Rational Cybersecurity at RSA: The Human Element
“We need to change our cyber security story from one of technical conflict – with business leaders on the sidelines – to one with users and the business as central characters.” As the author of the upcoming book Rational Cybersecurity for the Business, I found RSA CEO Rohit Ghai’s core conference message music to my ears. So what better time than now – as the human element finds its day in the sun – to kick off the first of a series of posts in which I plan to showcase more than 50 Keys to Business Alignment from the book.
Key #1 for Cybersecurity-Business Alignment
Rational Cybersecurity for the Business (announced here) takes care of the organizational alignment part of the Human Element. It provides more than 50 specific keys to alignment within the book’s six Priority Focus areas of Risk Management, Control Baseline, Security Culture, IT and Security Implication, Access Control, and Cyber-Resilience.
Are you a Security Leader?
What I heard at RSA again and again is that hackers are better organized than we are. That seems hard to believe with all the threat intelligence sharing, the ISACs, and other industry or government groups that security pros have set up to collaborate. Unfortunately, we’re not doing nearly as well at collaborating and organizing back home with the business.
Presentation after presentation at RSA bemoaned that “burnout is real” in our profession. Speakers cited the same statistics about CISO turnover and substance abuse, staff dissatisfaction, and staff shortages that I discovered while writing the book. But what can get lost in all this is that the business still looks to us for leadership on cybersecurity issues and in that expectation lies our opportunity.
“If you’re in the security business,” said Deirdre Diamond, Founder of CyberSN, at a Monday afternoon workshop on Personnel Management, “You’re a leader the minute you start a job at a company.”
How to Never Have a Talent Gap
In his presentation “I Believe, I Belong, and I Matter: Solving the Cyber Risk Talent Gap,” Malcolm Harkins asserts that he has never had a talent gap. It is a leadership gap, he claims, that is creating the skills shortage we experience in cybersecurity: “If the CEO says security is important but then compromises on it, what sort of message does that send to the CISO? If the CISO is leaving and disengaged from his or her own role, what sort of message does that send to the team? It is almost as if the CISO has TWO battlefields: the threat landscape and then corporate budgets, bureaucracies, and behavior.”
But before getting too stirred up about our issues with the business, we must remember that there are two sides to any relationship. Just ask: What did we do to create this? Were we the Doctor of No? Did we play the FUD card one too many times? Did we talk at too technical a level? Or did we retreat into silence or passive-aggressive behavior? Only you can know to what extent you may have created part of the business challenge. Even if it is mostly not your fault, this is an important thought exercise to go through.
I strongly encourage anyone reading this blog to go on to the RSA conference site after the show and get a copy of Malcolm Harkins’ slides (or watch the video if it’s made available). I particularly like his Venn diagram of “I believe, I belong, and I matter” as the ideal situation. He even analyzes the interstices (or gaps) on the Venn diagram. For example, employees who feel they don’t matter, or who don’t believe, will lack hope. What the manager needs to do is give these employees some small wins so that they can rebuild a sense of purpose.
Harkins’ Bottom Line: “I don’t want staff burned out, but I want them committed. If they believe, belong, and matter I won’t have a talent shortage.”
The Organizational Element
Rational Cybersecurity for the Business focuses on another aspect of the human element: How can we organize and manage cybersecurity alignment to the business? Alignment is both a human and an organizational concept. It incorporates some psychology and some politics, and requires a whole lot of know-how. Rational Cybersecurity for the Business provides highly specific and actionable alignment guidance. It not only offers communication tips and advice, but also works that advice into the six Priority Focus areas so vital for most organizations.
On Diverse Security Teams
In another positive trend, RSA 2020 focused heavily on the diversity angle of the human element. The content from the Personnel Management workshop and the Tuesday morning keynotes alone raised attendees’ awareness of the following topics:
- Creating diverse security teams expands the talent pool, helps engage with more diverse business or customer constituencies, and broadens the teams’ perspective.
- Diversity can be sought not just in the core gender, ethnicity, and age areas but also in social styles, industry experiences, and national, cultural, or academic backgrounds.
- The 80% unemployment level among neurodiverse individuals could be a missed opportunity to put a future Alan Turing or Albert Einstein on your team. How many of your application security specialists would enjoy spending 16 hours scrutinizing tens of thousands of lines of code for that extra semicolon?
- Building a more diverse team takes work to overcome unconscious biases, learning to work together, and being both less offensive and less prone to take offense (on all sides). We also need to pinpoint the areas where expanding diversity will most benefit specific teams in specific industries.
More good news for Rational Cybersecurity: all of the practices one learns over time from increasing diversity and improving the management of diverse teams will also enhance one’s ability to maintain collaborative relationships with diverse business leaders and teams. As one audience member at the show suggested: “I’ll hire EQ over IQ any day of the week.”
As Ghai said in his RSA keynote, we must reclaim the cybersecurity narrative and rethink culture. We need to engage the media to show that we have “winnability.” That’s not to say we will always win against the hackers. There will still be breaches. But if we can carry on the digital transformation while managing the risk in the process, then we have won. Hearkening back to his 2019 RSA keynote on “the time when we [almost] ran out of trust,” Ghai now envisions: “We can restore trust in technology by successfully managing cyber-risk.”
However, we need to do more than just “engage the media.” We must work in the trenches of our own security programs to align with the business and IT leaders, developers, and users across our organizations. Too many organizations still have disengaged business stakeholders, and such disengagement has a corrosive effect on any security project it touches.
Security leaders need actionable information on how to engage and align with all levels of business stakeholders. That’s why I wrote Rational Cybersecurity for the Business and made it available via Apress Open Access. Let’s start the open information flow now. What do you see as our most pressing business alignment issue and what are your stories? Please comment below or Contact Me.