secure methodology

Cybersecurity Workforce Retention: Keep Top Talent with the Secure Methodology

Finding qualified and skilled talent has been a struggle in cybersecurity for years. According to data, that’s only getting harder. Exacerbating the cybersecurity workforce shortage is the fact that retaining employees is challenging. Cybersecurity workforce retention is as important as your recruitment strategies.

So, how do you keep cyber professionals on the job? It’s not an easy answer, as so many factors impact this. However, you can build a retention plan alongside your recruitment strategy. In this post, we’ll uncover why turnover occurs and how to create a culture and environment that will make them stay.

The Cybersecurity Workforce Retention: State of the Industry

A study from ISACA found that 60% of cyber leaders said it was difficult to retain cybersecurity professionals, up 7% year-over-year. The survey outlined why it’s happening, with these being the top reasons:

  • Recruited by other companies (59%)
  • Compensation and incentives (48%)
  • Few promotion and development opportunities (47%)
  • The high stress of the job (45%)
  • No management support (34%)

Some of these challenges are easier to combat than others. Currently, there are more cybersecurity jobs than people available to fill them. A study estimated that over 3.4 million cyber jobs are available, which will only increase. As a result, other companies will try to lure away your employees, even if they aren’t actively looking for another job. How they respond to this will depend on how they feel about working for you in terms of money, autonomy, support, and satisfaction.

Compensation is another tricky area. Competitors may be offering more money. While that’s a critical part of why people work, money may not be the top factor in retention. Regardless, depending on their experience, role, and market, you should pay your team a fair wage. With the cost of living increasing, you must keep up with this.

Next is development, which is something you can control. Continuing to train and upskill your team shows you’re investing in them and their future. You should also be clear with them about the opportunities to advance.

Stress is inevitable in almost any job. Cybersecurity is a dynamic industry with fire drills all the time. Focusing on ways to destress workers should be part of your culture. It could be rewarding your team with social or team-building activities. Having an open door for employees to share their experiences with you and their stress can also be helpful.

Finally, you have complete purview over management support. As a leader, you have to earn and keep the respect of your team. Being a great leader requires you to communicate honestly, listen intently, acknowledge their work, and support them in any way you can.

Addressing these common reasons for turnover is critical for your organization because its impact is considerable.

The Impact of Turnover

An inability to retain staff affects many aspects of operations. Being understaffed creates more risk because everyone’s stretched thin. It’s easy to miss key things when someone is overwhelmed. Turnover also prevents your ability to be more strategic because you’re in a reactive mode versus a proactive one. Productivity suffers as well.

Turnover also costs you money. The average cost of hire is $4,700 and could be even greater considering how in demand these roles are. It’s in your best interest to retain your technical folks, which isn’t easy. You may be looking at many methods to decrease turnover, including increasing wages and benefits, allowing for flexible work, asking for feedback from your team to propel improvement, and providing the right tools to do the job.

Those are all good things to have, but retention has much to do with engagement, satisfaction, feeling valued, and having respect for leadership. These things can mean more than money, which is why applying the Secure Methodology™ to cybersecurity workforce retention makes sense. It’s a seven-step guide that defines a roadmap to transform technical people into highly communicative and collaborative professionals.

Let’s see how each step can support retention.

Applying the Secure Methodology to Cybersecurity Workforce Retention

With every step of the Secure Methodology, there are lessons to learn that impact retention. Here’s how to use these in your organization.

Step One: Awareness

Tapping into awareness is an important attribute to have in life and work. We all have blind spots, but some are bigger than others. Without being aware of these, there are consequences. It negatively impacts relationships and erodes trust. Without being aware, your team doesn’t realize how their behavior affects others and the environment. Things can become toxic very fast. If those things are lacking, it’s easy to see why some would want to leave.

Awareness means being cognizant of your blind spots and working to address them. A more aware team will be more collaborative and communicative. Here are some ways that this can support retention:


Coaching is vital to broadening awareness. If you can open the eyes of your team in a conducive way, they may have “aha” moments. Shifting their stance from being self-centered allows people to get a better perspective.


Using specific, relatable language helps technical people better understand expectations and culture. When there’s no confusion about where everyone should focus, they will likely feel more empowered.


Understanding motivations is critical to unlocking awareness. Tapping into what makes them tick helps strip away some of the technical posturing cyber professionals often do. Knowing their motivations allows you to personalize how you support and coach them.

Step Two: Mindset

There are two types of mindsets — fixed and open. Many technical folks have fixed mindsets with no desire to change, learn, or grow. However, it doesn’t mean they have to stay that way. Fixed mindsets are poisonous to retention. Even if one in the group is this way, it can taint it for others. When we’re fixed, we refuse to move.

A growth mindset is freeing and enables people to be flexible and adaptable, which is necessary for cybersecurity. Evolving a fixed mindset to a growth one is possible, but it requires commitment from you and the employee.

Some key results of a growth mindset include:

  • The ability to reflect on situations and understand how to handle them differently.
  • Healthier and consistent communication.
  • A culture that welcomes growth personally and professionally.
  • Growth mindsets can be a significant reason employees stay with your organization.

Step Three: Acknowledgment

Acknowledgment is scarce in technical fields. Yet, it’s so crucial to retention. Your employees want appreciation for the work they do. It’s often absent because most cyber leaders only respond to things when they go wrong. The small wins every day matter so much to your people, so you must become vigilant about feedback.

Your approach to acknowledgment should include:

  • Being positive by looking at what went right first
  • Specificity in your feedback
  • Immediately offering feedback in the moment
  • Praise in public and relay ways to improve in private
  • Consistency in how you address acknowledgment

Lack of appreciation and lack of feeling valued are two primary reasons why people leave their jobs. If your people don’t receive acknowledgment, they’ll actively seek another job.

Step Four: Communication

Communication is part of every step in the Secure Methodology, along with having its own step. It is, without a doubt, the most critical part of a thriving culture and support to retention. You probably know there are communication issues among your technical folks. It doesn’t mean they aren’t articulate. Rather, their communication styles are often too aggressive, overly complicated with geek speak, and always on the defense. They also suck at listening, the other component of communication.

This storm of dysfunction will have people, often your best, running away from your organization. Thus, it’s critical to make communication the foundation of your culture and retention strategy. Here’s how to use it:

  • Be honest and transparent as a leader.
  • Move away from overly technical language and simplify the message.
  • Encourage open discussion and dialogue that’s respectful.
  • Praise your people when they make adjustments in communication.
  • Practice active listening in exercises, so they grasp how crucial it is.

If you can lay out these tenets, your people will likely see the value and follow you. If some still don’t realize it, they may be dragging others down. In some cases, you may have to let those folks go, so they don’t make it unbearable for everyone else.

Step Five: Monotasking

Monotasking is focusing on one thing, the opposite of multitasking. Many describe multitasking as an excellent quality, but it can actually hamper productivity. Forcing multitasking can make your people feel pulled in many directions. Those feelings create animosity and dissatisfaction. So, remove this pressure and instead recommend blocking time for specific tasks, meetings without distractions, and saying “no” to some things that aren’t urgent.

Step Six: Empathy

Empathy is a valuable quality to have. In terms of cybersecurity, cognitive empathy is essential for a healthy environment. It means that people can understand the feelings and perspectives of others. Without it, you have no team or human connection, and you need those to retain your people. All the things you put in place to get to this step support the building of empathy. Developing this in your team enables a trust factor and creates more satisfaction.

Step Seven: Kaizen

The final step is kaizen, which is a Japanese term. When translated into English, it means “continuous improvement.” So, this step isn’t an end to the journey; it’s how to sustain it. If your team believes in this process, they’ll want to continue identifying ways to improve and follow through with them. When kaizen is part of your cybersecurity culture, your technical folks will evolve and realize that this is where they can continue learning and growing.

Retaining your workforce won’t be easy. With the Secure Methodology, you have a framework. You can go more in-depth by reading my book, The Smartest Person in the Room, and viewing the Secure Methodology course.

The Secure Methodology™ Step Six: Empathy

Empathy in the professional world isn’t a new concept, but its adoption is lagging. Look no further than the Great Resignation as proof that how companies treat people must change. Many people have readjusted their beliefs about work and life in the past few years, so empathy’s importance is greater than ever and has a pivotal role to play in cybersecurity.

Empathy is a key component in winning the cybersecurity war. As such, it’s the sixth step in the Secure Methodology, which is a guide of seven steps that helps cyber leaders transform their employees into high-functioning communicators and collaborators. It builds on the five preceding steps: awareness, mindset, acknowledgment, communication, and monotasking.

Let’s dive into empathy and why it’s a critical aspect of cybersecurity.

Empathy Is Hard to Find These Days

While empathy is critically absent in many technical folks, the rest of the world isn’t demonstrating it much, either. It doesn’t mean that people are naturally unkind; instead, their concept of doing things to support others and the greater good gets canceled by their focus on differences.

It’s easy to ground a worldview in differences and an us-versus-them mentality. If we don’t feel personally impacted by something, we’re glad to look the other way. If “others” are different, then many of us can feel it’s none of our concern.

Except, at the end of the day, we have so much more in common. First, we’re all humans and face many of the same challenges. There’s a microcosm of this happening in your cyber team, especially in their beliefs about others. They typically see nontechnical roles as “others” who could never understand what they do, which creates a wall for communication and collaboration.

Everyone will always have specific roles, but when they become the foundation of how you react to others, it’s not serving anyone. For example, saying, “Oh, he’s a salesperson and can’t understand security risk,” means someone’s already discounting them and looking at them like a caricature.

This initial premise creates an empathy void, which has consequences for cybersecurity.

The Impact of the Absence of Empathy on Cybersecurity

So, how does a lack of empathy affect cybersecurity? It can cause a lot of problems, which can have a devastating impact on risk.

Technical Folks Can Be Intellectual Bullies

Bullying in the workplace is just as common as in the schoolyard. When people cannot see the perspective of others, they tend to act condescending and be defensive in every conversation. They use their intellect to belittle others, which fosters distrust and resentment. Unfortunately, bullying is often part of cybersecurity culture and goes unchecked.

Ego Cripples Empathy

These bullies often only have concerns for themselves. They have a narrow view that doesn’t include the needs of others. It’s especially detrimental when managers have egos that stunt the growth of others. It’s toxic and hampers the capabilities of a team.

Without Empathy, You Can’t Have a Team

The basic principle of a team is a group of people working together to accomplish a goal or solve a problem. Empathy is a prerequisite for this. When it’s missing, you can’t have a team.

On the one hand, we all have some type of belief about our inabilities. You would think this would encourage us all to be more empathetic. The challenge for many technical people is that they want to cover up insecurities and reject empathy for themselves and others. As a result, the foundational trust of being teammates isn’t there.

Empathy Emptiness Is More Than an Internal Problem

A cyber team that doesn’t prioritize empathy also hurts the relationships it has with others, whether they are an internal or external client. Technical people are responsible for security, but not in a vacuum. They must work with others to understand the objectives and concerns of these parties. When they don’t, they create a greater divide and overcomplicate situations, which causes further ostracization.

The stakeholders want to be involved and understand threats and risks. Just because they aren’t technical people doesn’t mean they can’t understand these things. However, if cyber professionals keep them in the dark, it only helps cyber criminals.

The Real Empathy Struggle for Technical People Is a Human Connection Problem

In my career and experiences, I’ve learned that human connection is the root of the empathy struggle for technical folks. Obviously, connection is essential to empathy in any capacity. If we’re all lone wolves and only focus on ourselves, there’s no connection.

Striving to build a human connection is an asset anyone can appreciate. It improves communication, collaboration, and perspective. Those things make people better at their job and happier in life in general.

So, how do you break people out of their one-track minds and cultivate a cybersecurity culture built on empathy?

How to Develop Empathy in Your Cyber Staff

You may think that developing empathy in technical professionals is beyond impossible. You’re already ready to skip to the next step and leave this one out because empathy is too emotional. Fair enough, but I wouldn’t have included it in the Secure Methodology without a plan. It’s an entire chapter in my book, The Smartest Person in the Room, and these are some excerpts that can help you find success.

The Framework Starts With Cognitive Empathy

There is more than one kind of empathy, and the focus here is cognitive empathy, which is the ability to understand someone else’s feelings and perspective. It’s somewhat different from its emotional counterpart, affective empathy, but it still has the same roots.

Additionally, you must frame your approach to differentiate between empathy and sympathy. They are quite different. Empathy describes the choice to connect with someone and accept their perspective. Sympathy doesn’t require the perspective aspect. Rather, it’s merely the ability to feel sorrow for how someone else feels.

People can be sympathetic but not empathetic. It’s a good trait to have, but empathy is what can drive organizational change and success.

Understanding Motivation

Motivation is a recurring theme in the Secure Methodology and applies to empathy. Grasping what motivates an employee is a key to helping them become more empathetic. Their motivation ties to the role they play in cybersecurity and supports a perception of a team working together. If they get this, they’ll want to grow their empathy.

Acknowledging Accomplishments

When you recognize the hard work of your staff, you create positive connections with them. In turn, it becomes a way to foster empathy. In addition to acknowledging achievements, you should also highlight similarities, struggles, and perspectives. This can create further connections between teammates and enrich trust.

Adapting Communication

It starts with you and your communication if you want your people to exemplify cognitive empathy. You have to be an example through how you communicate, which means admitting uncertainty and not always having an answer. They may be more likely to do the same if you can do this. Adapting your communication is critical and includes:

  • Avoid the word “why” because it triggers defensive responses.
  • Try making statements to uncover information, such as “Tell me what your plan is for this.”
  • Include the perspectives of others in how you communicate to demonstrate that the topic impacts many people.
  • Encourage people to explain those impacts on others when working through a cybersecurity challenge.
  • Continue to impress upon your team that listening is just as vital in communication as speaking.

Putting the Target Back on the Actual Enemy

It may seem apparent, but the enemy in the cybersecurity war is the hackers. Yet, the “otherism” I defined earlier pits cyber professionals against colleagues. People who are stuck in the mindset of us versus them forget who the actual bad guys are. In fact, they’re helping the bad guys by functioning without empathy.

Staff too busy trying to stay in control of every cyber discussion and decision refuse to let the needs and perspectives of others have a place. As a result, cybercriminals win because team cohesion is absent. This is the most dangerous environment to operate in and will likely end in a breach or incident.

In working toward greater empathy, you must be clear about who the adversary is and that it’s nobody in the room. Connection within your team and with clients is critical to being proactive and prepared for cyberattacks. You can outmaneuver the hackers if you consistently focus on this and encourage empathetic capabilities.

Trust in Empathy to Revolutionize Your Cyber Culture

All the work from the previous Secure Methodology steps will put you in a position to develop empathy with your technical people. Having this new approach should also help you make better hiring decisions in the future. The bottom line is that empathy isn’t an innate human quality. We have to learn it, and you’re in a position to help people do this. That’s good for them personally and professionally. Get more tips on empathy and exercises by reading The Smartest Person in the Room.

Why Organizations Should Pivot to DevSecOps

The first iteration of making development and operations a tandem was DevOps. The strategy married the two in a practical and tactical mode and cultural philosophy. The objective was to automate and integrate software development and IT. However, it left out a fundamental principle — security. That was rectified with the origination of DevSecOps — the trifecta of development, security, and operations.

Security was previously an isolated segment of the process, coming at the end. Except that wasn’t very effective. Leaving security as an afterthought meant delays in new iterations and lots of rework, which was expensive. There was a realization that security shouldn’t be the red-headed stepchild but deserved a full seat at the table. Collaboration among all three can lead to many benefits, so why hasn’t every organization pivoted? And why should they now?

Secure by Design

The underlying foundation of DevSecOps is to be secure by design. Security is a consideration at the conception of the project, not an afterthought. Even in rapid deployment, which is part of today’s digital transformation schematic, security must be part of the concept.

DevSecOps matters to cybersecurity because of the notion that everything developed and operated has consistent security and that it’s scalable. The biggest clash in DevSecOps may be between your security experts and those who see security as a hindrance. This hurdle can seem insurmountable, and as a cyber leader, you may have to put yourself in a position to evangelize that security doesn’t have to impact agility.

Creating a Balance: Security and Agility

Business leaders in your organization demand velocity in development and operations. The reasons are apparent — greater efficiency, reduced costs, and more revenue opportunities. Those priorities may not be yours. You can understand the need for faster development to support these business objectives. Still, you’re also keenly aware that your company won’t meet its goals without security in applications and operations.

The question then becomes, how do you balance security and agility? From your perspective, you know that security and agility aren’t mutually exclusive. Security doesn’t halt agility and can support it. The misconception that security is a barrier to innovation isn’t new, yet it persists. It may even be present in your cyber team. As a result, you must make a case for security, knowing that your security mindset narrowly focuses on risk in a way that development and operations cannot.

Now, you’re at a crossroads of convincing technical and business stakeholders that all three can work harmoniously. There are plenty of guides to building DevSecOps, and I’m not going to rehash those. Rather, I want to show you how the Secure Methodology™ and DevSecOps have much in common.

Applying Secure Methodology Lessons to DevSecOps

As a refresher, the Secure Methodology is a seven-step framework that helps cybersecurity leaders transform their staff into effective communicators and collaborators. It’s a pathway for technically adept folks who lack the foundational skills to become curious, innovative, and welcoming of growth. In a way, the Secure Methodology has many things in common with DevOps and DevSecOps cultures. In all three concepts, there are synergies, including:

  • Collaboration and shared responsibility
  • Accountability in every aspect of the cyber landscape
  • Standardization around cybersecurity practices
  • Aligning security with business objectives
  • Increased transparency and communication
  • Continuous learning and improvement
  • High empathy and trust

These are all cornerstones of the Secure Methodology and DevSecOps. Next, we’ll go through the seven steps and how they can help you pivot your organization to a DevSecOps framework and culture.

Step One: Awareness

Awareness is the first step because you can’t move any further without it. It’s about being aware of yourself and the behaviors you can control. Additionally, there is the awareness of others. To be a successful professional and person, you have to have both.

When awareness is missing, it causes issues, including inadequate communication, resentment, animosity, competition, and many other things that detract from security.

Awareness is a key component of DevSecOps from the position that all three parties must be aware of one another in such a framework. Development cannot move to operations without security, for example.

Using the tools of the Awareness step could help bridge the gaps between these groups and break them from their silos. The critical areas of focus should be:

  • Perspective beyond a person’s limited view
  • Respectful and transparent communication

Both things feed into the next step, Mindset.

Step Two: Mindset

Mindset impacts everything we do. When it’s one of growth, we see opportunities, encourage feedback, and embrace uncertainty. When it’s fixed, we do the opposite. A growth mindset is the goal. Without it, you’ll never achieve security by design because there’s no ownership and accountability.

The problem with technical (and nontechnical) people is that they run from the truth and feel comfortable only with what they know. That’s risky behavior in the realm of cybersecurity. Moving mindsets is really hard. Not all will be able to hack it, but if it becomes part of your cyberculture, it’s ideal for a shift to DevSecOps, which is all about transparency and honesty.

There are some exercises to help with transformation as part of the Secure Methodology that can help with this. Another thing to note is that you have to talk about mindset in general when you have development, operations, and security staff together. You are outlining how each person needs to adapt their mindset for everyone to find success.

Step Three: Acknowledgment

Next is Acknowledgment, and it’s a big challenge for cybersecurity teams. There is a general lack of appreciation from supervisors to employees happening in every organization worldwide. The nature of cybersecurity is to focus on what went wrong because something always will. I’m asking you to refocus on all the things that go right every day.

Acknowledgment is all about feedback, which is critical in DevSecOps too. Not all feedback will be positive, but when it’s not, it should be constructive so that people learn from what occurred instead of being humiliated. Such actions lead to resentment, disengagement, and turnover, and that’s not good for any company or its security posture.

The act of acknowledging others makes people better at what they do. It builds their confidence and helps them grow their skills and be better collaborators and communicators, and every DevSecOps culture needs that to thrive.

Step Four: Communication

Communication is the most important step. It will make or break any team or company. Without consistent and transparent communication, you’ll never achieve DevSecOps, even if everyone’s on board. It simply doesn’t work.

Communication is about more than words. It’s how they are said and the nonverbal elements as well. The biggest communication barrier is often geek speak. Security, development, and operations may all have their own versions of this. They believe it makes them superior. In reality, it causes confusion, frustration, and distrust, which aren’t the kind of emotions you want in any room.

You and your entire organization must make improving communication a priority. You have to create an environment that appreciates clear and positive communication. I recommend looking at the exercises in my book for more details on this so that communication becomes an asset, not a weakness.

Step Five: Monotasking

Monotasking means concentrating on one task at a time, which is crucial in cybersecurity. The problem is that society, in general, discounts it as not being flexible or able to juggle multiple things. We’ve been conditioned to believe we should be multitasking. So, you have the challenging job of rewiring brains to understand that multitasking causes risk!

Well, it may not solely be on your shoulders because DevSecOps and its proponents will agree. While it’s the convergence of three areas, DevSecOps appreciates workflows and processes that build on each other. You don’t move to the next one until you finish the first one. If you can retrain your team to focus deeply on specific tasks without distractions, velocity and productivity will actually soar.

Step Six: Empathy

You may be wondering what empathy has to do with cybersecurity and DevSecOps. Except we’ve been building up to this with discussion around awareness, acknowledgment, and communication.

Empathy makes us human in many ways, but it’s become something lacking in the world and at work. At the end of the day, we’re all human, and if we can appreciate the perspective of others, we can be better problem-solvers and collaborators. It easily applies to DevSecOps because three independent groups have to empathize with the others and understand their position for it to work.

If you can build empathy in these teams, you can move to the final step, Kaizen.

Step Seven: Kaizen

Kaizen is a Japanese term meaning “continuous improvement.” As people and professionals, we always want to be improving. We want the same for our development, operations, and security. It’s all about progress, no matter how small, as long as it’s constant.

It’s the ideal ending of the process, but not one that ever ends. It’s the same for DevSecOps. It’s a circle, not a line, after all.

You can learn more about the Secure Methodology and how it aligns with DevSecOps by reading my book, The Smartest Person in the Room. Check out my Secure Methodology course too.

How to Create a Culture of Innovation in Cybersecurity

Creating a cybersecurity culture isn’t a novel idea. It’s one that’s been around for some time, as the field and organizations realized that cybersecurity isn’t just about tools, protocols, and technical aptitude. Culture is much more about the people and, as a result, makes it much harder to build and sustain. People are unpredictable and don’t always have the skillsets to participate in culture. There’s an additional component of cultural manifestation, and it revolves around innovation. So, how do you develop a cybersecurity culture of innovation?

If it’s not a question you’re asking yourself as a cybersecurity leader, I would suggest you should. Innovation is the enemy of complacency. However, it requires cyber teams to look beyond their technical aptitude and leverage soft skills, which they may not have. It can seem like an uphill battle, but it’s worth considering the benefits it can bring your staff and business. Those advantages include satisfied employees, mitigation of risk, and the ability to meet continuous improvement goals.

So, let’s talk about fostering innovation in your cybersecurity culture.

What Is a Cybersecurity Culture of Innovation?

At the foundation of culture are people and behaviors. If those whose job is to protect data and networks have a closed mindset, fail to evolve their conceptions, or believe they are the smartest people in the room, culture will always be toxic. In these cases, risks become greater, turnover is high, and communication is nonexistent.

Conversely, a healthy culture has open-minded participants that want to work together effectively and continuously learn. That is an environment where innovation can thrive. It’s a place that welcomes new ideas, which can lead to a better security posture, engaged employees, and greater productivity. In this scenario, everyone benefits.

As you assess your current culture, you probably have gaps, some more than others. Filling those gaps aligns really well with the Secure Methodology™, so I’ll be referring to that as I describe the steps to take. The Secure Methodology is a seven-step guide for cybersecurity leaders to leverage to develop the people skills of technical folks. These steps don’t focus on cyber skills but rather interpersonal ones, which is the core of culture.

Building a Culture of Innovation

No matter where you’re starting in the culture journey, these pivotal elements will be necessary to propel your organization into one that’s agile, forward-thinking, and connected. Here are the areas to help you formulate a plan.

Cybersecurity Culture Involves Three Different Levels

When considering any culture configuration, there are always three levels to consider, from the top to the individual. While they have different roles in the organization and responsibilities around cybersecurity, they must work together to maintain a culture.


This segment is the c-suite, including the CEO and CISO. They must lead by example if they want the culture to permeate. They are top-level decision-makers, but those don’t happen in a vacuum. They need to understand risk and how cyber operations work, which requires clear, consistent communication from cyber teams and individuals. Unfortunately, communication is often the skill most lacking in technical employees. If those that set the strategy and budgets are only fed geek speak, culture leadership is working with a handicap.

Communication, of course, goes both ways. When leaders set a precedent on how they expect communication to flow, it can break down some barriers. In the end, the c-suite needs communication development, as well. It’s especially true regarding what questions they ask, which should be more granular than they might currently be.


Your cyber team comprises people with various skill sets, experience, and expertise. If they can build a coalition that taps into this, they’ll be at a good place regarding culture. However, we’re talking about behavior, communication, and cooperation. Those things are usually the Achilles’ heel of any cyber team.

The team dynamic and evolving it is a big part of the Secure Methodology. Its guidance takes into account the typical lack of people skills and how that impacts cybersecurity culture. Too often, your team operates in silos and wants to continue in this way. Many times, it’s about a fear that others will find out they don’t know everything. Except that’s precisely the kind of mindset you need to innovate!

When working on culture at this level, the Secure Methodology is an excellent framework that you can use to cultivate communication skills, awareness, empathy, and more.


The last layer of culture is the individual. What applies here is similar to the team level with caveats. The biggest of those is motivation, as each person has their own. At this level, as the leader, you must make specific connections to understand that individual’s capacity to change and grow. It’s the most challenging part of cultural shifts, and not every person on your team will be ready for this.

The Secure Methodology includes exercises throughout the seven steps to assist with this. How each person reacts to these will determine their long-term cultural fit.

Now that we’ve looked at each level of culture, here are some more tips you can use to further the pursuit of innovation.

Find Cultural Evangelists

Within your cyber staff, you’ll find those that are all-in on cementing culture as innovative. These people already have a good base of people skills and will prosper in this new dynamic. Assign those employees to be cultural evangelists. They can work together to develop training and upskilling opportunities. Since it’s coming from their peers, others may find this more inviting and appealing.

Define the Language of Innovation

Earlier I discussed the issues in communication among cyber professionals and mentioned their love of geek speak. Many use this language because they don’t want to reveal their weaknesses or limitations. It’s your job to banish this language and identify what the tenets of communication should be, which can include:

  • Eliminating jargon that has no purpose
  • Encouraging and promoting active listening skills, which are just as important as language
  • Using inclusive language so that those individuals outside of cyber teams would understand
  • Reframing communication as a way to reach a result that technical people can relate to
  • Simplifying messaging
  • Praising positive communication moments to reinforce the value of it
  • Outlining how clear communication leads to innovation

Transform Fixed Mindsets into Growth Mindsets

Mindset is the second step in the Secure Methodology, and it is critical to culture. People either have a fixed mindset or a growth mindset. You, of course, want professionals with the latter. That doesn’t mean those with fixed ones can’t evolve and grow, but it does take work.

A fixed mindset hampers your organization’s ability to be proactive in security and forward-thinking. These folks don’t want to innovate around this because it’s too unknown and uncertain. It will also erode culture. Here are some key steps to transform mindsets:

  • Coaching and reflection: When communicating with a fixed mindset, asking the right questions matters. You need to take them back to a moment when their fixed mindset was a barrier. Such a moment could instigate reflection and more awareness of their behaviors.
  • Asking why: Again, questions posed to these folks can create aha moments. There’s an exercise called the 7 Levels Deep Exercise, which I recommend. It will help uncover motivations.
  • Praising mindset changes: The third thing to do is to acknowledge and recognize when you see mindset shifts from fixed to growth. Something as simple as this can make a significant impact on future behavior.

To round out this discussion, I want to leave you with some additional insights into innovation and security.

Innovation and Security Aren’t Foes

One of the biggest misconceptions in the cyber world is that security is a barrier to innovation. Such a perspective is dangerous to your culture and ability to defend data and networks in the cyber war. Security does not impede innovation. In fact, they work together very well with the proper perspective.

It’s not unlike the principles of DevSecOps, where development, security, and operations convene. In this strategy, security is part of the conversation from the beginning. It has equal weight with development and procedures, as it should. You cannot have innovation without security. Innovation, at its core, is about devising solutions that enable better results. If security is outside the innovation bubble, you may have a good idea, but it won’t come to fruition. It won’t be deployable and scalable.

So, you must build the case that they both can coexist harmoniously and should always have a link. Otherwise, you’ll waste time, money, and resources. If you leverage the tips and ideas from this post, you can easily demonstrate how vital security is to innovation.

If you’re ready to build your culture of innovation, you should learn more about the Secure Methodology, which you can find in my book, The Smartest Person in the Room. Additionally, I have a Secure Methodology course, which delves further into the seven steps. Check them both out today.

The Secure Methodology™ Step Four: Communication

Communication is the core of any organization, department, or process. It’s a topic I talk about extensively in the world of cybersecurity. That’s why it’s step four of the Secure Methodology and why it’s a critical aspect of every effort.

In this post, we’ll go in-depth on step four. You can read up on the first three: awareness, mindset, and acknowledgment. We’ll start with a recap of the Secure Methodology.

The Secure Methodology: Turning Technical People Into Solid Communicators and Collaborators

Before we jump into communication, here’s a recap on the Secure Methodology. It’s a seven-step process I developed as part of my book, The Smartest Person in the Room. I designed it as a guide for cybersecurity leaders to help improve interpersonal and people skills so that they can work together to combat cybercrime. It’s not about technical aptitude but rather empowering cyber professionals to look beyond the ones and zeroes by being honest communicators. It’s a reframing of cybersecurity culture to be collective and collaborative in solving challenges.

So, let’s dive into step four.

Technical Staff Aren’t the Best Communicators

It’s a total stereotype that logical thinkers are bad communicators. Except, in this case, it’s mostly true. I’m not making a blanket assertion, but I’ve been in the business for a long time and witnessed this to be accurate time and time again.

When I talk about poor communication, it’s not that someone isn’t articulate or functions with a limited vocabulary. It also has nothing to do with intelligence. The problem is that there’s a communication gap between technical people and company leadership. It’s so bad that they might as well be speaking another language, and they kind of are with geek speak and jargon.

Why do they do this? Well, it helps them validate to themselves that only they know about the technical world. Those who are outside of it couldn’t dare understand what they do. It keeps them in a place of feeling superior. They’re in this club, and no outsiders are allowed. Except those outsiders are running the company and hold all the budget dollars. When technical workers fail to communicate effectively, they alienate their internal or external customers.

Keeping Geek Speak Alive Assuages Insecurity

At the core of geek speak is insecurity. Most technical people believe they hold the title of the smartest person in the room. If they have this “coded” language, few can make sense of it, so there’s less chance that someone will push back. Speaking in normal terms could expose the fact that they aren’t sure, which would be the worst thing for these people. They never want to admit that they don’t know.

Different stakeholders may request that they simplify the message around cybersecurity because it impacts more than just IT. Cyber attacks are considered a primary risk for any business, so their management and impact are enterprise-wide. All tech people will take away from this is that they need to dumb it down.

Another issue is that cybersecurity training and certification reinforce this by providing pages and pages of acronyms to memorize. Every industry has its shorthand, but this is taking it to a new level that’s not consequential to their ability to be equipped cybersecurity professionals.

Communication also has much to do with listening, just as much as talking. Most technical people don’t score well here, either.

Poor Communicators Are Poor Listeners

Being an effective communicator isn’t just about what you say and how you say it. It’s also about listening! In a fast-paced, dynamic world, attention is fleeting, and the consequence is people who don’t pay attention. It can be hard to stay present and observant.

In addition, many people only listen for agreement or rebuttal. They aren’t taking in what someone is expressing and are simply waiting to give their response, either in agreement or to dispute and argue.

Without active listening in cybersecurity, we can’t fully understand the problem. That creates massive challenges in the field.

Dysfunctional Communication Has a Major Impact on Cybersecurity

As I’ve said, we (the good guys) are losing the cybersecurity war. The defeat isn’t because technical skills, innovation, or tools are subpar. I’d argue it has more to do with the fact that communication is in a state of brokenness. It goes back to the gap referenced above.

If technical people aren’t more inclusive with language to decision-makers, they aren’t likely to get the responses they expect or need. The excuse of “they just don’t get it” isn’t helping matters. They have to get it. If they don’t, then risk increases and resources decrease. That’s the crux of the communication gap between technical people and company leaders — they need to speak about cybersecurity in terms of risk to the business.

Leaders want to protect data and networks. They realize the threat landscape is widening with cyber-attacks in the daily headlines. This group knows that if it happens to them, it will cost them a lot of money and harm their reputation. They are hungry for the facts but not in sentences that don’t sound human. It’s the responsibility of technical teams to express risk and threats in a way that makes sense to anyone and what steps need to be taken to mitigate them.

That becomes the hardest part — getting technical people to first realize their communication is ineffective and then get them on board to make changes.

Why Technical Employees Struggle to Evolve Communication Styles

As noted, the jargon and tech speak are a place of comfort for cyber professionals. They act as a veil over uncertainty. They are also logical creatures that see their work as black and white, so they immediately think they don’t need to improve communication or people skills. They know what’s best, and all the non-technical folks can’t grasp the fundamentals.

Continued thinking in this way will only lead to failures and mistakes. To be a great communicator, you have to be flexible, which seems foreign or negative to them. It’s very uncomfortable for them to be vulnerable in their communication because it might reveal that they don’t know everything. Of course, they don’t because no one does, but change is even more challenging if people can’t see this as a possibility.

So, what can you do in a leadership position to incite people to embrace transforming their communication styles?

How to Support Technical People on a Journey to Being Better Communicators

If your technical team improves its communication skills, it can be the best weapon you have in the cybersecurity war. It’s more potent than new technology or the highest technical aptitude. Here are some key things that can make a difference.

Remember Awareness

Awareness is the first step of the Secure Methodology and is something to revisit. Communication isn’t effective without listening. But you can’t do that until you have a level of awareness, which requires putting yourself in the shoes of others. So, encourage them to practice awareness with communication.

Reframe Objectives

Communication is effective based on the result. The point of communicating something is to receive a response. When you reframe the concept for technical people in this way, they can have an “aha moment” as they understand the results and objectives.

Simplify the Message

There is always a way to simplify the point. Technical people don’t need the comfort of their acronyms to emphasize what matters. Instead, urge them to consider who they are discussing subjects with and how to express things in a way that translates to the non-technical people of the world. They need to refrain from going into cyber talk because they aren’t going to get the result they need or expect.

Bring it back to the purpose and the idea of building rapport with others. Remind them that listening for insight helps everybody. The bad guys aren’t sitting in the room with them — the people who can help them are.

Foster a Culture That Appreciates Communication and Sharing

Another part of improving communication is ensuring you create a culture that welcomes it. Your people need to know that if they are trying to share information effectively, you will support them. They’ll certainly make mistakes and revert to old habits, so you’ll want to remember acknowledgment factors — praise them when they communicate well. When they don’t, speak to them privately.

If you create a team that is certain you welcome change, they may be more apt to try harder. Remember, these people don’t like to fail and crave certainty. Of course, change disrupts these patterns, but they’ll do much better if they feel you have their backs.

Moving Forward: Communication Is the Center Point for Cyber Success

Communication is really part of every step of the Secure Methodology. It’s that essential, and it will come up again and again. By focusing on it, your technical people can make great strides in their journey to be better at their jobs and life. You can find more strategies along with exercises to build communication skills in my book, The Smartest Person in the Room, available now, or in my People Skills for Smart People course.

What Is Total Intelligence, and How To Build a Cyber Team to Lead with It

When making any decision, intelligence certainly plays a key role. However, often it’s only the logical, rational side of intelligence that people rely on, especially in worlds like cybersecurity. It’s a field that’s ones and zeroes, so many would think there’s no heart involved. Except those on the other side of the battle are using all their intelligence, something I call total intelligence.

The concept of total intelligence and applying it well as a decision-maker and leader have much to do with cybersecurity. It’s a term that I repeatedly use in my book, The Smartest Person in the Room.

You’re probably wondering what total intelligence is, so that’s where we’ll start.

What Is Total Intelligence?

My definition of total intelligence involves your body, heart, and head. It’s all the information you gain from experiences, training, education, and life. It’s the ability to lead with all of these aspects. Another way to think about it is what many call a “gut feeling.”

Being a cybersecurity leader requires total intelligence in every part of the job. However, you’ll find it challenging to get technical people into this mindset because it’s not all logical, and that’s where those folks like to stay.

Technical People Trust Their Head

Most of those in technical roles are creatures of logic and habit. They lead and interact with others using their heads. They have a skewed worldview, believing that everyone else thinks just as they do. Of course, they would think this because they always think they have the best approach — possibly the only approach.

They trust their head. It’s what comes naturally, and it doesn’t cause friction. They disregard feelings or instincts because they don’t trust them. This limited view isn’t good for any area of life and causes many problems in cybersecurity. This desire to be right and the smartest person in the room seems logical to them. It may seem like posturing, bullying, and a lack of cooperation to others. It hinders communication and actually prevents problem-solving.

Using only the mind part of total intelligence does not result in an environment where incidents and failures don’t occur. Technical people may argue that intelligence’s heart and body parts are unnecessary and have no place in cybersecurity. They are wrong! Cybersecurity is not black and white; it’s a field of gray.

So, how do you get these people to turn on other areas of their intelligence?

Driving Toward Total Intelligence Requires Self-Awareness

To empower technical teams to lead with total intelligence, they must be self-aware. Awareness is the first step in the Secure Methodology, a framework that I developed and is the focus of my book. It’s a guide with seven steps and a collection of strategies to transform technical teams into excellent communicators and collaborators. It’s the best way to convert those that live in very fixed mindsets.

The path to awareness isn’t easy for technical people or anyone else. A good starting point is assessment tests. They are not free of gaps, but they can lay the groundwork, informing takers on who they are, how they see themselves, and how others perceive them.

The test I’ve found to be useful is the Enneagram test. It embodies all the elements of total intelligence:

  • Instincts (body)
  • Feeling (heart)
  • Thinking (head)

The findings can benefit those who want to journey further into self-awareness. I highly recommend it to you and your team, as it can uncover fascinating and accurate information. I also share my results in the book.

Total intelligence becomes a greater possibility if you can move people toward self-awareness. But should total intelligence always be a guiding force? Like everything, its application varies.

Total Intelligence Changes Thought Patterns and Perspectives

The starting point of total intelligence is self-awareness, which changes how you think and, ideally, feel in any situation. It gradually happens as people adjust. They’ll find themselves running through scenarios in more than a logical mindset. It can open up a lot of self-discovery, and that’s a good thing.

Self-awareness can benefit your employees in every facet of their life. One thing it does is really provide people with a “why.” That’s their primary reason for doing what they do. It could be for financial reasons only, and that doesn’t discount someone from reaching total intelligence.

Having a passion beyond this sets your organization up to be on par with those of hackers. The hackers have a “why,” and many times, it’s stronger than those on the right (good) side. There is a lot of emotion behind the actions of most cyber-criminals. Understanding that helps everyone realize how crucial it is to think not based on logic alone.

Total intelligence also brings a team together, creating powerful connections.

Total Intelligence Connects You to Others

One of the most critical elements of attaining total intelligence is having open conversations that are vulnerable and uncomfortable. You have empathy and compassion for others when you’re leading with your body, heart, and head. You can stand in their shoes and see their perspective.

Those people skills gained with total intelligence are a changemaker in cybersecurity. Total intelligence opens you up to possibilities beyond that black-and-white world. You can see the fault in your logic and learn from others. With a team leading in this manner, you can mitigate all the failures created by poor communication and contrariness.

Great Leaders Have Total Intelligence and Understand the Balance

Many very smart and successful people say that you shouldn’t make business decisions with your heart, which is a bit ironic in a few ways.

First, most had to have the passion and connection to achieve what they have. Aside from those born lucky, entrepreneurs who have made a mark on the world did so by using their hearts, minds, and bodies.

Second, we live in a world where emotion is the key driver in buying decisions. There’s lots of data to back this up — studies from neuroscientists. There are experts on the subject, like Harvard professor Gerald Zaltman, who asserted that 95% of purchasing decisions are subconscious. To link this back to cybersecurity, consider that purchasing decisions are a big part of any business and who and what they involve in their technical needs. So, I’d draw a correlation that emotion backs many more business decisions than most people would attribute.

Emotion is essential, but the total intelligent leader knows they shouldn’t solely be led by their heart. They need all three elements to make decisions in the best way for the team and the company. If your people stay trapped in logic, they’ll make bad choices. They may not be bad today or tomorrow, but eventually, it will bite them.

In leading with total intelligence, there is a way to go through all three areas to come to a conclusion.

What Leading with Total Intelligence Looks Like

I try hard to be in a space where total intelligence guides me. I start with logic, but I listen to my heart and body. If those two are strongly opposed, I take that into consideration. I don’t ignore what’s happening outside my head.

As I describe it, the process may sound easy. Maybe you go through the outcomes, ask questions, and bounce around ideas. For a technical person, this is not a simple task. Adapting to this requires practice. Total intelligence is at the top of the people skills triangle. Your people will need:

  • Heightened awareness
  • A growth mindset
  • The right language
  • Hyperfocus
  • Empathy
  • A desire to keep improving

That’s a long list, and it will take time and effort to develop these skills. It’s a journey, and the route to take is the Secure Methodology. All seven steps work to build total intelligence. You’ll find many exercises and strategies in my book for each step. Doing these activities is key to building communication and other people skills.

The moment that everything clicks together for your team comes when they allow emotion and instinct to complement logic. In practice, this looks like using logic as the first rung on the ladder. Emotion and instinct are next, and people achieve this by seeing problems through the eyes of the client. With all three applied, the solutions proposed are better.

Achieve Total Intelligence to Win the Cyber War

Your technical employees may seem resistant to change. The Secure Methodology takes that into account. Not everyone will make it through the steps, and it’s okay to conclude that some aren’t right for your team. If the goal is for everyone to make decisions based on the heart, body, and mind, you don’t want to devote too much time and energy to the “never-changers.” Concentrate on those people who want to evolve and can commit to the journey.

It all begins by reading the book and applying the Secure Methodology. Get your copy of The Smartest Person in the Room today.
