“Part of the CISO role is to be looking toward the future and seeing past the current hot news or operational health dashboard. Solving today’s issues will not help you a year from now. You must be very good at solving today’s reactive challenges along with taking the time to prepare and predict for what is coming in the future.” Walt Czerminski – CISO
Every month, Fortify Experts holds CISO Round Tables discussing the latest trends and topics. Recently, we discussed how these successful security leaders have been able to create higher-performing security teams. Here is a summary of their top tips or suggestions on how to Create a Higher Performing Security Teams.
- Measure Success Through Business-Focused Metrics
Chief Information Security Officers (CISO) are often technical experts and can be easily enamored by technology. The allure of the latest sexy visual dashboard or newest analytics can be a draw for the sake of being cool technology. However, it may not solve relevant business issues facing the unique business challenges that the security team is there to serve.
Therefore, the security leaders we interviewed recommended starting by understanding the business strategy. By partnering with each Business Unit (BU), leaders can begin to develop how their security program can enable the BU not disable them. Several leaders suggested that a robust security program could even become a competitive advantage for each BU. The program might be able to win the trust with new customers or offer enhanced security solutions to existing customers.
Several security leaders discussed how implementing the NIST cybersecurity framework allowed their BUs to promote this additional level of data security as a competitive advantage. With all the news about 3rd party data breaches, applying additional levels of security and controls could attract more business.
Although proven and thoroughly tested, NIST is not the only framework to leverage. Depending on the industry, other security frameworks have specific expanded controls such as CIAQ cloud security assessment, S2-Scored Risk Assessment, Cybersecurity Maturity Model, or a whole host of other financial industry standards. Some of these may be required within that industry or they could provide a competitive advantage even if they are not required.
Synergize the security program’s mission with the broader vision and mission of the business.
Different BU may place a higher level of importance on remote access, systems sustainability, elevating technical competency, data privacy, cloud technologies, product security, compliance, or even insider threats. Therefore, understanding their independent risk profile is essential to begin defining specific goals and baseline security controls for each BU.
While many of these attributes will be common across BUs, the attention to specific BU goals can be leveraged to provide the financial support and resources to ensure those goals and metrics are achieved.
Then develop appropriate metrics in concert with the BUs to measure progress against those goals. “How to Measure Anything,” by Doug Hubbert, is a suggested read to help quantify risks and turn business goals into quantifiable metrics.
To hold all parties accountable, those metrics should be available to everyone – the security team, the business units, and the executive board.
With a clear data-driven vision, the security team and business can get behind a unified mission and purpose to help improve the security posture across the organization. Managing through metrics provides clarity on what is currently being accomplished and how much progress has been accomplished over time.
- Make it Personal
With over 90% of cyber attacks still coming in through employees’ devices, successful security leaders often discuss how creating a security-focused corporate culture can be more impactful than developing the most complete strategy, deploying the latest sophisticated AI technology, or even having the highest performing security team.
Security strategies often fail when the business culture does not support them or see the intrinsic value of the strategy. However, by creating an army of cyber-vigilant employees who are deputized to help the security team perform, the program as a whole will be more effective.
Culture Trumps Strategy Every Time.
Start at home. One method of creating an effective business-focused security culture is to make it personal. First, raise personal awareness of the dangers and risks of not being digitally safe at home. Then, teach the employees how to protect themselves and their families at home. Since, work is now at home for many people, raising personal safety awareness at home will more naturally raise employees’ safety awareness at work.
Personal Security Assessments. More firms are now requiring employees to complete safety awareness training before they are allowed to work from home. One such free tool is the www.s2me.com security assessment which walks individuals through the risks associated with connected devices such as routers, mobile devices, connected TVs and appliances, etc. It also gauges employees’ current security practices such as password use and storage, backups, and data recovery capabilities.
This assessment helps them evaluate how secure their personal practices are, how secure their network is, how it could be compromised, and where vulnerabilities may be introduced into their systems. The assessment provides an objective score and recommendations on how to improve their security score. In addition, the S2 tool monitors the user’s email for them and will notify them when it shows up in possible breach reports.
S2 also has a corporate version called S2Teams which allows companies to send out these assessments to employees and then anonymously aggregate results back to the security team to help them understand where security training is needed the most.
Some employers are also providing employees with tools such as password managers like LastPass so they can more securely manage their personal and business passwords.
Take it to the Office. ExxonMobil went as far as creating internal infomercials showing a character called, “One Click” which took a humorous approach to show how one wrong click could take down the whole company and bring the wrath of his co-workers down upon him.
Provide a carrot and a stick. Many firms have deployed email phishing training tools such as PhishMe (Confense.com) or KnowBe4.com which is more of an entire security training platform. Companies can provide a carrot to employees by rewarding them for reporting phishing attacks, or by not being fooled by them. Conversely, for employees who are not diligent and careful, the company can provide additional training or even disciplinary actions including termination if the employees continue to be digitally careless.
Create Security Evangelists. Some security leaders engaged business users and taught them how to test for vulnerabilities within their own systems. This raised their security awareness level and helped them become security evangelists within their business units.
By engaging all employees to protect their own personal digital assets, it will translate to protecting the company’s digital assets. Building a security culture mindset of “See something, say something” helps the business users become part of the solution and not part of the problem.
- Teach the Team How to Fail Forward
Make it Ok to fail. Face it, we will fail at protecting all of our data.
Bad guys are better resourced than we are, so we will always be playing catch up.
At some point, no matter how good we are, someone will click on the wrong link, data will get shared without our permission, and most likely our passwords will get exposed by one of the hundreds or thousands of technology firms we use every day to conduct our digital lives.
Security leaders need to communicate to the team, to the business, and to the board that failure is part of the process. Success will follow failures. Great leaders don’t focus on those failures. They learn from them. Leaders tell us, it is more important to be consistent in your approach and doing the next right thing to drive long-term results.
An example of how to turn failures into success is how one becomes good at a video game. There are no user instructions on how to play a new game such as Mario Bros, Fortnite, Call of Duty, Overwatch or most other video games. So how do you become good at these games? You die a lot! You learn from each failure and you keep trying new things until you make it further in the game.
Since things do not always go right on a security team, leaders need to create an environment where employees know that they will be protected if the team experiences a failure or breach.
Communicate that “We all make mistakes” and admit when you mess up as well. When a leader shows a high degree of vulnerability, it sets the example of how the team needs to respond when they mess up. Being authentic creates the space for people to approach you when they recognize their own failures instead of hiding them.
Due to the sting of a failure, we often learn more from our failures more than we do from our successes.
As hard as it may be, displaying a normalized reaction, even during failures or stressful times, can reassure employees. Great security leaders encourage their employees to keep trying new things. If they are not occasionally failing, then they are likely not pushing themselves enough.
- Empower Your Team by Creating Psychological Safety
Highly effective security leaders create a culture that encourages employees to think for themselves. Much like creating a safe place to fail, creating a psychologically safe work culture helps empower employees so they can accomplish what is needed to be done without constant oversight.
Employees need to be empowered in their own area of responsibility so they can take ownership of that specialty. We don’t want robotic employees. The goal is to build employee’s confidence so they make better decisions on their own.
One leader suggested that if an employee asks, “What should I do in this situation?” Put it back on them, “What would you do if you were in my shoes?” Even if the answer is not exactly what you would do, if it is acceptable enough, then let them do it. This will help build an employee’s confidence, trust, and better decision-making.
In a culture where there are public criticisms, employees will avoid stepping out of their comfort zone and only do what they are told. They will be less willing to offer up creative solutions which could lead to better ways to evaluate data or streamline processes for fear of criticism.
When giving feedback, criticize in private, praise in public.
By sharing what you can with the team on the challenges you face as a leader, it can help them buy into more ownership in the solution. While it is not a democracy, often encouraging collaboration will provide fresh ideas and let the team feel more empowered.
One leader encouraged his security team time to take several hours a month to work on creative pet projects which could be useful to the firm. More often than not, those projects would be implemented. Whether it is 2 hours per week or 2 hours per month, it could pay off in dividends.
By creating a psychologically safe culture that encourages employees to exercise their creative side, they get the opportunity to feel important by becoming part of the solution. This encourages them to continue to become more independent and think more creatively.
- Establish Robust and Routine Training
To keep up with the constantly changing threat landscape, every security team needs to be constantly learning and adapting. Leaders need to be able to evaluate a team’s current strengths and weaknesses both individually and holistically.
Several security leaders suggested creating fundamental blocks of training, where everybody takes the same baseline training when they join the team to provide some level setting. Then build role-based tracks with more specialized training for specific roles.
In addition, understanding an individual’s career interests and goals will help you map additional training to foster their growth and long-term job satisfaction.
Here are several good tools for skills assessment, training, and suggested career path options:
- https://www.sans.org/assessments/security-essentials
- https://fedvte.usalearning.gov/
- https://www.cybrary.it/
- https://www.cyberseek.org/pathway.html
One of the best-known security training organizations is SANS (www.sans.org), but it is expensive and can be like drinking from a fire hose.
Here are some other examples of inexpensive or even free training:
- Black Hill Information Security Team(blackhillsinfosec.com) – They offer a “Pay what you can” model and provide good entry-level training.
- Find other industry professionals who are willing to share their case studies to expose your team to real-world examples.
- Focus on cross-training team members to ensure there is more breath of experience across the team.
- Invite vendors in for lunch and learn sessions.
- Encourage your team to join and participate in security focused organizations such as ISSA, ISACA, InfraGard, CSA, etc.
- Allow the time to attend conferences (in person & on-line) for education.
One leader requires his employees to block out time on their calendars every week so they can dedicate it to reading and continued education. Especially in cybersecurity, training increases job performance and satisfaction, plus reduces attrition because employees are stimulated intellectually and feel valued.
- Create Mentorships Inside and Outside of Security
One highly-effective technique to accelerate competency is to create formal mentorships between junior resources and more senior resources within the security team. Training fades within a few weeks so it is better to pair someone up with a mentor to help apply the training in real-world scenarios. The senior resource is held accountable to answer any and all questions, and to raise the level of competency of the junior resource.
Mentoring provides a growth opportunity for both parties.
As cybersecurity becomes more of a business-focused problem instead of a technical problem, improving soft skills is essential to the success of the team. Soft skills will also drive more employee advancement up through the ranks.
Mentoring helps senior resources develop communication, teaching, and leadership skills. It also helps reduce the egos of these more knowledgeable employees which leads to a more inclusive work environment.
Another effective technique used by successful security leaders is to partner up team members with mentors from other departments. This accomplishes multiple goals.
- It gives them a coaching advocate outside of the security team.
- It helps them work on their soft skills.
- It gives them the bigger picture of the company’s purpose, which in turn, helps them see the importance of their role.
- It allows the business person to learn more about the security teams’ mission and leads them to become more of a security advocate within the business.
Mentorships both inside and outside of the security team can accelerate employee growth and job satisfaction for both the mentor and the mentee.
- Show You Genuinely Care About Them
Security teams always experienced stress. After Covid hit, the stress level on most teams exploded. People, devices, and data went remote which had not been remote before. Most security teams had to put in overtime to catch up with securing, people, assets, and data.
Even though environments may have settled some, focusing on the mental health of employees is still critical. Being aware of an employees’ personal situation and tuning in to their level of stress will help you identify those who need additional emotional support or maybe even need time off to recharge. Engaging employees at the personal level can have long-term benefits by creating more loyal employees.
Some leaders schedule a weekly coffee check-ins or virtual happy hours to provide the opportunity to have informal conversations. This can give them the outlet they need to fulfill the absence of interpersonal relationships they miss by not being in the office.
Creating real relationships with employees drives loyalty, performance and tenure.
One leader takes remote walks with employees. She schedules a Facetime call with an employee and then they both go for a walk in their separate neighborhoods all while carrying on their check-in conversation.
Since employees were working overtime, one leader suggested employees take off 90 minutes per week during work hours to do something for themselves. Then on Friday they shared what they did. Another leader forbade meetings on Friday so everyone could focus on their own work.
A leader also described how he brought in various self-improvement coaches via Zoom to stimulate thoughts and mental improvements.
Creating space for employees to know they are valued and individually important to the team, allows them to recover faster when they are down, and thrive more when things are good.
- Raise Your Teams Emotional IQ
Security leaders are always studying and trying to anticipate the behaviors of threat actors.
Effective security leaders use that same skill to anticipate an employees’ needs, their unique motivators, what situations create stress for them, and how to optimize their work environment and assignments to maximize their performance.
There are several tools that can help reveal these nuances to accelerate a leaders’ understanding of how best to motivate his or her team.
One of the easiest ways to gain this insight is to conduct employee behavior assessments such as a Birkman Behavior and Occupational Assessment. A behavior assessment is much more in-depth than a standard personality test such as a Briggs-Myers, DISC, Predictive Index, etc. Those generally focus only on the outward personality people want you to see. The Birkman looks deeper into what motivates someone at their core, how they stress, why they have communication challenges with certain people, and what their occupational passions are.
Leaders can leverage this behavioral training by also using it to elevating the teams’ emotional IQ. Creating self-awareness often is the first step to self-improvement.
It also allows you to train employees to become more aware of the differences in how others approach situations creating a more inclusive and creative culture. Creating co-worker awareness helps the team appreciate these differences and even value them. The more in tune the team is with each other, the better they will communicate and work together.
Teams with higher emotional IQ seek out more diversity of thought because it makes the whole team stronger. This creates teams that are more diverse, inclusionary, creative, and productive.
Teams that understand that “diversity of thought” is a strength, thrive and produce more.
Fortify Experts has developed a shortcut to quickly accelerate the team’s emotional IQ by creating an Employee Operating Manual for each team member. This one page summary helps accelerate on-boarding, communication, productivity, and job satisfaction. It immediately allows managers and teammates to know them as if they have been working together for years and helps the team understand how to best work with the individual to create less conflicts and more productivity.
In Summary:
Thanks to the input of the security leaders who joined our CISO Forum which provided such insightful advice to on how to create a higher performing security team.
If you are a security leader and would like to participate in our monthly CISO Forums where we discuss valuable and actionable information as well as best practices and challenges, please register here.
About Tim Howard
Tim Howard is the founder of 4 technology firms including Fortify Experts which helps companies hire the Best Cyber Talent on the Planet as well as provides expert consulting and NIST based security assessments.
In addition, he has a passion for helping CISO’s develop Higher Performing Teams through coaching, by creating interactive CISO Forums and by helping them create highly-effective team cultures.
With each new hire, his firm produces an Employee Operating Manual to help clients understand how to motivate and maximize productivity while meeting the needs of each employee.
He also teamed up with Lyndrel Downs to launch Cybersecurity DIVAS to help promote the most influential women in cybersecurity and provide a mentoring program to help encourage and support more diversity within the industry.
Tim is married with 3 kids. He is an avid runner and has completed two IronMan Texas events. He is also a graduate of Texas A&M University.
Invite Tim to connect: www.linkedin.com/in/timhoward