. If they know that their behaviors and actions have impacted their cybersecurity posture, they may be even more eager to change and adapt.</p>
<p>So, how does this happen in the real world? It won’t occur without a framework and strategy. You can’t start this journey without a map, and you’ll find one in the Secure Methodology™.</p>
<h2>The Secure Methodology Transforms Silos</h2>
<p>The Secure Methodology is a seven-step guide to transforming technical people into excellent communicators and collaborators. Each step seeks to resolve the major problems that exist in the <a href="https://christianespinosa.com/blog/diagnosing-the-root-causes-of-the-cyber-workforce-shortage/" target="_blank" rel="noopener">cybersecurity workforce</a>, supporting people as they pursue a new mindset and perspective. Here’s how each step can knock down those silos for good:</p>
<h3>Awareness</h3>
<p>The Secure Methodology starts with <a href="https://christianespinosa.com/blog/the-secure-methodology-step-one-awareness/" target="_blank" rel="noopener">awareness</a> of self and others. When awareness is lacking, silos flourish because there’s no connection. Technical folks will remain on their own island, causing friction and antipathy.</p>
<p>You can use coaching methods within this step to drive people to open their eyes and realize the detriment of silos. You can also learn about their motivations, which will be vital in changing behavior.</p>
<h3>Mindset</h3>
<p>Next is <a href="https://christianespinosa.com/blog/the-secure-methodology-step-two-mindset/" target="_blank" rel="noopener">mindset</a>, and it’s a key contributor to silos. When people have a fixed mindset, they have tunnel vision and no desire to change. This step is about helping them open it, which can occur with reflection, asking questions, and working as a team in decision-making.</p>
<h3>Acknowledgment</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-three-acknowledgment/" target="_blank" rel="noopener">Acknowledgment</a> is the third step, and the lack of it is another cause of silos. Acknowledgment means recognizing people for their efforts regularly. They want and need praise to feel part of something, which is critical to breaking down silos. Part of this is also acknowledging that no one can know everything about cybersecurity but that collectively, we all have a better shot at defending against threats.</p>
<h3>Communication</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-four-communication/" target="_blank" rel="noopener">Communication</a> is the fourth step but is crucial in all the others too. Communication is the single biggest tool you have to remove silos. Consistent, transparent, and clear communication within your team and outside of it ensures that silos don’t form or stay.</p>
<p>Working on communication isn’t easy. It takes a lot of practice and learning new ways to share information and listen.</p>
<h3>Monotasking</h3>
<p>Next is <a href="https://christianespinosa.com/blog/the-secure-methodology-step-five-monotasking/" target="_blank" rel="noopener">monotasking</a>, which means workers focus only on one task. It’s the opposite of multitasking, which often leads to sloppy work. People receive praise for multitasking, yet it’s a problem in cybersecurity.</p>
<p>In terms of silos, if you encourage people to block time to work on specific things without distraction, they can use critical thinking skills and balance their workload. Gaining these things supports a collaborative workforce where there’s even distribution of work and team support.</p>
<h3>Empathy</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-six-empathy/" target="_blank" rel="noopener">Empathy</a> is an essential soft skill that we have to learn and develop. Silos can’t function in an empathetic culture because people can see the perspective of others. When they do, there’s no longer a “me vs. them” mentality. This step includes exercises to help people foster this skill.</p>
<h3>Kaizen</h3>
<p>The last step is kaizen, which is a Japanese term meaning “continuous improvement.” It’s a stage that never ends with an emphasis on root cause analysis. If your team can embody this, silos won’t have fertile ground.</p>
<p>Using the Secure Methodology is a proven path for transformation and removing silos. You can learn more about it in my book, <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener"><em>The Smartest Person in the Room</em></a>, and in the <a href="https://programs.christianespinosa.com/the-secure-methodology" target="_blank" rel="noopener">course</a>.</p>
<p>The post <a href="https://christianespinosa.com/blog/silos-weaken-your-cybersecurity-posture-collaboration-makes-it-stronger/">Silos Weaken Your Cybersecurity Posture, Collaboration Makes It Stronger</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://christianespinosa.com/blog/silos-weaken-your-cybersecurity-posture-collaboration-makes-it-stronger/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Diagnosing the Root Causes of the Cyber Workforce Shortage</title>
		<link>https://christianespinosa.com/blog/diagnosing-the-root-causes-of-the-cyber-workforce-shortage/</link>
					<comments>https://christianespinosa.com/blog/diagnosing-the-root-causes-of-the-cyber-workforce-shortage/#respond</comments>
		
		<dc:creator><![CDATA[Christian Espinosa]]></dc:creator>
		<pubDate>Sun, 23 Jul 2023 19:16:24 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Secure Methodology]]></category>
		<category><![CDATA[cybersecurity skills gap]]></category>
		<category><![CDATA[secure methodology]]></category>
		<guid isPermaLink="false">https://christianespinosa.com/?p=2842</guid>

					<description><![CDATA[<p>The cyber workforce shortage has been the talk of the industry for the past few years. Many jobs remain unfilled, and experts predict that will only grow. The reason for this gap is the result of many different factors. At the heart of the problem are root causes. The field can attract and retain workers [&#8230;]</p>
<p>The post <a href="https://christianespinosa.com/blog/diagnosing-the-root-causes-of-the-cyber-workforce-shortage/">Diagnosing the Root Causes of the Cyber Workforce Shortage</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class=" wp-image-2843 alignright" src="https://christianespinosa.com/wp-content/uploads/2023/07/museums-victoria-7YUvAUbfSV0-unsplash.jpg" alt="cybersecurity skills gap" width="393" height="271" />The cyber workforce shortage has been the talk of the industry for the past few years. Many jobs remain unfilled, and experts predict that number will only grow. This gap is the result of many different factors. At the heart of the problem are root causes. The field can attract and retain workers by identifying these and working to overcome them.</p>
<p>In this post, we’ll look at the data, diagnose the root causes, and define how to close the gap.</p>
<h2>The Data on the Cyber Workforce Shortage</h2>
<p>There is a lot of data on the <a href="https://christianespinosa.com/blog/the-2023-cybersecurity-workforce-landscape/" target="_blank" rel="noopener">cybersecurity workforce landscape</a>. It’s a pervasive issue, so reports and surveys that uncover the why are in high demand. We’ll look at the <a href="https://www.isc2.org/-/media/ISC2/Research/2022-WorkForce-Study/ISC2-Cybersecurity-Workforce-Study.ashx" target="_blank" rel="noopener">(ISC)² 2022 Cybersecurity Workforce Study</a> and the <a href="https://www.isaca.org/state-of-cybersecurity-2022" target="_blank" rel="noopener">ISACA State of Cybersecurity 2022 Report</a>.</p>
<p>The workforce study detailed that the global cybersecurity workforce grew to over 4.6 million, which was an 11% year-over-year increase. Even with this increase, there are still 3.4 million jobs that are vacant. It’s something that’s keeping cyber leaders up at night. Survey respondents had this to say:</p>
<ul>
<li>Organizations with a significant staff shortage had more concerns about risk, with 74% stating it was extreme or moderate.</li>
<li>60% of organizations said they are struggling to keep up with turnover.</li>
<li>70% of companies have challenges with retention.</li>
<li>It takes, on average, three to six months to fill an empty role.</li>
<li>There is a correlation between cyber professionals not feeling their input is welcome and valued and low employee experience ratings.</li>
<li>Younger generations have new expectations in work, with this group more concerned about emotional health, Diversity, Equity, and Inclusion (DEI), and having a voice.</li>
</ul>
<h2>What Conclusions About the Workforce Gap Can We Make Based on the Data?</h2>
<p>So, why does this gap exist? It’s complicated, and many things driving it are outside your control. We can draw some conclusions from the data that diagnose what’s happening.</p>
<h3>More Threats Drive Demand for Cyber Professionals</h3>
<p>First, the demand for more cyber professionals would, of course, increase as cyber threats do. Cybersecurity is about identifying and mitigating risk, so it doesn’t exist without the threat landscape. It keeps us all gainfully employed, but consider how much it has evolved in the past few years.</p>
<p><a href="https://christianespinosa.com/blog/ransomware-attacks-new-ways-to-exploit-old-vulnerabilities/" target="_blank" rel="noopener">Ransomware</a> is more prevalent than ever. The means to carry these out have become much more sophisticated. It’s a favorite tactic for hackers, mainly involving financial gain as the desired outcome. Cybercriminals are using old and new weaknesses to attempt to seize control of applications, data, and systems.</p>
<p>Cybercrime-as-a-service enables a new group of criminals to hire hackers on the dark web to do their bidding. You can now choose from a “menu” of attacks, from phishing to ransomware to AI-enabled cybercrimes. No one has to be a cyber genius to launch these attacks. Hacking is now more accessible—a commodity even. As a result, the threat landscape broadens.</p>
<p>Hacktivism is another emerging trend that’s increasing risk. For the first half of 2022, DDoS (distributed denial of service) attacks increased by <a href="https://www.radware.com/pleaseregister.aspx/?returnurl=18bf850e-6320-44a7-85e3-65f9ef072dc8" target="_blank" rel="noopener">203%</a> over 2021, with many of these fitting the hacktivism label. It’s a different motivation for these cyber criminals and impacts businesses even if they don’t have social or political ties.</p>
<p>Then you have all the <a href="https://christianespinosa.com/blog/will-ai-and-machine-learning-help-or-hurt-cybersecurity/" target="_blank" rel="noopener">advancements that AI brings to the hacker toolbox</a>. It enables them to improve phishing campaigns and send them out more quickly. It can help them gather data for attacks, create deepfakes, hide malware, and break passwords and CAPTCHAs.</p>
<p>These are just some highlights, but they represent all the risks and threats that cyber professionals must defend against every day. For organizations, it’s a driving need to hire more people and keep them.</p>
<h3>Retention Is a Concern, and Burnout Plays a Role</h3>
<p>The job of a cyber professional can have moments of high pressure and stress. Without a healthy culture to balance this and consistent communication, this can lead to burnout. If you don’t have enough people, then those you do have end up with more and more on their plate. Many technical folks further disconnect from the job, considering it their biggest stressor. Being overwhelmed in this manner often ends in attrition.</p>
<p>Without a focus on evening out workloads, communication, collaboration, and a healthy culture, burnout will grow and play out repeatedly.</p>
<p>Burnout isn’t the only cause of <a href="https://christianespinosa.com/blog/cybersecurity-retention-how-to-combat-turnover-and-keep-employees-engaged/" target="_blank" rel="noopener">poor retention</a>. It’s also the environment. If it’s toxic, more people will leave. They have options with so many jobs available. Other things that contribute to this are compensation that’s not competitive, lack of promotion opportunities, no management support, and inflexible work policies. Regarding financial incentives, only 31% of organizations said they pay a competitive wage.</p>
<p>In short, you can’t attract or keep good employees if you don’t address burnout and retention.</p>
<h3>Cyber Professionals Need More Acknowledgement and Connectedness</h3>
<p>Your current and future employees have a lot of knowledge and expertise. Failure to acknowledge this or ask for their contributions to a challenge creates low morale. It isolates people who are often introverts worried about saying the wrong thing. If they keep this close to the vest, you also can’t understand their motivations and what they need to succeed.</p>
<p>The Workforce Study found that lack of support from leadership contributed to a lower employee experience. Improving this is something within your control. When workers feel valued for their input and part of something bigger, they are more engaged and open to learning and growing. Creating such a culture ensures that you can attract and retain great workers.</p>
<h3>Younger Generations Have Apprehension About the Industry</h3>
<p>Cybersecurity has a branding problem, as younger generations have new expectations about work and for whom they work. Currently, only <a href="https://www.isaca.org/state-of-cybersecurity-2022" target="_blank" rel="noopener">12% of the cyber workforce is 34 or younger</a>. It’s one of the most consequential drivers for the cybersecurity workforce shortage.</p>
<p>Cybersecurity needs a rebrand to attract these people. It should include things like improving culture, eliminating gatekeeping and blustering, being more communicative, embracing diversity, valuing the employee voice, and helping them grow professionally and personally.</p>
<p>One of the best ways to do this is with the Secure Methodology™. It’s a seven-step guide to transforming technical folks into excellent communicators and collaborators. It can be a key way to address many of the challenges related to the workforce gap.</p>
<h2>Using the Secure Methodology to Improve the Cybersecurity Workforce Shortage</h2>
<p>Here’s a preview of each step of the Secure Methodology, which I defined and designed in my book, <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener"><em>The Smartest Person in the Room</em></a>. The title refers to how many cybersecurity professionals see themselves and how that can be a downfall.</p>
<h3>Awareness</h3>
<p>In this first step, people become aware of themselves and others. Through the exercises in the book, technical people can begin to understand their behavior and its effect on others. It can be a struggle for anyone, especially cyber professionals. Once they achieve <a href="https://christianespinosa.com/blog/the-secure-methodology-step-one-awareness/" target="_blank" rel="noopener">awareness</a>, they can let go of fears about uncertainty and their place in the organization, which can counter burnout and improve the employee experience.</p>
<h3>Mindset</h3>
<p>Individuals have a <a href="https://christianespinosa.com/blog/the-secure-methodology-step-two-mindset/" target="_blank" rel="noopener">growth or fixed mindset</a>. When it’s fixed, they do not change. They accept their perspective and won’t work to evolve it. It’s a problem that will hamper recruitment, retention, and job satisfaction. If your culture presents a place to grow and adapt through a broader mindset, you can attract and keep people on staff.</p>
<h3>Acknowledgment</h3>
<p>We talked about <a href="https://christianespinosa.com/blog/the-secure-methodology-step-three-acknowledgment/" target="_blank" rel="noopener">acknowledgment</a> earlier and how it feeds into the employee experience. By practicing acknowledgment, your team understands their importance and gets the feedback they crave. Involving your people in big decisions is another form of acknowledgment, and it can go a long way in positioning your company as a great place to work and thrive.</p>
<h3>Communication</h3>
<p>The fourth step is <a href="https://christianespinosa.com/blog/the-secure-methodology-step-four-communication/" target="_blank" rel="noopener">communication</a>, and it’s really the core of the Secure Methodology. We cannot fix the workforce shortage issue without clear, consistent, and meaningful communication. Communication starts in the recruitment phase with being transparent and open about cybersecurity. It also has to be a central part of everything you do with employees.</p>
<p>When it’s part of your culture, you’re building a collaborative and cooperative team. They’ll be able to engage better with each other and the business side. As a result, everyone can be on the same page and reduce the ambiguity that drives dissatisfaction and churn.</p>
<h3>Monotasking</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-five-monotasking/" target="_blank" rel="noopener">Monotasking</a> is essential to supporting the overworked, which cyber professionals tend to be. It’s even more so with so many companies short-staffed. It’s the principle of concentrating on one task without any disruptions. It gives them time to focus and use critical thinking and problem-solving skills. The result of this could include improving stress levels and people being more comfortable in asking for help.</p>
<h3>Empathy</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-six-empathy/" target="_blank" rel="noopener">Empathy</a> within your cybersecurity culture means the ability to understand another’s perspectives and feelings. Developing this skill in technical people can encourage them to feel less frustrated with their customers (users). With attention toward empathy, people can learn to let go of blame and resentment, which often festers and creates burnout and attrition.</p>
<h3>Kaizen</h3>
<p>The last step is Kaizen, which means “change for the better.” It’s the ultimate objective of the Secure Methodology. It’s all about continuous improvement. A culture that embraces this will attract excellent candidates and keep them. There is no “perfect” in Kaizen, even though perfection is what the smartest people in the room are attempting to achieve. There is only the motto of constant improvement.</p>
<p>You can learn more about each step and how to use it to transform your organization and solve the workforce shortage problem by <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener">reading my book</a>. <a href="https://programs.christianespinosa.com/the-secure-methodology" target="_blank" rel="noopener">Check out the Secure Methodology course</a>, too.</p>
<p>The post <a href="https://christianespinosa.com/blog/diagnosing-the-root-causes-of-the-cyber-workforce-shortage/">Diagnosing the Root Causes of the Cyber Workforce Shortage</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://christianespinosa.com/blog/diagnosing-the-root-causes-of-the-cyber-workforce-shortage/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Does Your Cyber Team Have a “Bad” Reputation? Why Their Lack of Soft Skills Causes Friction</title>
		<link>https://christianespinosa.com/blog/does-your-cyber-team-have-a-bad-reputation-why-their-lack-of-soft-skills-causes-friction/</link>
					<comments>https://christianespinosa.com/blog/does-your-cyber-team-have-a-bad-reputation-why-their-lack-of-soft-skills-causes-friction/#respond</comments>
		
		<dc:creator><![CDATA[Christian Espinosa]]></dc:creator>
		<pubDate>Mon, 15 May 2023 02:52:24 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Secure Methodology]]></category>
		<category><![CDATA[secure methodology]]></category>
		<category><![CDATA[soft skills]]></category>
		<guid isPermaLink="false">https://christianespinosa.com/?p=2821</guid>

					<description><![CDATA[<p>Everybody in cybersecurity has funny and unbelievable stories of users gone wrong. On the other side of the equation, users have their own stories that paint technical folks as rude and unhelpful. In either case, there’s a lot of stereotyping going on, but some of it is, well, true. What it amounts to is cyber [&#8230;]</p>
<p>The post <a href="https://christianespinosa.com/blog/does-your-cyber-team-have-a-bad-reputation-why-their-lack-of-soft-skills-causes-friction/">Does Your Cyber Team Have a “Bad” Reputation? Why Their Lack of Soft Skills Causes Friction</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="size-medium wp-image-2822 alignright" src="https://christianespinosa.com/wp-content/uploads/2023/05/experience-gdc3a1c0a0_1920-300x196.jpg" alt="cybersecurity user experience" width="300" height="196" srcset="https://christianespinosa.com/wp-content/uploads/2023/05/experience-gdc3a1c0a0_1920-300x196.jpg 300w, https://christianespinosa.com/wp-content/uploads/2023/05/experience-gdc3a1c0a0_1920-1024x668.jpg 1024w, https://christianespinosa.com/wp-content/uploads/2023/05/experience-gdc3a1c0a0_1920-768x501.jpg 768w, https://christianespinosa.com/wp-content/uploads/2023/05/experience-gdc3a1c0a0_1920-1536x1002.jpg 1536w, https://christianespinosa.com/wp-content/uploads/2023/05/experience-gdc3a1c0a0_1920-640x418.jpg 640w, https://christianespinosa.com/wp-content/uploads/2023/05/experience-gdc3a1c0a0_1920.jpg 1920w" sizes="(max-width: 300px) 100vw, 300px" />Everybody in cybersecurity has funny and unbelievable stories of users gone wrong. On the other side of the equation, users have their own stories that paint technical folks as rude and unhelpful. In either case, there’s a lot of stereotyping going on, but some of it is, well, true. What it amounts to is cyber teams having a “bad” reputation. Many consider technical folks to be arrogant, hostile, and condescending. If that’s the culture in your organization, it’s no wonder that people have little respect for them. In fact, they’ll do anything to avoid interaction with them, which often increases risk.</p>
<p>So, what can you do as a cybersecurity leader to broker peace between the two? While users certainly have some blame for the dynamic, much of it comes down to a lack of soft skills, causing friction and undermining relationships.</p>
<h2>Why Your Cyber Team Has a “Bad” Reputation</h2>
<p>One of the biggest reasons that cyber professionals earn their reputation is that many consider them a bottleneck. That’s because security must be a part of any major IT development or implementation. Often, the barrier they create isn’t their fault. Sometimes, cybersecurity isn’t in the initial plans, and then you get involved. To avoid such an impasse, your organizational culture regarding security has to, as well.</p>
<p>Security can’t be an afterthought. It needs to be a forethought, so you have to express this with the C-suite and leadership. When given a chance to have a seat at the table, your people must engage with the business side in a way that’s outside of their comfort zone. They have to be inclusive in their communication and explanation. Otherwise, they’ll posture and use jargon, making them seem like jerks and continuing the belief cycle that technical people are difficult.</p>
<p>A team’s reluctance to collaborate effectively is also a common problem. Cyber strategies and decisions don’t reside only with your team. You need input and support from others. As a result, cyber professionals must be cooperative when it comes time for new implementations and approaches to combat risk.</p>
<p>Key to this is their ability to define risk clearly with other stakeholders who aren’t experts. Your people are, and they have great technical knowledge. This intelligence often creates the desire to be the smartest person in the room. They may be, technically speaking. However, they have to be able to work with others to establish new strategies to protect the company.</p>
<p>While your people often don’t do themselves any favors in being likable, it’s not all their fault. Cybersecurity can be a scapegoat for missed implementation dates, backlogs, and failed digital transformation objectives. It’s easy for others to blame your team, believing them to be against innovation. They may hold some responsibility, but it goes back to cultural foundation issues about how the organization prioritizes and empowers a cyber team.</p>
<p>You have some control over how the company looks at cybersecurity, but you have even more so over your team. For the sun to set on the stereotype of cyber professionals being obstinate, your people must develop <a href="https://christianespinosa.com/blog/5-people-skills-every-successful-cybersecurity-professional-possesses/" target="_blank" rel="noopener">people skills</a>.</p>
<h2>Why Are Cyber Professionals “Bad” at Soft Skills?</h2>
<p>So, why exactly do technical people often have gaps in soft skills? Is it something innate and unfixable? Absolutely not, and it’s a symptom of something bigger. There are many bright, highly communicative, and adaptable people in the field. Some require a nudge toward the right direction to be vulnerable and ready for change.</p>
<p>If you look at the industry and consider where the struggles exist in people skills, you can come to these conclusions:</p>
<ul>
<li>They often think in black and white, while most everything lives in gray. When they lock into a mindset that there’s one right answer and many wrong ones, it impacts their perspective. So, they stick to the script even when factors change.</li>
<li>Technical folks often have insecurities and fears that they want to keep hidden. They believe not knowing everything is a weakness, but how could you possibly know everything? These feelings keep them from asking questions and engaging in dialogue with others.</li>
<li>Communication isn’t easy for them, especially if they can’t posture and use jargon. When they do, they alienate others quickly and live up to their reputation. <a href="https://christianespinosa.com/blog/why-communication-aptitude-is-the-number-one-soft-skill-cybersecurity-professionals-must-possess/" target="_blank" rel="noopener">Communication</a> is the single most important skill a cyber professional can possess.</li>
<li>Cyber professionals also may lack awareness of themselves and others. They don’t see how their tendency to be aloof and overly technical prevents trust and cooperation. They also have a hard time understanding the perspectives of the business side. Without this awareness, they’ll continue to be outsiders.</li>
</ul>
<p>Helping your team work through these flawed behaviors won’t be easy, but there is a way to do it with the Secure Methodology™. It’s a seven-step guide for cyber leaders to leverage to transform technical minds into ones with strong soft skills.</p>
<h2>How the Secure Methodology Can Improve the Reputation of Cybersecurity</h2>
<p>The Secure Methodology is a proven framework to cultivate technical folks into excellent communicators and collaborators. Next, we’ll review all seven steps with an introduction to how the lessons of each phase develop people skills.</p>
<h3>Step One: Awareness</h3>
<p>The first step is <a href="https://christianespinosa.com/blog/the-secure-methodology-step-one-awareness/" target="_blank" rel="noopener">Awareness</a>, which I mentioned earlier as a reason technical people can’t connect with others or themselves. When they lack Awareness, it creates a lot of blind spots, which impact communication and set the stage for more technical posturing.</p>
<p>Technical people have to be willing to open themselves up to new perspectives. You can foster this with coaching around communication and understanding their motivations. In this step, you’ll have access to exercises that move people outside of their comfort zone, opening their eyes to a wider world.</p>
<h3>Step Two: Mindset</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-two-mindset/" target="_blank" rel="noopener">Mindset</a> is next and builds on learnings from Awareness. Right now, many of your people likely have a fixed mindset, which keeps them from growing and evolving. Shifting to a growth mindset is what you want to accomplish. They have to open their minds to more possibilities beyond black-and-white thinking. This step features approaches to help people with reflection and accountability.</p>
<h3>Step Three: Acknowledgment</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-three-acknowledgment/" target="_blank" rel="noopener">Acknowledgment</a> is a critical aspect of any department or industry. When there’s little positive acknowledgment, employees can become disengaged and resentful. In cybersecurity, the most common acknowledgment is negative. So, it’s this cycle of being fearful of any error, causing some to do nothing.</p>
<p>Acknowledgment must start with you. Positive reinforcement is vital, and you should do it publicly. It tells people what they do matters, and ensuring they understand how their contributions help the company can be key to their desire to be better team players. This step has activities to develop this through rapport and trust.</p>
<h3>Step Four: Communication</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-four-communication/" target="_blank" rel="noopener">Communication</a> has its own step but is pivotal in every phase. Communication skills are necessary for any job, but cyber professionals have often gotten away with being bad at it. Technical folks need to learn how to communicate better within the team and with others who are technically adept.</p>
<p>Much of this comes down to the simplification of the message. They don’t need to give a monologue to express risks and threats. Coaching exercises in this step will promote creating an inclusive, shared language and active listening. Much of this involves reframing the interactions and reminding your people that others aren’t the enemy. Encourage them to stop hiding behind complex explanations and to strip communication down to informing others and asking questions.</p>
<h3>Step Five: Monotasking</h3>
<p>Aren’t technical professionals supposed to be great multitaskers? Unfortunately, many people believe this to be true, and multitasking has its place. However, <a href="https://christianespinosa.com/blog/the-secure-methodology-step-five-monotasking/" target="_blank" rel="noopener">monotasking</a> is a necessity for improving people skills. When someone multitasks, there’s often a feeling of pressure, which can cause more mistakes.</p>
<p>Encourage your people to have specific monotasking periods in their day where they focus all their energy on one task. They’ll find they’re more productive with this kind of schedule. Challenge your team to practice this and block out distractions.</p>
<h3>Step Six: Empathy</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-six-empathy/" target="_blank" rel="noopener">Empathy</a> is a crucial step to transforming your cyber team. When your employees can put themselves in the shoes of others, the us vs. them mentality can fade away, and that’s necessary to eliminate their “bad” reputation.</p>
<p>Empathy, however, is something to develop. It’s not a natural part of being human. It requires them to care about what they do, the organization, and their colleagues. All the steps leading to this one have set the stage for empathy. If your staff can excel here, they’ll be the collaborators everyone needs them to be.</p>
<h3>Step Seven: Kaizen</h3>
<p>The final step is kaizen, which is a Japanese term meaning “continuous improvement.” Within the Secure Methodology, it’s the action of analyzing root causes. You can then uncover the real problems and work toward overcoming them. This step doesn’t end, as it’s a continuous state of adapting and evolving.</p>
<h2>Rid Your Cyber Team of Their “Bad” Reputation</h2>
<p>Now is the time to drive change in your employees so they can contribute more effectively. When they do, it’s good for security and their long-term job satisfaction. <a href="https://programs.christianespinosa.com/the-secure-methodology" target="_blank" rel="noopener">Take the first step by checking out the Secure Methodology course</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://christianespinosa.com/blog/does-your-cyber-team-have-a-bad-reputation-why-their-lack-of-soft-skills-causes-friction/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Cybersecurity Workforce Retention: Keep Top Talent with the Secure Methodology</title>
		<link>https://christianespinosa.com/blog/cybersecurity-workforce-retention-keep-top-talent-with-the-secure-methodology/</link>
					<comments>https://christianespinosa.com/blog/cybersecurity-workforce-retention-keep-top-talent-with-the-secure-methodology/#respond</comments>
		
		<dc:creator><![CDATA[Christian Espinosa]]></dc:creator>
		<pubDate>Sat, 04 Feb 2023 17:20:06 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Secure Methodology]]></category>
		<category><![CDATA[culture]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[cybersecurity workforce]]></category>
		<category><![CDATA[secure methodology]]></category>
		<guid isPermaLink="false">https://christianespinosa.com/?p=2800</guid>

					<description><![CDATA[<p>Finding qualified and skilled talent has been a struggle in cybersecurity for years. According to data, that’s only getting harder. Exacerbating the cybersecurity workforce shortage is the fact that retaining employees is challenging. Cybersecurity workforce retention is as important as your recruitment strategies. So, how do you keep cyber professionals on the job? It’s not [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="size-medium wp-image-2801 alignright" src="https://christianespinosa.com/wp-content/uploads/2023/02/sigmund-Fa9b57hffnM-unsplash-300x200.jpg" alt="cybersecurity jobs" width="300" height="200" srcset="https://christianespinosa.com/wp-content/uploads/2023/02/sigmund-Fa9b57hffnM-unsplash-300x200.jpg 300w, https://christianespinosa.com/wp-content/uploads/2023/02/sigmund-Fa9b57hffnM-unsplash-1024x683.jpg 1024w, https://christianespinosa.com/wp-content/uploads/2023/02/sigmund-Fa9b57hffnM-unsplash-768x512.jpg 768w, https://christianespinosa.com/wp-content/uploads/2023/02/sigmund-Fa9b57hffnM-unsplash-1536x1024.jpg 1536w, https://christianespinosa.com/wp-content/uploads/2023/02/sigmund-Fa9b57hffnM-unsplash-2048x1365.jpg 2048w, https://christianespinosa.com/wp-content/uploads/2023/02/sigmund-Fa9b57hffnM-unsplash-640x427.jpg 640w" sizes="(max-width: 300px) 100vw, 300px" />Finding qualified and skilled talent has been a struggle in cybersecurity for years. According to data, that’s only getting harder. Exacerbating the cybersecurity workforce shortage is the fact that retaining employees is challenging. Cybersecurity workforce retention is as important as your recruitment strategies.</p>
<p>So, how do you keep cyber professionals on the job? It’s not an easy answer, as so many factors impact this. However, you can build a retention plan alongside your recruitment strategy. In this post, we’ll uncover why turnover occurs and how to create a culture and environment that will make them stay.</p>
<h2>The Cybersecurity Workforce Retention: State of the Industry</h2>
<p>A study from ISACA found that <a href="https://www.isaca.org/state-of-cybersecurity-2022" target="_blank" rel="noopener">60%</a> of cyber leaders said it was difficult to retain cybersecurity professionals, up 7% year-over-year. The survey outlined why it’s happening, with these being the top reasons:</p>
<ul>
<li>Recruited by other companies (59%)</li>
<li>Compensation and incentives (48%)</li>
<li>Few promotion and development opportunities (47%)</li>
<li>The high stress of the job (45%)</li>
<li>No management support (34%)</li>
</ul>
<p>Some of these challenges are easier to combat than others. Currently, there are more open cybersecurity jobs than people available to fill them. A study estimated that over <a href="https://www.isc2.org/-/media/ISC2/Research/2022-WorkForce-Study/ISC2-Cybersecurity-Workforce-Study.ashx" target="_blank" rel="noopener">3.4 million cyber jobs</a> are available, which will only increase. As a result, other companies will try to lure away your employees, even if they aren’t actively looking for another job. How they respond to this will depend on how they feel about working for you in terms of money, autonomy, support, and satisfaction.</p>
<p>Compensation is another tricky area. Competitors may be offering more money. While that’s a critical part of why people work, money may not be the top factor in retention. Regardless, depending on their experience, role, and market, you should pay your team a fair wage. With the cost of living increasing, you must keep up with this.</p>
<p>Next is development, which is something you can control. Continuing to train and upskill your team shows you’re investing in them and their future. You should also be clear with them about the opportunities to advance.</p>
<p>Stress is inevitable in almost any job. Cybersecurity is a dynamic industry with fire drills all the time. Focusing on ways to destress workers should be part of your culture. It could be rewarding your team with social or team-building activities. Having an open door for employees to share their experiences with you and their stress can also be helpful.</p>
<p>Finally, you have complete purview over management support. As a leader, you have to earn and keep the respect of your team. Being a great leader requires you to communicate honestly, listen intently, acknowledge their work, and support them in any way you can.</p>
<p>Addressing these common reasons for turnover is critical for your organization because its impact is considerable.</p>
<h2>The Impact of Turnover</h2>
<p>An inability to retain staff affects many aspects of operations. Being understaffed creates more risk because everyone’s stretched thin. It’s easy to miss key things when someone is overwhelmed. Turnover also limits your ability to be more strategic because you’re in a reactive mode rather than a proactive one. Productivity suffers as well.</p>
<p>Turnover also costs you money. The average cost of hire is <a href="https://www.shrm.org/resourcesandtools/hr-topics/talent-acquisition/pages/the-real-costs-of-recruitment.aspx" target="_blank" rel="noopener">$4,700</a> and could be even greater considering how in demand these roles are. It’s in your best interest to retain your technical folks, which isn’t easy. You may be looking at many methods to decrease turnover, including increasing wages and benefits, allowing for flexible work, asking for feedback from your team to propel improvement, and providing the right tools to do the job.</p>
<p>Those are all good things to have, but retention has much to do with engagement, satisfaction, feeling valued, and having respect for leadership. These things can mean more than money, which is why applying the Secure Methodology™ to cybersecurity workforce retention makes sense. It’s a seven-step guide that defines a roadmap to transform technical people into highly communicative and collaborative professionals.</p>
<p>Let’s see how each step can support retention.</p>
<h2>Applying the Secure Methodology to Cybersecurity Workforce Retention</h2>
<p>With every step of the Secure Methodology, there are lessons to learn that impact retention. Here’s how to use these in your organization.</p>
<h3>Step One: Awareness</h3>
<p>Tapping into <a href="https://christianespinosa.com/blog/the-secure-methodology-step-one-awareness/" target="_blank" rel="noopener">awareness</a> is an important attribute to have in life and work. We all have blind spots, but some are bigger than others. Without being aware of these, there are consequences. It negatively impacts relationships and erodes trust. Without being aware, your team doesn’t realize how their behavior affects others and the environment. Things can become toxic very fast. If those things are lacking, it’s easy to see why some would want to leave.</p>
<p>Awareness means being cognizant of your blind spots and working to address them. A more aware team will be more collaborative and communicative. Here are some ways that this can support retention:</p>
<h4>Coaching</h4>
<p>Coaching is vital to broadening awareness. If you can open the eyes of your team in a conducive way, they may have “aha” moments. Shifting their stance from being self-centered allows people to get a better perspective.</p>
<h4>Language</h4>
<p>Using specific, relatable language helps technical people better understand expectations and culture. When there’s no confusion about where everyone should focus, they will likely feel more empowered.</p>
<h4>Motivation</h4>
<p>Understanding motivations is critical to unlocking awareness. Tapping into what makes them tick helps strip away some of the technical posturing cyber professionals often do. Knowing their motivations allows you to personalize how you support and coach them.</p>
<h3>Step Two: Mindset</h3>
<p>There are two types of <a href="https://christianespinosa.com/blog/the-secure-methodology-step-two-mindset/" target="_blank" rel="noopener">mindsets</a> — fixed and open. Many technical folks have fixed mindsets with no desire to change, learn, or grow. However, it doesn’t mean they have to stay that way. Fixed mindsets are poisonous to retention. Even if one in the group is this way, it can taint it for others. When we’re fixed, we refuse to move.</p>
<p>A growth mindset is freeing and enables people to be flexible and adaptable, which is necessary for cybersecurity. Evolving a fixed mindset to a growth one is possible, but it requires commitment from you and the employee.</p>
<p>Some key results of a growth mindset include:</p>
<ul>
<li>The ability to reflect on situations and understand how to handle them differently.</li>
<li>Healthier and consistent communication.</li>
<li>A culture that welcomes growth personally and professionally.</li>
<li>Growth mindsets can be a significant reason employees stay with your organization.</li>
</ul>
<h3>Step Three: Acknowledgment</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-three-acknowledgment/" target="_blank" rel="noopener">Acknowledgment</a> is scarce in technical fields. Yet, it’s so crucial to retention. Your employees want appreciation for the work they do. It’s absent because most cyber leaders only respond to things when they go wrong. The small wins every day matter so much to your people, so you must become vigilant about feedback.</p>
<p>Your approach to acknowledgment should include:</p>
<ul>
<li>Being positive by looking at what went right first</li>
<li>Specificity in your feedback</li>
<li>Immediately offering feedback in the moment</li>
<li>Praise in public and relay ways to improve in private</li>
<li>Consistency in how you address acknowledgment</li>
</ul>
<p>Lack of appreciation and lack of feeling valued are two primary reasons why people leave their jobs. If your people don’t receive acknowledgment, they’ll actively seek another job.</p>
<h3>Step Four: Communication</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-four-communication/" target="_blank" rel="noopener">Communication</a> is part of every step in the Secure Methodology, along with having its own step. It is, without a doubt, the most critical part of a thriving culture and of supporting retention. You probably know there are communication issues among your technical folks. It doesn’t mean they aren’t articulate. Rather, their communication styles are often too aggressive, overly complicated with geek speak, and always on the defensive. They also suck at listening, the other component of communication.</p>
<p>This storm of dysfunction will have people, often your best, running away from your organization. Thus, it’s critical to make communication the foundation of your culture and retention strategy. Here’s how to use it:</p>
<ul>
<li>Be honest and transparent as a leader.</li>
<li>Move away from overly technical language and simplify the message.</li>
<li>Encourage open discussion and dialogue that’s respectful.</li>
<li>Praise your people when they make adjustments in communication.</li>
<li>Practice active listening in exercises, so they grasp how crucial it is.</li>
</ul>
<p>If you can lay out these tenets, your people will likely see the value and follow you. If some still don’t realize it, they may be dragging others down. In some cases, you may have to let those folks go, so they don’t make it unbearable for everyone else.</p>
<h3>Step Five: Monotasking</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-five-monotasking/" target="_blank" rel="noopener">Monotasking</a> is focusing on one thing, the opposite of multitasking. Many describe multitasking as an excellent quality, but it can actually hamper productivity. Forcing multitasking can make your people feel pulled in many directions. Those feelings create animosity and dissatisfaction. So, remove this pressure and instead recommend blocking time for specific tasks, meetings without distractions, and saying “no” to some things that aren’t urgent.</p>
<h3>Step Six: Empathy</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-six-empathy/" target="_blank" rel="noopener">Empathy</a> is a valuable quality to have. In terms of cybersecurity, cognitive empathy is essential for a healthy environment. It means that people can understand the feelings and perspectives of others. Without it, you have no team or human connection, and you need those to retain your people. All the things you put in place to get to this step support the building of empathy. Developing this in your team enables a trust factor and creates more satisfaction.</p>
<h3>Step Seven: Kaizen</h3>
<p>The final step is kaizen, which is a Japanese term. When translated into English, it means “continuous improvement.” So, this step isn’t an end to the journey; it’s how to sustain it. If your team believes in this process, they’ll want to continue identifying ways to improve and follow through with them. When kaizen is part of your <a href="https://christianespinosa.com/blog/the-cyber-threat-no-one-talks-about-the-absence-of-a-cybersecurity-culture/" target="_blank" rel="noopener">cybersecurity culture</a>, your technical folks will evolve and realize that this is where they can continue learning and growing.</p>
<p>Retaining your workforce won’t be easy. With the Secure Methodology, you have a framework. You can go more in-depth by reading my book, <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener"><em>The Smartest Person in the Room</em></a>, and viewing the <a href="https://christianespinosa.com/programs/secure-methodology/" target="_blank" rel="noopener">Secure Methodology course</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://christianespinosa.com/blog/cybersecurity-workforce-retention-keep-top-talent-with-the-secure-methodology/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The Secure Methodology™ Step Six: Empathy</title>
		<link>https://christianespinosa.com/blog/the-secure-methodology-step-six-empathy/</link>
					<comments>https://christianespinosa.com/blog/the-secure-methodology-step-six-empathy/#respond</comments>
		
		<dc:creator><![CDATA[Christian Espinosa]]></dc:creator>
		<pubDate>Wed, 07 Dec 2022 00:14:53 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Secure Methodology]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[empathy]]></category>
		<category><![CDATA[secure methodology]]></category>
		<guid isPermaLink="false">https://christianespinosa.com/?p=2781</guid>

					<description><![CDATA[<p>Empathy in the professional world isn’t a new concept, but its adoption is lagging. Look no further than the Great Resignation as proof that how companies treat people must change. Many people have readjusted their beliefs about work and life in the past few years, so empathy’s importance is greater than ever and has a pivotal role [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[<div class="gac-project-details main-container">
<div class="gac-project-wrapper gac-content-page gac-touch-device">
<div class="gac-project-content">
<div class="gac-project-content-wrap">
<div>
<div class="gac-project-data-wrap">
<div id="gac-project-data" class="gac-project-data">
<p><img loading="lazy" decoding="async" class="size-medium wp-image-2782 alignright" src="https://christianespinosa.com/wp-content/uploads/2022/12/head-4041585_1920-300x197.png" alt="Empathy - Christian Espinosa" width="300" height="197" srcset="https://christianespinosa.com/wp-content/uploads/2022/12/head-4041585_1920-300x197.png 300w, https://christianespinosa.com/wp-content/uploads/2022/12/head-4041585_1920-1024x674.png 1024w, https://christianespinosa.com/wp-content/uploads/2022/12/head-4041585_1920-768x505.png 768w, https://christianespinosa.com/wp-content/uploads/2022/12/head-4041585_1920-1536x1010.png 1536w, https://christianespinosa.com/wp-content/uploads/2022/12/head-4041585_1920-640x421.png 640w, https://christianespinosa.com/wp-content/uploads/2022/12/head-4041585_1920.png 1920w" sizes="(max-width: 300px) 100vw, 300px" />Empathy in the professional world isn’t a new concept, but its adoption is lagging. Look no further than the <a href="https://www.npr.org/2021/06/24/1007914455/as-the-pandemic-recedes-millions-of-workers-are-saying-i-quit" target="_blank" rel="noopener">Great Resignation</a> as proof that how companies treat people must change. Many people have readjusted their beliefs about work and life in the past few years, so empathy’s importance is greater than ever and has a pivotal role to play in cybersecurity.</p>
<p>Empathy is a key component in winning the cybersecurity war. As such, it’s the sixth step in the Secure Methodology, which is a guide of seven steps that helps cyber leaders transform their employees into high-functioning communicators and collaborators. It builds on the five preceding steps: <a href="https://christianespinosa.com/blog/the-secure-methodology-step-one-awareness/" target="_blank" rel="noopener">awareness</a>, <a href="https://christianespinosa.com/blog/the-secure-methodology-step-two-mindset/" target="_blank" rel="noopener">mindset</a>, <a href="https://christianespinosa.com/blog/the-secure-methodology-step-three-acknowledgment/" target="_blank" rel="noopener">acknowledgment</a>, <a href="https://christianespinosa.com/blog/the-secure-methodology-step-four-communication/" target="_blank" rel="noopener">communication</a>, and <a href="https://christianespinosa.com/blog/the-secure-methodology-step-five-monotasking/" target="_blank" rel="noopener">monotasking</a>.</p>
<p>Let’s dive into empathy and why it’s a critical aspect of cybersecurity.</p>
<h2>Empathy Is Hard to Find These Days</h2>
<p>While empathy is critically absent in many technical folks, the rest of the world isn’t demonstrating it much, either. It doesn’t mean that people are naturally unkind; instead, their concept of doing things to support others and the greater good gets canceled by their focus on differences.</p>
<p>It’s easy to ground a worldview in differences and an us-versus-them mentality. If we don’t feel personally impacted by something, we’re glad to look the other way. If “others” are different, then many of us can feel it’s none of our concern.</p>
<p>Except, at the end of the day, we have so much more in common. First, we’re all humans and face many of the same challenges. There’s a microcosm of this happening in your cyber team, especially in their beliefs about others. They typically see nontechnical roles as “others” who could never understand what they do, which creates a wall for communication and collaboration.</p>
<p>Everyone will always have specific roles, but when they become the foundation of how you react to others, it’s not serving anyone. For example, saying, “Oh, he’s a salesperson and can’t understand security risk,” means someone’s already discounting them and looking at them like a caricature.</p>
<p>This initial premise creates an empathy void, which has consequences for cybersecurity.</p>
<h2>The Impact of the Absence of Empathy on Cybersecurity</h2>
<p>So, how does a lack of empathy affect cybersecurity? It can cause a lot of problems, which can have a devastating impact on risk.</p>
<h3>Technical Folks Can Be Intellectual Bullies</h3>
<p>Bullying in the workplace is just as common as in the schoolyard. When people cannot see the perspective of others, they tend to act condescending and be defensive in every conversation. They use their intellect to belittle others, which fosters distrust and resentment. Unfortunately, bullying is often part of cybersecurity culture and goes unchecked.</p>
<h3>Ego Cripples Empathy</h3>
<p>These bullies often only have concerns for themselves. They have a narrow view that doesn’t include the needs of others. It’s especially detrimental when managers have egos that stunt the growth of others. It’s toxic and hampers the capabilities of a team.</p>
<h3>Without Empathy, You Can’t Have a Team</h3>
<p>The basic principle of a team is a group of people working together to accomplish a goal or solve a problem. Empathy is a prerequisite for this. When it’s missing, you can’t have a team.</p>
<p>On the one hand, we all have some type of belief about our inabilities. You would think this would encourage us all to be more empathetic. The challenge for many technical people is that they want to cover up insecurities and reject empathy for themselves and others. As a result, the foundational trust of being teammates isn’t there.</p>
<h3>Empathy Emptiness Is More Than an Internal Problem</h3>
<p>A cyber team that doesn’t prioritize empathy also hurts the relationships it has with others, whether they are an internal or external client. Technical people are responsible for security, but not in a vacuum. They must work with others to understand the objectives and concerns of these parties. When they don’t, they create a greater divide and overcomplicate situations, which causes further ostracization.</p>
<p>The stakeholders want to be involved and understand threats and risks. Just because they aren’t technical people doesn’t mean they can’t understand these things. However, if cyber professionals keep them in the dark, it only helps cyber criminals.</p>
<h3>The Real Empathy Struggle for Technical People Is a Human Connection Problem</h3>
<p>In my career and experiences, I’ve learned that human connection is the root of the empathy struggle for technical folks. Obviously, connection is essential to empathy in any capacity. If we’re all lone wolves and only focus on ourselves, there’s no connection.</p>
<p>Striving to build a human connection is an asset anyone can appreciate. It improves communication, collaboration, and perspective. Those things make people better at their job and happier in life in general.</p>
<p>So, how do you break people out of their one-track minds and cultivate a cybersecurity culture built on empathy?</p>
<h2>How to Develop Empathy in Your Cyber Staff</h2>
<p>You may think that developing empathy in technical professionals is beyond impossible. You’re already ready to skip to the next step and leave this one out because empathy is too emotional. Fair enough, but I wouldn’t have included it in the Secure Methodology without a plan. It’s an entire chapter in my book, <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener"><em>The Smartest Person in the Room</em></a>, and these are some excerpts that can help you find success.</p>
<h3>The Framework Starts With Cognitive Empathy</h3>
<p>There is more than one kind of empathy, and the focus here is <a href="https://christianespinosa.com/blog/cognitive-vs-affective-empathy-leadership/" target="_blank" rel="noopener">cognitive empathy</a>, which is the ability to understand someone else’s feelings and perspective. It’s somewhat different from its emotional counterpart, affective empathy, but it still has the same roots.</p>
<p>Additionally, you must frame your approach to differentiate between <a href="https://christianespinosa.com/blog/empathy-vs-sympathy/" target="_blank" rel="noopener">empathy and sympathy</a>. They are quite different. Empathy describes the choice to connect with someone and accept their perspective. Sympathy doesn’t require the perspective aspect. Rather, it’s merely the ability to feel sorrow for how someone else feels.</p>
<p>People can be sympathetic but not empathetic. It’s a good trait to have, but empathy is what can drive organizational change and success.</p>
<h3>Understanding Motivation</h3>
<p>Motivation is a recurring theme in the Secure Methodology and applies to empathy. Grasping what motivates an employee is a key to helping them become more empathetic. Their motivation ties to the role they play in cybersecurity and supports a perception of a team working together. If they get this, they’ll want to grow their empathy.</p>
<h3>Acknowledging Accomplishments</h3>
<p>When you recognize the hard work of your staff, you create positive connections with them. In turn, it becomes a way to foster empathy. In addition to acknowledging achievements, you should also highlight similarities, struggles, and perspectives. This can create further connections between teammates and enrich trust.</p>
<h3>Adapting Communication</h3>
<p>It starts with you and your communication if you want your people to exemplify cognitive empathy. You have to be an example through how you communicate, which means admitting uncertainty and not always having an answer. They may be more likely to do the same if you can do this. Adapting your communication is critical and includes:</p>
<ul>
<li>Avoid the word “why” because it triggers defensive responses.</li>
<li>Try making statements to uncover information, such as “Tell me what your plan is for this.”</li>
<li>Include the perspectives of others in how you communicate to demonstrate that the topic impacts many people.</li>
<li>Encourage people to explain those impacts on others when working through a cybersecurity challenge.</li>
<li>Continue to impress upon your team that listening is just as vital in communication as speaking.</li>
</ul>
<h3>Putting the Target Back on the Actual Enemy</h3>
<p>It may seem apparent, but the enemy in the cybersecurity war is the hackers. Yet, the “otherism” I defined earlier pits cyber professionals against colleagues. Those people who are stuck in the mindset of us versus them forget who the actual bad guys are. In fact, they’re helping the bad guys by functioning without empathy.</p>
<p>Staff too busy trying to stay in control of every cyber discussion and decision refuse to let the needs and perspectives of others have a place. As a result, cybercriminals win because team cohesion is absent. This is the most dangerous environment to operate in and will likely end in a breach or incident.</p>
<p>In working toward greater empathy, you must be clear about who the adversary is and that it’s nobody in the room. Connection within your team and with clients is critical to being proactive and prepared for cyberattacks. You can outmaneuver the hackers if you consistently focus on this and encourage empathetic capabilities.</p>
<h2>Trust in Empathy to Revolutionize Your Cyber Culture</h2>
<p>All the work from the previous Secure Methodology steps will put you in a position to develop empathy with your technical people. Having this new approach should also help you make better hiring decisions in the future. The bottom line is that empathy isn’t an innate human quality. We have to learn it, and you’re in a position to help people do this. That’s good for them personally and professionally. Get more tips on empathy and exercises by reading <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener"><em>The Smartest Person in the Room</em></a>.</p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p>The post <a href="https://christianespinosa.com/blog/the-secure-methodology-step-six-empathy/">The Secure Methodology™ Step Six: Empathy</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://christianespinosa.com/blog/the-secure-methodology-step-six-empathy/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Why Organizations Should Pivot to DevSecOps</title>
		<link>https://christianespinosa.com/blog/why-organizations-should-pivot-to-devsecops/</link>
					<comments>https://christianespinosa.com/blog/why-organizations-should-pivot-to-devsecops/#respond</comments>
		
		<dc:creator><![CDATA[Christian Espinosa]]></dc:creator>
		<pubDate>Sun, 04 Dec 2022 16:46:48 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Secure Methodology]]></category>
		<category><![CDATA[devsecops]]></category>
		<category><![CDATA[kaizen]]></category>
		<category><![CDATA[secure methodology]]></category>
		<guid isPermaLink="false">https://christianespinosa.com/?p=2779</guid>

					<description><![CDATA[<p>The first iteration of making development and operations a tandem was DevOps. The strategy married the two in a practical and tactical mode and cultural philosophy. The objective was to automate and integrate software development and IT. However, it left out a fundamental principle — security. That was rectified with the origination of DevSecOps — [&#8230;]</p>
<p>The post <a href="https://christianespinosa.com/blog/why-organizations-should-pivot-to-devsecops/">Why Organizations Should Pivot to DevSecOps</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="size-medium wp-image-2780 alignright" src="https://christianespinosa.com/wp-content/uploads/2022/12/roonz-nl-2xEQDxB0ss4-unsplash-300x168.jpg" alt="DevSecOps" width="300" height="168" srcset="https://christianespinosa.com/wp-content/uploads/2022/12/roonz-nl-2xEQDxB0ss4-unsplash-300x168.jpg 300w, https://christianespinosa.com/wp-content/uploads/2022/12/roonz-nl-2xEQDxB0ss4-unsplash-1024x575.jpg 1024w, https://christianespinosa.com/wp-content/uploads/2022/12/roonz-nl-2xEQDxB0ss4-unsplash-768x431.jpg 768w, https://christianespinosa.com/wp-content/uploads/2022/12/roonz-nl-2xEQDxB0ss4-unsplash-1536x863.jpg 1536w, https://christianespinosa.com/wp-content/uploads/2022/12/roonz-nl-2xEQDxB0ss4-unsplash-2048x1150.jpg 2048w, https://christianespinosa.com/wp-content/uploads/2022/12/roonz-nl-2xEQDxB0ss4-unsplash-800x450.jpg 800w, https://christianespinosa.com/wp-content/uploads/2022/12/roonz-nl-2xEQDxB0ss4-unsplash-640x359.jpg 640w" sizes="(max-width: 300px) 100vw, 300px" />The first iteration of making development and operations a tandem was DevOps. The strategy married the two in a practical and tactical mode and cultural philosophy. The objective was to automate and integrate software development and IT. However, it left out a fundamental principle — security. That was rectified with the origination of DevSecOps — the trifecta of development, security, and operations.</p>
<p>Security was previously an isolated segment of the process, coming at the end. Except that wasn’t very effective. Leaving security as an afterthought meant delays in new iterations and lots of rework, which was expensive. There was a realization that security shouldn’t be the red-headed stepchild but deserved a full seat at the table. Collaboration among all three can lead to many benefits, so why hasn’t every organization pivoted? And why should they now?</p>
<h2>Secure by Design</h2>
<p>The underlying foundation of DevSecOps is to be secure by design. Security is a consideration at the conception of the project, not an afterthought. Even in rapid deployment, which is part of today’s digital transformation schematic, security must be part of the concept.</p>
<p>DevSecOps is important to cybersecurity because of the notion that everything developed and operated has consistency in security and is scalable. The biggest clash in DevSecOps may be between your security experts and those who see security as a hindrance. This hurdle can seem insurmountable, and as a cyber leader, you may have to put yourself in a position to evangelize that security doesn’t have to impact agility.</p>
<h2>Creating a Balance: Security and Agility</h2>
<p>Business leaders in your organization demand velocity in development and operations. The reasons are apparent — greater efficiency, reduced costs, and more revenue opportunities. Those priorities may not be yours. You can understand the need for faster development to support these business objectives. Still, you’re also keenly aware that your company won’t meet its goals without security in applications and operations.</p>
<p>The question then becomes, how do you balance security and agility? From your perspective, you know that security and agility aren’t mutually exclusive. Security doesn’t halt agility and can support it. The misconception that security is a barrier to innovation isn’t new, yet it persists. It may even be present in your cyber team. As a result, you must make a case for security, knowing that your security mindset narrowly focuses on risk in a way that development and operations cannot.</p>
<p>Now, you’re at a crossroads of convincing technical and business stakeholders that all three can work harmoniously. There are plenty of guides to building DevSecOps, and I’m not going to rehash those. Rather, I want to show you how the <a href="https://christianespinosa.com/blog/the-secure-methodology-and-cybersecurity-leadership/" target="_blank" rel="noopener">Secure Methodology</a>™ and DevSecOps have much in common.</p>
<h2>Applying Secure Methodology Lessons to DevSecOps</h2>
<p>As a refresher, the Secure Methodology is a seven-step framework that helps cybersecurity leaders transform their staff into effective communicators and collaborators. It’s a pathway for technically adept folks who lack the foundational skills to be curious, be innovative, and welcome growth. In a way, the Secure Methodology has many things in common with DevOps and DevSecOps cultures. In all three concepts, there are synergies, including:</p>
<ul>
<li>Collaboration and shared responsibility</li>
<li>Accountability in every aspect of the cyber landscape</li>
<li>Standardization around cybersecurity practices</li>
<li>Aligning security with business objectives</li>
<li>Increased transparency and communication</li>
<li>Continuous learning and improvement</li>
<li>High empathy and trust</li>
</ul>
<p>These are all cornerstones of the Secure Methodology and DevSecOps. Next, we’ll go through the seven steps and how they can help you pivot your organization to a DevSecOps framework and culture.</p>
<h3>Step One: Awareness</h3>
<p>Awareness is the first step because you can’t move any further without it. It’s about being aware of yourself and the behaviors you can control. Additionally, there is the awareness of others. To be a successful professional and person, you have to have both.</p>
<p>When awareness is missing, it causes issues, including inadequate communication, resentment, animosity, competition, and many other things that detract from security.</p>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-one-awareness/" target="_blank" rel="noopener">Awareness</a> is a key component of DevSecOps from the position that all three parties must be aware of one another in such a framework. Development cannot move to operations without security, for example.</p>
<p>Using the tools of the Awareness step could help bridge the gaps between these groups and break them from their silos. The critical areas of focus should be:</p>
<ul>
<li>Perspective beyond a person’s limited view</li>
<li>Respectful and transparent communication</li>
</ul>
<p>Both things feed into the next step, Mindset.</p>
<h3>Step Two: Mindset</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-two-mindset/" target="_blank" rel="noopener">Mindset</a> impacts everything we do. When it’s one of growth, we see opportunities, encourage feedback, and embrace uncertainty. When it’s fixed, we do the opposite. A growth mindset is the goal. Without it, you’ll never achieve security by design because there’s no ownership and accountability.</p>
<p>The problem with technical (and nontechnical) people is that they run from the truth and feel comfortable only with what they know. That’s risky behavior in the realm of cybersecurity. Moving mindsets is really hard. Not all will be able to hack it, but if it becomes part of your cyberculture, it’s ideal for a shift to DevSecOps, which is all about transparency and honesty.</p>
<p>There are some exercises to help with transformation as part of the Secure Methodology that can help with this. Another thing to note is that you have to talk about mindset in general when you have development, operations, and security staff together. You are outlining how each person needs to adapt their mindset for everyone to find success.</p>
<h3>Step Three: Acknowledgment</h3>
<p>Next is <a href="https://christianespinosa.com/blog/the-secure-methodology-step-three-acknowledgment/" target="_blank" rel="noopener">Acknowledgment</a>, and it’s a big challenge for cybersecurity teams. A general lack of appreciation from supervisors toward employees exists in every organization worldwide. The nature of cybersecurity is to focus on what went wrong because something always will. I’m asking you to refocus on all the things that go right every day.</p>
<p>Acknowledgment is all about feedback, which is critical in DevSecOps too. Not all feedback will be positive, but when it’s not, it should be constructive so that people learn from what occurred instead of being humiliated. Such actions lead to resentment, disengagement, and turnover, and that’s not good for any company or its security posture.</p>
<p>The act of acknowledging others makes people better at what they do. It builds their confidence and helps them grow their skills and be better collaborators and communicators, and every DevSecOps culture needs that to thrive.</p>
<h3>Step Four: Communication</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-four-communication/" target="_blank" rel="noopener">Communication</a> is the most important step. It will make or break any team or company. Without consistent and transparent communication, you’ll never achieve DevSecOps, even if everyone’s on board. It simply doesn’t work.</p>
<p>Communication is about more than words. It’s how they are said and the nonverbal elements as well. The biggest communication barrier is often geek speak. Security, development, and operations may all have their own versions of this. They believe it makes them superior. In reality, it causes confusion, frustration, and distrust, which aren’t the kind of emotions you want in any room.</p>
<p>You and your entire organization must make improving communication a priority. You have to create an environment that appreciates clear and positive communication. I recommend looking at the exercises in my book for more details on this so that communication becomes an asset, not a weakness.</p>
<h3>Step Five: Monotasking</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-five-monotasking/" target="_blank" rel="noopener">Monotasking</a> means concentrating on one task at a time, which is crucial in cybersecurity. The problem is that society, in general, discounts it as not being flexible or able to juggle multiple things. We’ve been conditioned to believe we should be multitasking. So, you have the challenging job of rewiring brains to understand that multitasking causes risk!</p>
<p>Well, it may not solely be on your shoulders because DevSecOps and its proponents will agree. While it’s the convergence of three areas, DevSecOps appreciates workflows and processes that build on each other. You don’t move to the next one until you finish the first one. If you can retrain your team to focus deeply on specific tasks without distractions, velocity and productivity will actually soar.</p>
<h3>Step Six: Empathy</h3>
<p>You may be wondering what empathy has to do with cybersecurity and DevSecOps. Except we’ve been building up to this with discussion around awareness, acknowledgment, and communication.</p>
<p>Empathy makes us human in many ways, but it’s become something lacking in the world and at work. At the end of the day, we’re all human, and if we can appreciate the perspective of others, we can be better problem-solvers and collaborators. It easily applies to DevSecOps because three independent groups have to empathize with the others and understand their position for it to work.</p>
<p>If you can build empathy in these teams, you can move to the final step, Kaizen.</p>
<h3>Step Seven: Kaizen</h3>
<p><em>Kaizen</em> is a Japanese term meaning “continuous improvement.” As people and professionals, we always want to be improving. We want the same for our development, operations, and security. It’s all about progress, no matter how small, as long as it’s constant.</p>
<p>It’s the ideal ending of the process, but not one that ever ends. It’s the same for DevSecOps. It’s a circle, not a line, after all.</p>
<p>You can learn more about the Secure Methodology and how it aligns with DevSecOps by reading my book, <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener"><em>The Smartest Person in the Room</em></a>. <a href="https://christianespinosa.com/programs/secure-methodology/" target="_blank" rel="noopener">Check out my Secure Methodology course</a> too.</p>
<p>The post <a href="https://christianespinosa.com/blog/why-organizations-should-pivot-to-devsecops/">Why Organizations Should Pivot to DevSecOps</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://christianespinosa.com/blog/why-organizations-should-pivot-to-devsecops/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>How to Create a Culture of Innovation in Cybersecurity</title>
		<link>https://christianespinosa.com/blog/how-to-create-a-culture-of-innovation-in-cybersecurity/</link>
					<comments>https://christianespinosa.com/blog/how-to-create-a-culture-of-innovation-in-cybersecurity/#respond</comments>
		
		<dc:creator><![CDATA[Christian Espinosa]]></dc:creator>
		<pubDate>Sun, 04 Dec 2022 16:29:01 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Secure Methodology]]></category>
		<category><![CDATA[ciso]]></category>
		<category><![CDATA[culture]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[innovation]]></category>
		<category><![CDATA[secure methodology]]></category>
		<category><![CDATA[tspitr]]></category>
		<guid isPermaLink="false">https://christianespinosa.com/?p=2777</guid>

					<description><![CDATA[<p>Creating a cybersecurity culture isn’t a novel idea. It’s one that’s been around for some time, as the field and organizations realized that cybersecurity isn&#8217;t just about tools, protocols, and technical aptitude. Culture is much more about the people and, as a result, makes it much harder to build and sustain. People are unpredictable and don’t [&#8230;]</p>
<p>The post <a href="https://christianespinosa.com/blog/how-to-create-a-culture-of-innovation-in-cybersecurity/">How to Create a Culture of Innovation in Cybersecurity</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="size-medium wp-image-2778 alignright" src="https://christianespinosa.com/wp-content/uploads/2022/12/jason-goodman-Oalh2MojUuk-unsplash-300x200.jpg" alt="Cybersecurity Culture" width="300" height="200" srcset="https://christianespinosa.com/wp-content/uploads/2022/12/jason-goodman-Oalh2MojUuk-unsplash-300x200.jpg 300w, https://christianespinosa.com/wp-content/uploads/2022/12/jason-goodman-Oalh2MojUuk-unsplash-1024x683.jpg 1024w, https://christianespinosa.com/wp-content/uploads/2022/12/jason-goodman-Oalh2MojUuk-unsplash-768x512.jpg 768w, https://christianespinosa.com/wp-content/uploads/2022/12/jason-goodman-Oalh2MojUuk-unsplash-1536x1024.jpg 1536w, https://christianespinosa.com/wp-content/uploads/2022/12/jason-goodman-Oalh2MojUuk-unsplash-2048x1365.jpg 2048w, https://christianespinosa.com/wp-content/uploads/2022/12/jason-goodman-Oalh2MojUuk-unsplash-640x427.jpg 640w" sizes="(max-width: 300px) 100vw, 300px" />Creating a cybersecurity culture isn’t a novel idea. It’s one that’s been around for some time, as the field and organizations realized that cybersecurity isn&#8217;t just about tools, protocols, and technical aptitude. Culture is much more about the people and, as a result, makes it much harder to build and sustain. People are unpredictable and don’t always have the skillsets to participate in culture. There’s an additional component of cultural manifestation, and it revolves around innovation. So, how do you develop a cybersecurity culture of innovation?</p>
<p>If it’s not a question you’re asking yourself as a cybersecurity leader, I would suggest you should. Innovation is the enemy of complacency. However, it requires cyber teams to look beyond their technical aptitude and leverage soft skills, which they may not have. It can seem like an uphill battle, but it&#8217;s worth considering the benefits it can bring your staff and business. Those advantages include satisfied employees, mitigation of risk, and the ability to meet continuous improvement goals.</p>
<p>So, let’s talk about fostering innovation in your cybersecurity culture.</p>
<h2>What Is a Cybersecurity Culture of Innovation?</h2>
<p>At the foundation of culture are people and behaviors. If those whose job is to protect data and networks have a closed mindset, fail to evolve their conceptions, or believe they are the smartest people in the room, culture will always be toxic. In these cases, risks become greater, turnover is high, and communication is nonexistent.</p>
<p>Conversely, a healthy culture has open-minded participants that want to work together effectively and continuously learn. That is an environment where innovation can thrive. It’s a place that welcomes new ideas, which can lead to a better security posture, engaged employees, and greater productivity. In this scenario, everyone benefits.</p>
<p>As you assess your current culture, you probably have gaps, some more than others. Filling those gaps aligns really well with the <a href="https://christianespinosa.com/blog/the-secure-methodology-and-cybersecurity-leadership/" target="_blank" rel="noopener">Secure Methodology</a>™, so I’ll be referring to that as I describe the steps to take. The Secure Methodology is a seven-step guide for cybersecurity leaders to leverage to develop the people skills of technical folks. These steps don’t focus on cyber skills but rather interpersonal ones, which is the core of culture.</p>
<h2>Building a Culture of Innovation</h2>
<p>No matter where you’re starting in the culture journey, these pivotal elements will be necessary to propel your organization into one that’s agile, forward-thinking, and connected. Here are the areas to help you formulate a plan.</p>
<h3>Cybersecurity Culture Involves Three Different Levels</h3>
<p>When considering any culture configuration, there are always three levels to consider, from the top to the individual. While they have different roles in the organization and responsibilities around cybersecurity, they must work together to maintain a culture.</p>
<h4>Leadership</h4>
<p>This segment is the C-suite, including the CEO and <a href="https://christianespinosa.com/blog/a-ciso-isnt-a-technical-role/" target="_blank" rel="noopener">CISO</a>. They must lead by example if they want the culture to permeate. They are top-level decision-makers, but those decisions don’t happen in a vacuum. They need to understand risk and how cyber operations work, which requires clear, consistent communication from cyber teams and individuals. Unfortunately, communication is often the skill most lacking in technical employees. If those who set the strategy and budgets are only fed geek speak, culture leadership is working with a handicap.</p>
<p>Communication, of course, goes both ways. When leaders set a precedent on how they expect communication to flow, it can break down some barriers. In the end, the C-suite needs communication development, as well. It’s especially true regarding what questions they ask, which should be more granular than they might currently be.</p>
<h4>Team</h4>
<p>Your cyber team comprises people with various skill sets, experience, and expertise. If they can build a coalition that taps into this, they’ll be at a good place regarding culture. However, we’re talking about behavior, communication, and cooperation. Those things are usually the Achilles’ heel of any cyber team.</p>
<p>The team dynamic, and evolving it, is a big part of the Secure Methodology. Its guidance takes into account the typical lack of people skills and how that impacts cybersecurity culture. Too often, your team operates in silos and wants to continue in this way. Many times, it’s about a fear that others will find out they don’t know everything. Except that’s precisely the kind of mindset you need to innovate!</p>
<p>When working on culture at this level, the Secure Methodology is an excellent framework that you can use to cultivate communication skills, awareness, empathy, and more.</p>
<h4>Individuals</h4>
<p>The last layer of culture is the individual. What applies here is similar to the team level with caveats. The biggest of those is motivation, as each person has their own. At this level, as the leader, you must make specific connections to understand that individual’s capacity to change and grow. It’s the most challenging part of cultural shifts, and not every person on your team will be ready for this.</p>
<p>The Secure Methodology includes exercises throughout the seven steps to assist with this. How each person reacts to these will determine their long-term cultural fit.</p>
<p>Now that we’ve looked at each level of culture, here are some more tips you can use to further the pursuit of innovation.</p>
<h3>Find Cultural Evangelists</h3>
<p>Within your cyber staff, you’ll find those that are all-in on cementing culture as innovative. These people already have a good base of people skills and will prosper in this new dynamic. Assign those employees to be cultural evangelists. They can work together to develop training and upskilling opportunities. Since it’s coming from their peers, others may find this more inviting and appealing.</p>
<h3>Define the Language of Innovation</h3>
<p>Earlier I discussed the issues in <a href="https://christianespinosa.com/blog/the-secure-methodology-step-four-communication/" target="_blank" rel="noopener">communication</a> among cyber professionals and mentioned their love of geek speak. Many use this language because they don’t want to reveal their weaknesses or limitations. It’s your job to banish this language and identify what the tenets of communication should be, which can include:</p>
<ul>
<li>Eliminating jargon that has no purpose</li>
<li>Encouraging and promoting active listening skills, which are just as important as language</li>
<li>Using inclusive language so that those individuals outside of cyber teams would understand</li>
<li>Reframing communication as a way to reach a result that technical people can relate to</li>
<li>Simplifying messaging</li>
<li>Praising positive communication moments to reinforce the value of it</li>
<li>Outlining how clear communication leads to innovation</li>
</ul>
<h3>Transform Fixed Mindsets into Growth Mindsets</h3>
<p><a href="https://christianespinosa.com/blog/the-secure-methodology-step-two-mindset/" target="_blank" rel="noopener">Mindset</a> is the second step in the Secure Methodology, and it is critical to culture. People either have a fixed mindset or a growth mindset. You, of course, want professionals with the latter. That doesn’t mean those with fixed ones can’t evolve and grow, but it does take work.</p>
<p>A fixed mindset hampers your organization’s ability to be proactive in security and forward-thinking. These folks don’t want to innovate around this because it’s too unknown and uncertain. It will also erode culture. Here are some key steps to transform mindsets:</p>
<ul>
<li>Coaching and reflection: When communicating with a fixed mindset, asking the right questions matters. You need to take them back to a moment when their fixed mindset was a barrier. Such a moment could instigate reflection and more awareness of their behaviors.</li>
<li>Asking why: Again, questions posed to these folks can create aha moments. There’s an exercise called the <a href="https://christianespinosa.com/blog/finding-your-purpose-in-life-understanding-the-7-levels-deep-exercise/" target="_blank" rel="noopener">7 Levels Deep Exercise</a>, which I recommend. It will help uncover motivations.</li>
<li>Praising mindset changes: The third thing to do is to acknowledge and recognize when you see mindset shifts from fixed to growth. Something as simple as this can make a significant impact on future behavior.</li>
</ul>
<p>To round out this discussion, I want to leave you with some additional insights into innovation and security.</p>
<h2>Innovation and Security Aren’t Foes</h2>
<p>One of the biggest misconceptions in the cyber world is that security is a barrier to innovation. Such a perspective is dangerous to your culture and ability to defend data and networks in the cyber war. Security does not impede innovation. In fact, they work together very well with the proper perspective.</p>
<p>It’s not unlike the principles of DevSecOps, where development, security, and operations convene. In this strategy, security is part of the conversation from the beginning. It has equal weight with development and procedures, as it should. You cannot have innovation without security. Innovation, at its core, is about devising solutions that enable better results. If security is outside the innovation bubble, you may have a good idea, but it won’t come to fruition. It won’t be deployable and scalable.</p>
<p>So, you must build the case that they both can coexist harmoniously and should always have a link. Otherwise, you’ll waste time, money, and resources. If you leverage the tips and ideas from this post, you can easily demonstrate how vital security is to innovation.</p>
<p>If you’re ready to build your culture of innovation, you should learn more about the Secure Methodology, which you can find in my book, <a href="https://christianespinosa.com/books/the-smartest-person-in-the-room/" target="_blank" rel="noopener"><em>The Smartest Person in the Room</em></a>. Additionally, I have a <a href="https://programs.christianespinosa.com/the-secure-methodology" target="_blank" rel="noopener">Secure Methodology course</a>, which delves further into the seven steps. Check them both out today.</p>
<p>The post <a href="https://christianespinosa.com/blog/how-to-create-a-culture-of-innovation-in-cybersecurity/">How to Create a Culture of Innovation in Cybersecurity</a> appeared first on <a href="https://christianespinosa.com">Christian Espinosa</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://christianespinosa.com/blog/how-to-create-a-culture-of-innovation-in-cybersecurity/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
