Building your cybersecurity team isn’t easy. Recruiting, hiring, and retaining staff is a significant challenge in today’s environment. However, that doesn’t mean you should keep people who aren’t performing well, create toxicity, and collaborate poorly. There are many red flags you should pay attention to concerning your cybersecurity staff. This doesn’t automatically mean you should let them go. If they are willing to grow, change, and adapt, they still have potential.
As you assess the makeup of your team, you have to be aware of their behavior and its impact on risk, culture, and success. In this post, we’ll review the red flags to be on alert for and how to handle them.
5 Red Flags That Signal Trouble in Your Cybersecurity Staff
Before going into this list, there are a few things to discuss. Technical folks often have a bad reputation for being antagonistic and lacking soft skills. In some ways, this is a stereotype that doesn’t always play out in the real world. However, there is some truth in this, as many in the field struggle with communication, collaboration, and change. They crave certainty, but cybersecurity is dynamic and very uncertain much of the time. The nature of the job is also high-stress, and burnout is a pervasive issue.
The reason to acknowledge these things is to give context to the list of red flags. Many of these aren’t necessarily conscious decisions by technical people to be difficult. They are creatures of habit and will tend to keep these patterns unless they become aware of them and see a path to grow and learn. The real problem comes when individuals resist any development of soft skills and can’t take criticism or coaching. Keep these things in mind as we discuss the topic further.
They Mask Insecurity with Posturing
No one wants to admit they feel insecure about anything, least of all cyber professionals regarding their work. They believe that not knowing everything is a weakness, and they need to hide this from everyone. The reality is that no one can know everything about anything. It’s especially true in cybersecurity, where new threats emerge every day, and hackers are hard at work trying to breach your networks.
When posed questions about a risk, threat, or concern, they will posture instead of admitting they aren’t sure what the answer is. It turns into a tirade of geek speak that doesn’t make much sense to those on the business side. When you see these reactions play out, it’s a big red flag. All that posturing and blustering doesn’t help your team or company. It actually creates more risk and continues the stereotype of technical folks being defensive and rude.
As a cyber leader, you have to call this out immediately. You don’t want to be antagonistic in your response, as that’s unlikely to remedy the situation. What you should do is talk about the insecurity they’re obviously feeling and get to the why.
Helping them become aware of their behavior and its impact can drive change if they are willing to be accountable. Encourage them to ask for help, investigate the issue, and communicate with transparency. Give them chances to rework how they approach a problem they don’t know the answer to. They will either appreciate your advice and start working on themselves or revert to what feels comfortable. If they do the latter, they may not be the best fit for your culture.
They Are Black and White Thinkers, and It Hinders Communication and Collaboration
Technical folks are logical, rational thinkers most of the time. It comes in handy in such a high-pressure industry. However, it can make them more prone to only see things as black and white. Cybersecurity is anything but black and white! Most of it lives in the gray because hackers are always trying new approaches to steal your data. They are creative and curious. Your cybersecurity staff should be, too.
A black-and-white thinker has a fixed mindset with only one correct answer. This may sometimes be true in the technical aspect of cybersecurity, but in the big picture, it’s not. What creates the red flag here is when they take this perspective into communication and collaboration. They won’t actively listen or participate in trying to solve the problem other than to give you the one answer they believe to be true.
Addressing this means working on communication and collaboration. Again, they must become aware of their behavior and how it hurts the team. The key is to open their mindset toward change and accept that there are many possible solutions. Finding what will work will require a group effort, so they have to be willing to be part of the effort.
Improving communication skills is hard for anyone. Technical people often have an even harder time, but it’s not impossible. Transforming them into healthy communicators is a critical step in the Secure Methodology™. It’s a seven-step guide for cyber leaders to build teams that focuses on developing soft skills for their teams. Many ways to handle red flags tie back to the Secure Methodology.
They Have Little Regard for Their Clients
As a cyber team, you are either serving the company you work for internally or externally. Either way, they are your clients, and caring about what they care about matters. The key things that cyber professionals should focus on are—what are we trying to protect, and what are the threats to it? It’s a simplification of the cyber world, but it does come down to these things.
If your cyber staff never asks these questions and goes through the motions of cyber defenses, vulnerabilities are exploitable. You’ll never improve the risk posture if they don’t have some degree of consideration for the job they are doing.
Working on this aligns with the awareness step in the Secure Methodology. It’s the first step, and the goal is for the person to become more aware of themselves and others. They have to be willing to see other perspectives from the business side. When they don’t, constant friction and animosity impede any progress you hope to make.
This concern is also associated with empathy, the sixth step of the Secure Methodology. Humans have to learn empathy; it’s not innate. In the business sense, we’re talking about cognitive empathy. It’s the ability to understand another’s feelings and perceptions. It’s not about sympathizing with a person but connecting and accepting their perspective. Helping your team cultivate this skill will go a long way in constructing healthy relationships among the team and with your clients.
They Don’t Want to Learn from Their Mistakes
Every cyber professional will err—sometimes, many times a day or week. It’s not an exact science, and the threat landscape keeps changing. Making mistakes isn’t a red flag; not wanting to learn from them is.
Mistakes can be teachable moments for cybersecurity staff. Huge blunders that happen due to negligence are another category, but most errors are part of the job. When these things happen, you need to acknowledge it privately and see what response you get. If the person is immediately defensive and not accountable, that’s bad news. If they are willing to take responsibility and learn from it, that’s someone you want on your team.
You also have to create a culture where an error isn’t an automatic pink slip. You don’t want people so scared to make one that they do nothing. It comes from being transparent in communication and giving feedback to the group and individuals consistently.
Ultimately, learning is about embracing continuous improvement or “Kaizen,” which is the final step in the Secure Methodology. It’s the never-ending step that guides your cybersecurity staff to welcome change and not fear it.
They Thrive on Negativity
Cyber professionals are often pragmatic and realistic, which aren’t red flags alone. It becomes a problem when they only want to argue and spread negativity. They never have a positive thing to say or offer to the conversation. It’s disruptive and creates resentment. If someone is rude to everyone they engage with at work, it’s not good for your culture, team, or risk.
Their predisposition to be negative can be part of insecurity and posturing. Other times it may be an intentional way to sew chaos. You can try to push them toward working on themselves, but they have to be committed to it and realize the damage they are doing. The step of mindset is the first strategy to try with these folks. Shifting mindset is about being reflective and understanding motivation. Exercises in the book offer a way to navigate this journey for those brave enough to take it.
Tackle Red Flags with the Secure Methodology
These red flags don’t mean that someone isn’t smart or talented. It usually correlates with the other emotions we’ve discussed—insecurity, uncertainty, and fear. There’s no way to banish all these, but you can support your cybersecurity staff in their growth with the Secure Methodology. Explore more about the steps in my book, The Smartest Person in the Room, and in the Secure Methodology course.