Focus on People to Improve Cybersecurity
- Douglas Gray
- Oct 13

Information technology (IT) is first and foremost a human endeavor. It’s a tool, one created by humans, run by humans, and that supports human needs. In cyber, we must focus on the basics, putting the human at the center of the solution. Those basics are:
- Developing complete, balanced, growth-oriented leaders throughout the cyber organization, from executives to individual contributors.
- Achieving not just coordination or collaboration but synergy.
- Infecting the culture with a risk-centered mindset.
Leadership
We have a leadership deficit throughout American society. My late father-in-law worked for IBM for decades. When the late 1980s hit, companies like IBM, which had groomed you for a lifelong career, faced new realities. Many had flattened and entered our current world of a rotating workforce. Before this change, he said, companies would develop their employees, an investment in their future labor force. When the new realities hit, he said, much of that development was jettisoned.
Today, much of an organization’s training focuses on short-term necessities, like properly filling out a time card. The kinds of development training my father-in-law talked about are now provided via online courses that you can take when your critical work is finished, that is, almost never. Development is relegated to perfunctory quarterly reviews and annual appraisals, usually tied to the end of the fiscal year.
Yet, almost everyone can readily pick out an example of someone they know who was in over their head. In 1969, Dr. Laurence J. Peter and Raymond Hull wrote a book called “The Peter Principle.” The principle held that in everyone’s career, they progress through positions in which they are entirely competent, moving from one rung of the ladder to the next, until one day...they’re not competent. They have reached their point of “final placement”.
With less workforce development across organizations, the Peter Principle is becoming increasingly common.
Over my three-decade career of leading in the military, government, academia, and private sector, there are two things I have observed:
First, this “final placement” did not come about all at once. The grooming to prepare them didn’t happen.
Second, even after they reached that “final placement”, the vast majority could have been saved but weren’t.
When a key person in the organization struggles, it affects all those around them, both directly and indirectly.
The result is lost productivity, less agility and innovation, and a miserable, unproductive workforce.
In this world of hyper-competitiveness, we do not have that luxury, regardless of the organization.
In cybersecurity, it means unprepared defenses and missed intrusions.
Every member of the cybersecurity team must be a self-contained individual, versed not only in technical skills and abilities, but also in personal and professional attributes. An individual contributor must be a leader even if they are only leading themselves, mentoring others, leading incident response, or heading up ad-hoc work groups. The importance of informal leadership quality and buy-in can’t be overstated, especially when things inevitably change.
As Peter Drucker once said, “Culture eats strategy for breakfast.” Changes in culture require the buy-in of informal leaders.
As the cybersecurity professional moves into higher roles, they must understand their new role within the organization and the leadership and managerial levers available to them at that new level. A supervisor must not only ensure that their people can effectively employ their technologies, but also that their professional development and basic life support needs are taken care of.
As Sir Richard Branson once said, “Train people well enough so they can leave. Treat them well enough so they don’t want to.”
Synergy
The American Heritage Dictionary of the English Language says synergy is “the interaction of two or more agents or forces so that their combined effect is greater than the sum of their individual effects”.
The cybersecurity organization is more than the analyst in the security operations center (SOC) staring at the monitor on the wall. Those in other parts of the organization must set the stage for the SOC to prevail at the point of attack. When attackers gain a foothold, a synergistic, combined effort limits the damage and enables the organization to recover gracefully.
While the attacker initiates the attack, the organization controls the engagement area. They get to prepare. If the U.S. Army were to prepare the defense of a piece of terrain, engineers would emplace obstacles such as tank traps and concertina wire, artillery would determine ahead of time where it would target its weapons, and the area would be subject to both aerial and ground surveillance and reconnaissance. If prepared well, like Harry and Marv in Home Alone, the attacker would have to play the defender’s game. This kind of cross-functional effort is a form of synergy.
Not only do security governance personnel need to understand the frameworks that determine whether their network and organization are compliant, but they also need to understand how to apply those frameworks in the real world to maximize the effectiveness of their resources.
Threat intelligence personnel need to not only understand threat actors and their attack patterns, but also what is being protected, so they deliver the “so what”, the most impactful intelligence information.
IT Operations needs not only to understand how to architect the network to make it functional, but also how to ensure that the organization’s key systems and data, the crown jewels, are not exposed any more than absolutely necessary.
This requires not only technical skills but also social skills, such as emotional intelligence, and an environment of trust. As groups within the cyber organization interact, friction is likely to occur. Conflict must be managed and reduced. As Daniel Goleman pointed out in his Harvard Business Review article, “What Makes a Leader,” key attributes such as self-awareness, self-regulation, and effective communication are critical to achieving synergy.
We simply aren’t talking about these skills in our field today.
Risk-Centered Mindset
Risk management involves determining who or what may cause harm, identifying weaknesses that may enable them to do so, and assessing the potential negative consequences to the organization’s mission. Then it’s about doing something about it...pragmatically, rationally, within resource limits.
Sun Tzu said, “To be prepared everywhere is to be strong nowhere.”
Each member of the organization has approximately 1,900 hours of work time per year.
Should security engineering continue maintaining the current firewall, or should money be spent to replace it with the latest technology?
Is writing a security policy enough, or should we actually configure the network to prevent the risky behavior? And what business functions would suffer if we did?
We can’t eliminate all cybersecurity risks. Acculturating a risk-management mindset as a raging contagion throughout the organization empowers each team member to make practical trade-offs within their scope of responsibility. When we prioritize synergy, there is a consensus on risk, leading to better prioritization and mutual trust to act upon those priorities. Now, cybersecurity is not an intractable problem, but rather an elephant that can be eaten one bite at a time, mitigating the most severe risks within the available resources.
Wrapping Up
We must start with the basics, the first principles. Those basics are centered on our people.
Cybersecurity is not an isolated function, but rather the result of committed professionals putting their best foot forward in harmony with others to ensure their organizations are successful. However, this requires a mindset change in our profession.
Attackers will specialize, collaborate, and change their approach to maximize the damage they inflict. If we focus on our people, we can ensure the attacker’s job is not as easy as they’d like.
Read the other installments in this series at The Cyber Success Vector™ Article Series.
© 2024 GrayVector LLC, all rights reserved.
Cyber Success Vector is a trademark of GrayVector LLC. All rights reserved.
The preceding work contains the opinions of the author and does not represent those of any other person or organization.
References herein to any specific commercial product, process, or service by trade name, trade mark, manufacturer, or otherwise, do not necessarily constitute or imply its endorsement, recommendation, or favoring by GrayVector, LLC, or the author.
NO WARRANTY. THIS MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. GRAYVECTOR, LLC, AND THE AUTHOR MAKE NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER, INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. GRAYVECTOR, LLC, AND THE AUTHOR DO NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.