5 Fundamental Cultural Qualities Behind a Powerful Cybersecurity Punch
I’ve taken a close look at the present state of cybersecurity teams, and, frankly, it’s not a cheery sight.
When asked, every chief information security officer (CISO) and senior-level security leader said that the current threat landscape is getting worse, according to research Censys published this year, The 2023 State of Security Leadership. Attacks are also increasing; 93 percent say their organization has suffered from at least one attack that caused material damage during the last year, with 53 percent indicating that the organization experienced this between two and five times within the past year. Two-thirds of leaders are concerned about the lack of resources they have dedicated to meeting their cyber defense requirements. This leads to stress, with leaders knowing that attackers do not have to struggle with the same talent and budget constraints that defenders face.
CISOs have recently been held liable for breaches—such as the SolarWinds CISO, one of the executives currently being investigated by the U.S. Securities and Exchange Commission (SEC) for his actions around the 2020 breach—so it should come as no surprise then that 60 percent of these leaders are concerned about the mental and physical health and burnout potential of their staff members.
A recent Devo Survey conducted by Wakefield Research determined that the majority of surveyed IT security professionals said that mental and physical stress has led to errors that cause data breaches. A total of 83 percent of respondents said that burnout experienced by either themselves or someone in their department has led at least once to an error causing a security breach. Meanwhile, 62 percent of CISOs are concerned about their own mental and physical health/burnout potential.
This makes it crucial for leaders to have trust amongst the team, have the team trust its leader, and remember that attackers are the enemy. If employees feel as if they cannot trust their leaders for support when dealing with high stress or feeling burned out, that stress is likely to amplify and lead to more or greater mistakes, or the employee may leave the team or organization.
To help accomplish a greater sense of trust and support under such stressful circumstances, managers need to consider and embrace an inverted style of leadership. Putting employees first and cultivating healthy corporate environments will help ease the tightly stretched muscle that is the cybersecurity field, keeping teams fully operational.
It’s clear that culture drives positive morale and, in turn, encourages optimal performance. This starts with our leaders and managers, who can take a page from legendary Duke University and U.S. Olympics basketball coach, Mike Krzyzewski. Krzyzewski believed that there are five fundamental qualities of a winning team.
“I like to think of each as a separate finger on the fist,” Krzyzewski wrote in Leading with the Heart. “Any one individually is important. But all of them together are unbeatable.”
I like to think that Krzyzewski’s five qualities can help security teams achieve optimal performance and job satisfaction.
Security professionals can burn out when they feel like they are on a perpetual treadmill operating at high speed—sprinting in place to keep up with alerts. Security teams may eventually conclude that they are trapped in an eternal Sisyphean struggle, one that doesn’t initially seem to be worth the immense stress. That’s when thoughts of quitting begin to surface.
To counter this, leaders must inspire teammates by connecting their daily tasks and routines to tangible, positive outcomes that advance the company’s strategic goals. More than two out of five Censys survey participants said they are now prioritizing the alignment of their team with the organization’s business needs and concerns, and that sounds like a good start.
In a landscape consistently saturated with new threats and vulnerabilities, how can someone distinguish what is false from what is real? Alert overload will cripple a team’s ability to trust anything. To achieve true clarity, teammates need to see and understand the entire attack surface, something that 53 percent of leaders are prioritizing, according to our research.
For any organization, this level of awareness or visibility begins and ends with data. Data serves as the foundation of the attack surface, and it’s what attackers are after. To gain total trust, teams must take command of their data by identifying where it came from, what it’s used for, and who owns it.
Security professionals have individual roles—but, again, they must appreciate how those roles contribute to the team, and then how the team contributes to the entire organization.
Collective responsibility is all about taking accountability for your success. When assessing results and considering how to encourage necessary changes, it is important to take a self-inventory before looking outside of the company. This is why I start every sales kick-off by encouraging my team members to look at themselves with a mirror I provide and ask themselves, “What are we doing well? What do we need to be doing differently?”
This element helps leaders foster an environment where their teams can collaborate and get fired up about accomplishing objectives. If customers are successful, the team will be successful. Leaders must remember that an organization cannot achieve its goals without team members amped to be part of the company and its mission. As decisions are made, don’t forget about the impact on the customers, the business, and the team.
Through the recognition of joint accountability, individual members can provide any additional support, organization, or insights necessary to ensure the whole team is working effectively. This not only leads to an encouraging environment but also opens the door for greater ownership, communication, and collaboration towards the end goal: to better serve and support customers.
Caring and Pride
If CISOs and security leaders successfully implement the first three “fingers” of Krzyzewski's analogy, then these last two should organically take root and develop within the fabric of an enriched workplace culture. When employees recognize how their duties fit into and support the goals of both a strategic department and overall organization, the workforce will care more about what they do and take pride in the work.
In addition to positive employee behavior, leaders can proactively address any indicators of mental health or burnout. Find out what factors contribute most to this state and then tackle the problem areas in a meaningful way. Engage employees to learn more about their passions and interests—and make sure they have the time outside of work to pursue them. Emphasize that these conversations are just as important as discussions about the latest threats. By humanizing these exchanges, team members will feel more comfortable about being transparent in the workplace.
Krzyzewski intentionally uses the word “fist” instead of “hand” to describe what the five fingers create when they work seamlessly together, and how much more powerful they can become as a result. For cybersecurity teams, the fist makes for a powerful punch fueled by greater communication, support, ownership and, yes, even empathy. Teams that are well-prepared with renewed confidence and pride boosting their collective strength can pummel any threat that emerges.
Sarah Ashburn is the chief revenue officer for Censys, an intelligence platform focused on threat hunting and exposure management.