Focus on People to Improve Cybersecurity

BOTTOM LINE UP FRONT:

  • Success in cybersecurity lies in our people; we can't "tool" our way to success.
  • Success stems from team members' leadership skills, synergy, and risk-centered mindset.
  • The "Peter Principle" (the idea we progress through positions until we're no longer competent) can be anticipated and defeated.

Information technology (IT) is first and foremost a human endeavor. It’s a tool, one created by humans, run by humans, and that supports human needs. For the cybersecurity community, focusing on the basics means putting the human at the center of the solution. The basics we need to focus on are:

  1. Developing complete, balanced, growth-oriented leaders throughout the cyber organization, from executives to individual contributors.
  2. Achieving not just coordination or collaboration but synergy.
  3. Infecting the culture with a risk-centered mindset.


Leadership

We are in a leadership crisis throughout American society.

My late father-in-law worked for IBM for decades. When the late 1980s hit, companies like IBM who groomed you for a lifelong career faced new realities. Many flattened and entered our current world of a rotating workforce. Before this change, he said, companies would develop their employees, an investment in their future labor force. When the new realities hit, he said, much of that development was jettisoned.

Today, much of organizations’ training focuses on short-term necessities, like properly filling out your time card. The kinds of development training my father-in-law talked about are now provided via online courses that you can take when your really important work is finished, that is, almost never. Development is relegated to perfunctory quarterly reviews and annual appraisals, usually tied to the end of the fiscal year.

Yet, almost everyone can readily pick out an example of someone they know who was in over their head. In 1969, Dr. Laurence J. Peter and Raymond Hull wrote a book called “The Peter Principle”. The principle held that in everyone’s career, they progress through positions in which they are entirely competent, moving from one rung of the ladder to the next, until one day...they’re not competent. They have reached their point of “final placement”.

With less workforce development across organizations, the Peter Principle is becoming increasingly common.

Over my three-decade career of leading in the military, government, academia, and private sector, there are two things I have observed:

  • First, this "final placement" did not come about all at once. The grooming to prepare them simply didn’t happen.
  • Second, even after they reached that “final placement”, the vast majority could have been saved but weren’t.

As Peter describes, higher leaders either looked away to avoid embarrassment, “kicked them upstairs” exacerbating the situation, or simply kicked the person to the curb, often with the obligatory “performance improvement plan”.

When a key person in the organization struggles, it affects all those around them, both directly and indirectly.

  • The result is lost productivity, less agility and innovation, and a miserable, unproductive workforce.
  • In this world of hyper-competitiveness, we simply do not have that luxury, regardless of the organization.
  • In cybersecurity, it means unprepared defenses and missed intrusions.

Every member of the cybersecurity team must be a self-contained individual, versed not only in technical knowledge, skills, and abilities, but in personal and professional attributes as well. An individual contributor must be a leader even if they are only leading themselves, mentoring others, leading incident response, or heading up ad-hoc work groups. The importance of informal leadership quality and buy-in can’t be overstated, especially when things inevitably change.

As Peter Drucker once said, “Culture eats strategy for breakfast.” Changes in culture require the buy-in of informal leaders.

As the cybersecurity professional moves into higher roles, they must understand where they now fit into the organization, and the leadership and managerial levers available to them at that new level. A supervisor must ensure not only that their people can employ their technologies, but that their professional development and basic life support are taken care of.

As Sir Richard Branson once said, “Train people well enough so they can leave. Treat them well enough so they don’t want to.”

Synergy

The American Heritage Dictionary of the English Language says synergy is “the interaction of two or more agents or forces so that their combined effect is greater than the sum of their individual effects”.

The cybersecurity organization is more than the analyst in the security operations center (SOC) staring at the monitor on the wall. Those in other parts of the organization must set the stage for the SOC to prevail at the point of attack. When attackers gain a foothold, a synergistic, combined effort limits the damage and enables the organization to recover gracefully.

In fact, while the attacker initiates the attack, the organization controls the engagement area. They get to prepare. If the U.S. Army were to prepare the defense of a piece of terrain, engineers would emplace obstacles like tank traps and concertina wire, artillery would decide ahead of time where they target their weapons, and the area would be subject to aerial and ground surveillance and reconnaissance. If prepared well, like Harry and Marv in Home Alone, the attacker would have to play the defender’s game. This kind of cross-functional effort is synergy.

  • Not only do security governance personnel need to understand the frameworks that determine whether their network and organization are compliant, they need to understand how to apply that framework in the real world to maximize the effectiveness of resources.
  • Threat intelligence personnel need to not only understand threat actors and their attack patterns, but what is being protected so they deliver the “so what”, the most impactful intelligence information.
  • IT operations needs to not only understand how to architect the network to make it functional, but how to ensure the organization’s key systems and data, the crown jewels, are not exposed any more than absolutely necessary.

This requires not only technical but social skills, like emotional intelligence, and an environment of trust. As groups in the cyber organization interact, friction will occur. Conflict must be managed and reduced. As Daniel Goleman pointed out in his Harvard Business Review article, “What Makes a Leader”, key attributes like self-awareness, self-regulation, and communication are critical to achieve synergy.

We simply aren’t talking about these skills in our field today.

Risk-Centered Mindset

Risk management is determining who or what may do something bad, what weaknesses may enable them to do it, and the potential bad results to the organization's mission. Then it's about doing something about it...pragmatically, rationally, within resource limits.

Sun Tzu said, “To be prepared everywhere is to be strong nowhere.”

Each member of the organization has about 1,900 hours a year of work time.

  • Should security engineering continue maintaining the current firewall, or should money be spent to replace it with the latest technology?
  • Is writing a security policy enough, or should we actually configure the network to prevent the risky behavior? And what business functions would suffer if we did?

We can’t eliminate all cybersecurity risks. Acculturating a risk-management mindset throughout the organization empowers each team member to make effective trade-offs within their scope of responsibility. When we prioritize synergy, there is a general consensus of risk leading to better prioritization, and the mutual trust to act upon those priorities. Now cybersecurity is not such an intractable problem, but an elephant that can be eaten one bite at a time, mitigating the most severe risks first within the resources available.


Wrapping Up

  • We must start with the basics, the first principles. Those basics are centered on our people.
  • Cybersecurity is not an isolated function, but rather the result of committed professionals putting their best foot forward in harmony with others to ensure their organizations are successful. However, this requires a mindset change in our profession.
  • Attackers will specialize, collaborate, and change their approach to maximize the damage they inflict. If we focus on our people, we can ensure the attacker's job is not as easy as they’d like.

Read the other installments in this series at The Cyber Success Vector™ Article Series.


© 2024 GrayVector LLC, all rights reserved.

The preceding work contains the opinions of the author, and does not represent those of any other person or organization.

References herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise do not necessarily constitute or imply its endorsement, recommendation, or favoring by GrayVector, LLC, or the author.

NO WARRANTY. THIS MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. GRAYVECTOR, LLC, AND THE AUTHOR MAKE NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. GRAYVECTOR, LLC, AND THE AUTHOR DO NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

Darryl E. Peek II

Senior Director of Public Sector Channels and Alliances (FED & SLED) at Elastic (Twitter: @depeekii)

6mo

Great article, Doug! Thanks for sharing!

Katica (Kathy) Obad

LinkedIn Top Executive Leadership Voice - I help leaders maximize cybersecurity awareness, ensuring employees are completely engaged, educated, and empowered by using motivational keynote-style instructor-led sessions.

6mo

Totally agree! IT is fundamentally about people, and prioritizing their development is key. Building strong leaders, fostering true synergy, and embedding a risk-aware culture are essential steps. Training and nurturing our teams should be a continuous process, not just a checkbox. In cybersecurity, this human-centric approach ensures robust defenses and a more resilient organization. Let's focus on growing our people to secure our future!

Lisa Saurs

Marketing Director at Carlton PR and Marketing ~ Director of Partnerships for Raíces Cyber Org, Events Lead for WiCyS People with Disabilities and Caregivers

6mo

Great piece!

Chan Park, MBA, PMP, CSM, CEH, ITIL

Sr. Vice President of Business Development

6mo

Doug, I always love reading your articles. I agree with you that we need to focus on people, as we should know that social engineering attacks are the easiest and cheapest to exploit.

Kevin Haimovici, CISSP, PMP

Retired Senior Civil Servant/Retired Senior NCO

6mo

Doug, I enjoyed reading your article. As someone who led a large IT organization through 3 significant breaches, I can relate to the message. When the breach happens (it's not if, but when), executives are insistent on getting as much information as possible to satisfy their bosses or the board. While information does need to flow, the executives need to allow the team to work through the issue and focus on taking back the terrain. Once the breach is identified, impacts assessed, and fixes put in place, this is the time for executives to work with all parts of the organization to implement the culture and mindset you map out in your article. As we all know, it costs 10x the $$ to clean up a breach as it does to prevent it.
