CHAPTER 11
When people are financially invested, they want a return. When people are emotionally invested, they want to contribute.
– Simon Sinek
Opportunity
There is a fundamental difference between leadership and management. Leadership is about getting individuals bought into your strategy and vision so that they are willing to work with you to achieve your goals. Management is more about managing the day-to-day activities required to march toward those goals. Leadership and management are intertwined. Strong leadership without strong management ensures a vision remains a vision and nothing else. Strong management without strong leadership leads to a “master/slave” mentality with low employee buy-in and morale and high employee turnover.
Globalization and digital transformation foster an astonishing pace of change in how businesses operate. Today's workforce puts intrinsic factors, such as personal and professional development and flexibility, above extrinsic factors such as salary and benefits. In other words, a manager is no longer just a supervisor. A Gallup poll finds that managers influence 70% of a team's engagement, and the traditional command-and-control structure is not effective with today's workforce.1 Managers are expected to be more of a coach rather than a boss.
Human Capital Management is a set of practices related to people resource management. These practices are focused on the organizational need to provide specific competencies and are implemented in three categories: workforce acquisition, workforce management, and workforce optimization.2 We covered workforce acquisition in Chapter 10 – Recruiting and Leading High Performing Teams. We tied recruiting and leading together because, without effective recruiting, there is nobody to lead. As Paul Russell, formerly of Google, put it, “Development can help great people be even better – but if I had a dollar to spend, I'd spend 70 cents getting the right person in the door.” In other words, teaching the technology side of cybersecurity is much easier than finding the “A-Players” we described in the previous chapter.
We discuss the importance of Stephen Covey's 8th habit of “Find your voice and inspire others to find theirs” and influence in Chapter 9 – Relationship Management. Exercising the 8th habit requires an understanding of how to lead your workforce by understanding their motivations, strengths, and weaknesses so that you can leverage their skills in an optimized manner to create a high-performing team that meets your organization's goals.
Principle
This chapter will not be an education on traditional human resources and their function. Instead, in this chapter, we will focus on managing and optimizing your workforce through strengths-based leadership, managing a multigenerational workforce, training, and diversity of thought.
Strengths-Based Leadership
Managers are instrumental in maximizing the use of employees' strengths to optimize team performance. Study after study has found that doubling down on employee strengths is more effective than minimizing employee weaknesses. According to Gallup, people who use their strengths every day are six times more likely to be engaged on the job, which leads to more employee engagement, better performance, and lower employee turnover.3
First, as a manager, you must identify strengths. Outside of evaluating an employee's hard skills, determine how they instinctively think, feel, respond to stressful situations, and work within a team. Is the employee a collaborator, or do they prefer to work alone? Does the employee lash out when under stress, or do they defuse stress with an appropriate sense of humor? Several tools are available to help you identify employee strengths and effectively connect your team's work to individual strengths. By the way, these tools are not only for your employees. There should not be any “do as I say, not as I do” attitudes in cybersecurity, so be sure to take some of these tests yourself and openly share the results with your employees and leadership so that you can best understand and leverage your strengths. We will highlight these tools in the following sections, and they include the Kolbe A/B/C Indices, The CliftonStrengths Assessment (StrengthsFinder 2.0), LPI: Leadership Practices Inventory, and Myers-Briggs.
Kolbe A/B/C Indices
(www.kolbe.com)
Kathy Kolbe's father developed the first cognitive assessment used extensively by business and government. Kathy built upon his research and the original assessment to develop the Kolbe indices, which aim to further understand the drivers of human performance.
The Kolbe A Index aims to reveal natural strengths and intrinsic abilities. Many organizations use it to hire, retain, and organize highly effective teams. It is based on the premise that your mind comprises three distinct parts.
· Affective: Accounts for things like your personality, likes, and dislikes. Other assessments, such as Myers-Briggs (which we will discuss later), also measure this part of the mind.
· Cognitive: The part of your mind responsible for what you know and how you learn. SAT, ACT, or IQ tests attempt to measure your cognitive mind. (If you ever meet Rock, ask him about his ACT story.)
· Conative: This part of your mind is responsible for your human nature and how you naturally solve challenges if you have no constraints. The Kolbe A Index attempts to measure this part of your mind.
The Kolbe A index then divides the results into four action modes:
· Fact Finding: The instinctive need to prove and the way you gather and share information. Do you require a lot of detail and low amounts of uncertainty to start a project, or can you get rolling with minimal details and a high amount of uncertainty? Do you dig into the details, or do you focus more on the big picture?
· Follow Thru: The instinctive need to pattern and the way to organize and design. Are you rigid and structured? How well can you adapt to change in a plan? Can you remain focused while executing the entirety of a project?
· QuickStart: The instinctive need to improvise and the way you deal with risk and uncertainty. Do you like to experiment and “fail fast, fail often,” or would you rather minimize change and the risk that comes with it?
· Implementor: The instinctive need to demonstrate and the way you handle space and tangibles. Do you like to get your hands dirty on a keyboard or dig into the contents of a PCAP, or do you prefer to envision a long-term strategy?
The Kolbe B and C indices are both comparisons against the Kolbe A, so everyone, including you, must take Kolbe A before the others for the comparison to be meaningful. Kolbe B measures your perception of your own job responsibilities. Comparing Kolbe A and Kolbe B results helps you recognize when you are trying to perform contrary to your natural strengths and abilities.
Kolbe C measures the functional expectations of a specific position (e.g., the supervisor's expectations of a particular job function). Comparing Kolbe A and Kolbe C results helps supervisors and employees see how the employee's strengths line up with the demands and requirements of the job and identify areas of conative stress.
When personal expectations don't match natural abilities, you can adjust the team by redirecting talent and leveraging underutilized talent. The worst and most stressful scenario is when the supervisor's requirements don't match the employee's natural abilities, and employees must work against their natural tendencies. In this case, consider redefining the job requirements or redirecting underutilized talent to fulfill the job requirement.
The CliftonStrengths Assessment
(https://www.gallup.com/cliftonstrengths/en/252137/home.aspx)
Donald C. Clifton invented the CliftonStrengths Assessment, which about 25 million people have completed at the date of this writing.4 After earning the Distinguished Flying Cross in World War II, Clifton taught and researched educational psychology at the University of Nebraska–Lincoln. While there, he studied tutors at the university to determine what differentiated the truly talented ones. Clifton wondered why psychologists traditionally looked at what was wrong with people (e.g., their weaknesses and challenges) and not why they excelled (e.g., their strengths). Through this research, he identified common attributes that successful people had that allowed them to excel at their work. Clifton created the CliftonStrengths Assessment in 1999 as an online tool in the early days of the Internet. CliftonStrengths focuses on 34 themes, grouped into 4 domains, that make up a person's personality (see Figure 11.1).
CliftonStrengths asserts that individuals do not necessarily need to be well-rounded, but teams need to be. Well-rounded teams that include talent from all of the themes often lead to high levels of performance. By understanding our strengths, we can understand the kind of duties in which we are likely to excel and provide the most significant contribution to the team.
As managers, we can use the understanding of strengths within the individuals of our team to match the best person for the task at hand. We can also use this understanding to hire people to fill in the gaps in themes where our team is lacking. Understanding our strengths provides insight into working within our given teams and whether we impose too much of our strengths onto how we view and work with others. For instance, are you very logical and analytical, and do you expect all of your security analysts to act in the same way, when in reality abstract thinking can provide complementary benefits in that role? When a person's strengths are particularly dominant in a given domain, it means that an individual's most significant contributions to the team will come from performing the tasks aligned with that domain. Allowing individuals to execute duties aligned to their strengths increases their sense of value to the team and drives employee engagement.
FIGURE 11.1 CliftonStrengths Themes
LPI: Leadership Practices Inventory
(https://www.leadershipchallenge.com/)
The Leadership Practices Inventory (LPI® 360) is based on The Five Practices of Exemplary Leadership created by James M. Kouzes and Barry Z. Posner and highlighted in their book The Leadership Challenge.5 They approach leadership behaviors as measurable, learnable, and teachable. The LPI® 360 involves leaders and observers where observers are anyone who has direct or indirect interactions with the leader, such as a manager, direct report, peer, or other coworkers. The leader takes a self-assessment where the leader records, on a 10-point scale, the frequency they believe they exhibit 30 different behaviors. The leader then moves on to answer a few open-ended essay questions. Observers then do the same for the leader undergoing the assessment.
Kouzes and Posner collected thousands of case studies and interviews to discover traits common to effective leaders. The consistent themes from this initial research now comprise The Five Practices of Exemplary Leadership:
1. Model the Way
· Establish principles concerning the way people should be treated and the way they should pursue goals.
· Create standards of excellence and set an example for others to follow.
· Put up signposts when people feel unsure of where to go or how to get there.
· Leaders create opportunities for victory.
2. Inspire a Shared Vision
· Leaders believe they can make a difference.
· They envision the future and create an ideal and unique image of what the organization can become.
· Through their magnetism and persuasion, leaders enlist others in their dreams.
· They breathe life into their visions and get people to see exciting possibilities for the future.
3. Challenge the Process
· Search for opportunities to change the status quo.
· Look for innovative ways to improve the organization.
· Experiment and take risks.
· Set interim goals so that people can achieve small wins as they work toward larger objectives.
· Unravel bureaucracy when it impedes action.
· Accept occasional disappointments as opportunities to learn.
4. Enable Others to Act
· Foster collaboration and build spirited teams.
· Actively involve others.
· Understand that mutual respect sustains extraordinary efforts.
· Strive to create an atmosphere of trust and dignity.
· Strengthen others, making each person feel capable and powerful.
5. Encourage the Heart
· Recognize the contributions that individuals make.
· Celebrate accomplishments and make people feel like heroes.
The LPI® 360 offers three (3) types of reports:
1. Individual Feedback Reports
2. Reassessment Reports
3. Group Reports
The Individual Feedback Report is particular to the assessed leader and contains the leader's self-assessment data and feedback from the observers who participated in the assessment. The report breaks down the results through the lens of The Five Practices of Exemplary Leadership, the 30 behavioral statements, a percentile ranking against millions of other respondents, and includes responses for the open-ended essay questions.
The Reassessment Report compares the leader's reassessment with the initial assessment results, where the reassessment is usually completed in 6-to-12-month increments. The reassessment allows the leader to measure their progress and make any needed adjustments to their improvement efforts.
The Group Report presents the entire group's aggregated data (e.g., team, department, or organization) and includes both self-assessment and observer results. This report highlights potential large-scale gaps across the group and allows leaders to focus improvement efforts accordingly.
Myers-Briggs
(http://www.myersbriggs.org)
The Myers-Briggs Personality Type Indicator (MBTI) is a self-assessment to identify personality types, strengths, and preferences. The questions were originally developed during World War II by the daughter-mother duo of Isabel Myers and Katherine Briggs. They wanted to build upon Swiss psychiatrist Carl Jung's persona theory after realizing that understanding individual differences could have real-world applications. They found that a critical real-world application was to help people select occupations best suited to their personality types, leading to increased happiness and satisfaction.
After the assessment, people are identified as having one of 16 personality types. The MBTI's goal is to allow individuals to understand their personalities by evaluating their likes, dislikes, strengths, weaknesses, career preferences, and how they get along with others. The assessment comprises four scales:
· Extraversion (E) – Introversion (I): Describes how people respond and interact with the world around them
· Extraverts tend to be action-oriented and enjoy more frequent social interaction.
· Introverts tend to be thought-oriented and enjoy deep, meaningful, and less-frequent social interactions.
· Sensing (S) – Intuition (N): Evaluates how people gather information from the world around them.
· Sensing individuals tend to focus on reality, facts, and details and enjoy getting hands-on experience and learning from their senses (seeing, hearing, touching, smelling).
· Intuitive individuals tend to enjoy thinking about possibilities, the future, and abstract theories.
· Thinking (T) – Feeling (F): Homes in on how people make decisions based on the information that they gathered from sensing or intuition.
· Thinkers place more value on facts and objective data and tend to be consistent, logical, and detached when weighing a decision.
· Feelers are more likely to consider people and emotions when weighing a decision.
· Judging (J) – Perceiving (P): Describes how people tend to deal with the outside world.
· Judging individuals prefer structure and firm decisions.
· Perceiving individuals prefer more flexibility and adaptability.
Each type is then identified by its four-letter code. Interestingly, the Myers-Briggs company published a study in 2019 that examined the relationship between cybersecurity behavior and personality type, as measured by the MBTI, to develop personality-based cybersecurity guidelines.6 Figure 11.2 outlines each four-letter coded personality type and the percentage of the study respondents classified into each type.
You can probably immediately recognize some of these tendencies in yourself before even taking a formal assessment. It is important to note that these are scales and not a “this or that” evaluation. For example, an individual can exhibit extraversion and introversion, judging and perceiving, etc. The MBTI tries to evaluate one's tendency and preference towards one side of the scale over the other.
FIGURE 11.2 Myers-Briggs and Cybersecurity Personality Types
When working within a team (a group of your peers or a team that you supervise), it is critical to recognize your strengths and understand others' strengths. Doing so allows you to carve up the work based on the individuals' strengths within the group. In case you haven't noticed, allocating tasks based on strengths is a common goal of all of the assessments we have described.
MBTI does differ from the other assessments in that your results are standalone and not compared against any database of other assessment results. The MBTI's goal is not to compare you against others but rather to provide a deeper understanding of your personality and strengths.
You can take one common free version of the MBTI at https://www.16personalities.com/.
Managing a Multigenerational Workforce
Every year, (ISC)² conducts a Cybersecurity Workforce Study to assess the size of the current cybersecurity workforce and the existing talent shortage.7 Statista also compiles and publishes the size of the current global workforce.8 Both sources break down the labor composition by generation (see Figure 11.3).
This data shows that Baby Boomers are still prevalent in the workforce, and Generation Z will start hitting the workforce in droves. Generation X and Millennials are not going anywhere anytime soon, either.
Managing cybersecurity across a multigenerational workforce has become quite the challenge. Table 11.1 outlines each generation's worldview and motivations, along with the key activities I have learned along the way for interacting with each generation. Credit goes to Purdue Global for condensing the attributes for each generation.9
FIGURE 11.3 Global Cybersecurity Workforce Compared to Global Total Workforce
TABLE 11.1 Managing Across Generations. Data sourced from Purdue Global “Generational Differences in Workplace Content”
| Baby Boomers | Generation X | Millennials | Generation Z
Born: | 1946–1964 | 1965–1980 | 1981–1996 | 1997–2012
Characteristics: | | | |
Shaped by: | | | |
Motivated by: | | | |
Communication Style: | | | |
Worldview: | | | |
Key Activities: | | | |
Managing human capital is not only about managing your direct reports. It is about managing the people around you. We talk throughout this book about influencing others around you, directly or indirectly. Security awareness training, establishing security champions, and building a successful business case all involve “managing” others somehow. NTT conducted a study outlining how different generations approach cybersecurity.10 The NTT study shows what we have inherently known: there are no “one-size-fits-all” answers when it comes to implementing a sticky security culture across your workforce. The type and age of the worker go a long way toward determining how they influence cyber risk.
One may think that younger generations being digital natives correlates to increased cyber awareness and hygiene. I often joke that my nieces (Generation Z) do not know a world before smartphones. On the other hand, I do remember a world before music CDs and with 5.25” floppy disks! However, it is wrong to assume that my nieces are natively more “secure.” In fact, they “get” cybersecurity concepts, but they also expect cybersecurity and privacy to be baked into the technology they use with minimal friction (like their iPhones). However, they are naïve to the fact that social media platforms have led our younger generations to believe that sharing tons of private information will have no long-term consequences, but it will, and it has.
In fact, employees over 30 are more likely to be cyber-aware. They have better cybersecurity practices than their younger counterparts who grew up with smartphones, tablets, and the ability to access the entire knowledge base of the human race through a simple web browser, a few keystrokes, and a couple of clicks. Conversely, employees under 30 take a more laissez-faire approach toward cybersecurity. They expect cybersecurity to be flexible, adaptive, and built into their work processes to enhance productivity. This expectation includes the ability to use their own devices, which is why you have seen the enterprise mobility management market take off over the past several years. Considering these multigenerational requirements is paramount when designing and implementing cybersecurity controls.
The study lays out several statistics, but three jump out at me. The first statistic is 39% of employees under 30 are more likely to pay a ransom to recover from a ransomware attack vs. 30% of employees over 30. As the workforce grows younger, it is important to entertain the thought of establishing bitcoin escrow accounts to have in such a “break glass in case of emergency” scenario, but the ultimate decision should be left to organizational leadership. Many cybersecurity insurance providers are now offering this service, along with professional negotiators to help negotiate down the final ransom payment.
The second statistic is 71% of employees under 30, and 79% of employees over 30 believe that using personal devices for work is a potential security risk. While those under 30 are more risk acceptant of using personal devices, the numbers for both groups are still high at above 70%, which is why you will continue to see the proliferation and growth of enterprise mobility management solutions.
The third, and a significant reason we chose to write this book, is that 81% of employees under 30, and 85% of employees over 30 believe cybersecurity is a concern that the boardroom must address.
Training
Do not be the pointy-haired boss from Dilbert! (See Figure 11.4.) Training is often the first to go when budgets get tight. This is the exact wrong thing to do, and we argue that when money is tight and projects are on hold, that is the best time to double down on upskilling your workforce. First of all, they have the time due to a reduced workload. If there is never time due to the number of fires to put out daily, it is likely time to reevaluate and do a complete reset of your cybersecurity program. Second, a downturn in the market usually leads to uncertainty, and uncertainty leads to your employees looking for other opportunities. Training is an excellent way to help retain your best people.
FIGURE 11.4 DILBERT
Source: DILBERT (2009) Scott Adams, Inc. / with permission from Andrews McMeel Syndication
An ESG and ISSA research report concluded that most cybersecurity professionals do not believe their organization provides the right level of cybersecurity training to keep their skills effective and relevant. Based on four years of research, training seems to be perpetually inadequate.11 If cybersecurity professionals are receiving inadequate cybersecurity training, we can conclude that the rest of the workforce is in far worse shape. Attackers like to kick organizations when they are down. Hence, it is more important than ever to ensure that employees' cybersecurity skills remain up to date to deal with the ever-evolving and complex threat landscape.
At the risk of beating a dead horse, cybersecurity is everyone's job; therefore, extend cybersecurity training to everyone in the organization. Upgrade your entire workforce by upgrading your cybersecurity training and tailoring training to each job role. You are likely not going to send an accountant to a training course on penetration testing, but the accountant certainly needs to be aware of how they can help prevent a data breach, how to recognize when they are the target of a cyber-attack, and what to do if they do suspect a data breach. Cybersecurity skills, both hard skills that we learn as cybersecurity professionals and softer skills that we teach to the rest of the organization, are perishable and can become stale if we are not constantly learning and practicing. Doing so improves productivity, reduces the impact and likelihood of a cybersecurity incident, and boosts employee confidence and morale.
Humans are usually the weakest link in your organization's cybersecurity defenses. We can no more go around blaming employees for not noticing a business email compromise attempt or recognizing a threat actor moving laterally throughout the network than a neurosurgeon can blame us for not knowing how to remove a brain tumor. Most employees understand the importance of cybersecurity, regardless of their role, and appreciate the organization's effort to maintain cyber vigilance. Continuing to put in the effort to train employees up-front will help combat issues in the future.
Cybersecurity professionals have a hard time staying abreast of the latest tactics, techniques, and procedures that attackers use, much less the rest of IT and then the rest of the organization. It is crucial that you, as leaders, emphasize the importance of training and outline the appropriate actions employees should take to recognize and react to potential cyber incidents. All employees must realize how important it is to remain knowledgeable and diligent when maintaining the confidentiality, integrity, availability, and sometimes safety of their organization's data and people.
In the Application section of this chapter, we will walk through building a business case for role-based cybersecurity training for the entire workforce.
Diversity of Thought
There is an entire budding movement and industry around diversity, equity, and inclusion (DEI) in technology fields. We do not claim to be DEI experts, but we can certainly agree that there is a DEI gap in our industry, and it must be acknowledged. Neither of us has robust experience within this area, so we will not virtue signal by claiming that you should take some sort of action that we ourselves have not lived and breathed. Books such as Athena Rising: How and Why Men Should Mentor Women by W. Brad Johnson and David Smith, and I Think, You Think, We All Think Differently: Leadership Skills for Millennials & Gen Z by Greg Buschman approach the DEI issue from a perspective of allyship, the ability to acknowledge differences and to promote those differences from the perspective of inclusion versus the perspective of “yeah, but.” Karen Worstell, former CISO for companies such as Microsoft and AT&T Wireless, is doing some excellent work in promoting diversity and allyship in her podcast series, MOJO Maker for Women in Tech Podcast. Other incredible individuals, like Naomi Buckwalter and Tazin Khan Norelius, have written extensively on LinkedIn about DEI and have formed nonprofits around the importance of diversity efforts in technology and cybersecurity (www.cybersecuritygatebreakers.org and www.cybercollective.org, respectively).
We are writing this book in 2020–2021, just as the global COVID-19 pandemic escalated, eased up, and started escalating again due to the delta variant. Some things as innocuous as perspectives on going to a party or going back to the office have become extremely polarized. The debates around DEI are exponentially heated. While we are not going to claim we have the answers to these challenging questions, we understand that it is critically important to respect the diversity of thought. Even boards of directors are striving to incorporate more diversity by intentionally trying to fill vacancies outside of their networks. The State of California even enacted a law, effective January 1, 2020, that all locally headquartered publicly traded companies must have at least one female director by 2020.13 Diversity is not achieved strictly through gender equality, but it is at least a start.
However, diversity of thought is something we have both strived to build in teams that we have led, so we will focus on diversity in that context in this section. It is vital that the demographics within our teams more closely reflect the demographics in society. Many organizations benchmark their DEI efforts around gender, age, and ethnic diversity. Women and minorities are more prevalent in the workplace today than ever before in our society. We outlined the multigenerational nature of our workforce in a prior section of this chapter. A diverse team brings diverse perspectives to the table. There is always more than one way to tackle a problem, and your way may not be the best. Diversity in brainstorming solutions to problems as complex as gathering cyber intelligence or tracking an attacker's actions is critical in staying ahead of today's threats.
Each of us has cognitive biases. A cognitive bias is a systematic error in thinking that occurs when people are processing and interpreting information in the world around them. Cognitive biases affect the decisions and judgments we make.12 As cybersecurity professionals, we are processing information all day, every day – none more so than our security analysts working the front lines, who are required to make quick decisions while immersed in a deluge of security data, logs, and alerts. We briefly touched upon cognitive bias in Chapter 3 – Business Decisions in the context of decision processes and widening your options, but let's dive into more specifics and investigate how each type of cognitive bias appears in our daily cybersecurity lives. There are 13 primary cognitive biases that we should all be aware of and understand where they may creep up in our jobs (see Table 11.2).14 I have been guilty of every one of these biases at some point in my career.
Bringing together people with multiple backgrounds and life experiences to build your cybersecurity teams and providing the psychological safety that we discussed with enabling crucial conversations in Chapter 8: Communication – You Do It Every Day (Or Do You?) leads to many benefits, including:
· Minimized impact of the biases listed above
· Increased candor
· Encouraged debate of different ideas
· Minimized groupthink
· Safe risk-taking
· Improved decision-making capabilities of the team
TABLE 11.2 Cognitive Bias in Cybersecurity

| Cognitive Bias | Definition | When it may be found in Cybersecurity |
|---|---|---|
| Correspondence Bias | The tendency to draw conclusions about someone's personality based on their behaviors, even when the given situation can explain these behaviors. In other words, when we see someone behaving in a certain way, we think it is because they are “just that kind of person” instead of taking into account the factors behind why they are exhibiting such behaviors. | Conclusion: “Our offshore SOC analysts cannot think beyond the checklist-style playbooks we provide. This is always the case when we deal with individuals from that country!” |
| Unconscious Bias | An inherent assignment of positive or negative traits to a person or group. | “Millennials are lazy.” or “Boomers can't keep up.” (see Managing a Multigenerational Workforce) |
| Priming Bias | The tendency to be influenced by what someone else has said, creating a preconceived idea. | Security analyst 1: “Our crappy webserver crashed again. What a joke! It happens every time it gets a little busy!” |
| Confirmation Bias | The tendency to search for or interpret information in a way that confirms your preconceptions, or to discredit information that does not support your views. | Leaning too much on past root causes and experience when troubleshooting a connectivity issue and not considering other possible root causes. |
| Affinity Bias | The tendency to be favorably biased toward people like ourselves. | Leaning toward hiring someone with a similar background to you. |
| Self-Serving Bias | The tendency to claim more responsibility for successes than failures, or to evaluate ambiguous information in a way beneficial to your interests. | Individuals who take all of the credit when things go well, or none of the blame when things go sideways. “Spinning” information to side with your point of view or stance. |
| Belief Bias | Allowing your belief in the premise of an argument to bias your evaluation of the strength of the argument's logic. | You believe that your organization should invest in detective vs. preventative security measures. You hear at a conference, “It's not if, but when, your organization will suffer a breach.” You interpret that statement to mean that no matter what measures are used to prevent a breach, they are futile, and all efforts should be focused on detecting a breach, while ignoring any premise that preventative measures can help minimize the impact of a breach should it occur. |
| Framing | Making decisions based on the way information is presented instead of merely evaluating the facts themselves. | Promoting framing bias is the job of just about every marketer (in this case, cybersecurity marketer) that exists. |
| Hindsight Bias | “Hindsight is 20/20.” The tendency to see past events as predictable, although they were likely not predictable when the event occurred. | “I knew the incident was caused by a zero-day attack against the SMB protocol.” |
| Embodied Cognition | A tendency to make conclusions and decisions based on the biological state of the body. | All of us are guilty (especially this author) of passing judgment or snapping at someone when we are not feeling well or have not had enough coffee. |
| Anchoring | The tendency to focus too much on an initial piece of information for subsequent decisions. It is the inability to pivot from an initial impression as new information presents itself. | Missing a multi-vectored attack by focusing too much on the first attack. A classic example is focusing on a DDoS while ignoring or missing the mass exfiltration of data occurring while the attack has the team distracted. |
| Status Quo | The tendency to select an option because it is the default option or less likely to cause friction. | Not pointing out an affinity bias to your manager because you feel you are in a weak position to do so. |
| Overconfidence | Trusting your ability to make correct decisions too much and overrating your skills as a decision-maker. | Employees who do not understand the full impact of cyber risks to the organization yet are overconfident in their own understanding and their ability to make cyber risk treatment decisions. |
Application
Earlier in this chapter, we promised to build a business case for training up your cybersecurity workforce instead of suffering the consequences of employee turnover, even during a down market. Let's examine a general use case of a cybersecurity architect making around $150K per year. We will use a simple cost-benefit analysis that accounts for both quantitative and qualitative costs. The cost, in this case, is the cost of employee turnover; the benefit is the cost of training. We want the benefit to be a savings to the organization, so we expect the dollar value of the benefit (training) to be less than the dollar value of the cost (turnover) (see Table 11.3).
Based on this simple analysis, no CFO on the planet would disagree that investing $25,780 to save $280,780 over two years is a good investment. There are other intangible benefits to consider, such as the loss of institutional knowledge when an employee departs, which we tried to capture in “Lost Productivity.” Positive cash flow might be tight in your organization, which may still lead to a “no” for training. Again, understanding business context is key.
Assumptions and Risks
This business case rests on several assumptions and carries several risks, listed below. As with any business case, you may identify other issues or factors to address as you learn more:
· Salary: For this simple case, we assume that the departing employee and the new employee make the same salary of $150,000/year.
· Hiring and onboarding: In my last role, the cost to post a job, advertise, interview, screen, and hire candidates was about 20% of their annual salary. The cost to train them once they were onboarded so that they were self-sufficient was an additional 30% of their salary when we account for their salary and lost productivity from one or more other employees on the team due to the “new employee tax.”
TABLE 11.3 Cost-Benefit Analysis of Employee Training

| EMPLOYEE TURNOVER (COSTS) | YEAR 1 | YEAR 2 | TOTAL |
|---|---|---|---|
| NON-RECURRING COSTS | | | |
| Job Posting, Advertising, Interviewing, Screening, Hiring | $ 30,000 | | $ 30,000 |
| Onboarding & Initial Training | $ 50,000 | | $ 50,000 |
| TOTAL NON-RECURRING COSTS | $ 80,000 | $ - | $ 80,000 |
| RECURRING COSTS | | | |
| Lost productivity | $ 75,000 | $ 25,000 | $100,000 |
| Lost employee engagement (high turnover disengaging other employees – assuming one other employee leaves) | $ 50,000 | $ 25,000 | $ 75,000 |
| Training costs (training invested in departing employee) | $ 12,890 | $ 12,890 | $ 25,780 |
| TOTAL RECURRING COSTS | $137,890 | $ 62,890 | $200,780 |
| TOTAL COSTS | $217,890 | $ 62,890 | $280,780 |

| TRAINING (BENEFITS) | YEAR 1 | YEAR 2 | TOTAL |
|---|---|---|---|
| COST OF TRAINING | | | |
| Training | $ 7,500 | $ 7,500 | $ 15,000 |
| Travel/Hotel | $ 2,000 | $ 2,000 | $ 4,000 |
| Food | $ 500 | $ 500 | $ 1,000 |
| Loss of productivity from 1 week of training | $ 2,890 | $ 2,890 | $ 5,780 |
| TOTAL TRAINING COSTS | $ 12,890 | $ 12,890 | $ 25,780 |
· Lost productivity: Per Deloitte, a new employee may take one to two years to reach the productivity of an existing employee. This fact is more evident in highly skilled roles such as a cybersecurity architect.15
· Training Costs: I have strived to invest 5% to 10% of the employee's salary on training every year before travel, lodging, and food.
· Market Conditions: It is important to consider market conditions. While on paper, investing in training seems like a no-brainer, a cash-strapped organization during a downturn in the market may decide to hold on to cash to ensure it survives. Cash is king!
Key Insights
· Leverage tools, such as the Kolbe A/B/C Indices, The CliftonStrengths Assessment (StrengthsFinder 2.0), LPI: Leadership Practices Inventory, and Myers-Briggs to identify your strengths and the strengths of the individuals of your team. Use this knowledge to effectively connect your team's work to individual strengths.
· Organizations must engage all generations when establishing and maintaining security culture. Here are some best practices when engaging your multigenerational workforce:
· Ensure your security champions are diverse, including in age.
· Solicit feedback from your security champions frequently surrounding their views on cybersecurity.
· Be the “Department of How” vs. the “Department of No” by ensuring business adaptability, flexibility, and productivity are foundational to your security strategy.
· Almost everyone hates compliance-based security training, so strive to make security awareness fun for all generations through gamification and small prizes.
· Understand how to identify the 13 types of cognitive biases, and check whether any of them creep into your hiring and management practices.
· Evaluate your leadership style. Do you include and treat individuals fairly no matter your personal like or dislike towards them?
· Ask yourself if your team welcomes and listens to differences of opinion. Do they evaluate new information as it comes in, whether or not it aligns with a previous decision or the status quo?
Notes
1. Ratanjee, V., “Why Managers Need Leadership Development Too,” January 15, 2021. Accessed March 20, 2021. https://www.gallup.com/workplace/328460/why-managers-need-leadership-development.aspx.
2. Definition of Human Capital Management (HCM), Gartner Information Technology Glossary. Accessed March 16, 2021. https://www.gartner.com/en/information-technology/glossary/hcm-human-capital-management.
3. Sorenson, S., “How Employees' Strengths Make Your Company Stronger.” Accessed March 20, 2021. https://www.gallup.com/workplace/231605/employees-strengths-company-stronger.aspx.
4. Gallup, “The History of CliftonStrengths.” Accessed April 3, 2021. https://www.gallup.com/cliftonstrengths/en/253754/history-cliftonstrengths.aspx.
5. Kouzes, J.M., and Posner, B.Z., The Leadership Challenge: How to Make Extraordinary Things Happen in Organizations, 6th ed., John Wiley & Sons, 2017.
6. Myers-Briggs, Type and Cyber-Security: A Research Study from the Myers-Briggs Company, 2019.
7. (ISC)², Cybersecurity Workforce Study, 2020: Cybersecurity Professionals Stand Up to a Pandemic, 2020.
8. Statista, “Employment Worldwide by 2020, by Generation,” December 31, 2016. Accessed April 8, 2021. https://www.statista.com/statistics/829705/global-employment-by-generation/.
9. Purdue Global, “Generational Differences in the Workplace Content.” Accessed April 8, 2021. https://www.purdueglobal.edu/education-partnerships/generational-workforce-differences-infographic/.
10. NTT Ltd., Meeting the Expectations of a New Generation: How the Under 30s Expect New Approaches to Cybersecurity, 2019.
11. Oltsik, J., The Life and Times of Cybersecurity Professionals. https://www.esg-global.com/research/esg-research-report-the-life-and-times-of-cybersecurity-professionals-2020.
12. Cherry, K., “What Is Cognitive Bias?” Accessed April 19, 2021. https://www.verywellmind.com/what-is-a-cognitive-bias-2794963.
13. Creary, S.J., McDonnell, M-H., Ghai, S., and Scruggs, J., “When and Why Diversity Improves Your Board's Performance,” Harvard Business Review, March 27, 2019. Accessed July 14, 2021. https://hbr.org/2019/03/when-and-why-diversity-improves-your-boards-performance.
14. Wikipedia, “Cognitive Bias.” Accessed April 19, 2021. https://en.wikipedia.org/wiki/Cognitive_bias.
15. “Employee Retention Now a Big Issue: Why the Tide Has Turned.” Accessed April 21, 2021. https://www.linkedin.com/pulse/20130816200159-131079-employee-retention-now-a-big-issue-why-the-tide-has-turned/2021.