“Can you sleep at night?” our CEO recently asked me.
Probably not an unfamiliar question for most cybersecurity leaders.
“Yes – yes, I can,” I replied.
And it is true. I have amazing management support and a diligent team – both of whom have worked to instill a strong security culture throughout the organization.
But I continued my response by saying, “We can sleep at night, but we cannot rest.”
When I said this, I did not mean to imply accepting burnout-inducing stress levels or overwork – but adopting a mindset of continuous learning, improvement, and testing.
I remember recruiting for an analyst position recently. We had several compelling candidates – both internal and external – but in the end, the successful candidate did not have a professional cybersecurity background.
After they joined and exceeded all expectations, I told them, “I could tell right away you were about that cybersecurity life.”
What I meant by this can best be described by the mantra of our team – Momentum is the Enemy – and this candidate embodied it.
They were curious, asked probing, sometimes uncomfortable questions, independently learned new skills, and stayed current on cybersecurity threats.
My personal advice – don’t over-index on experience; find candidates like this. You can teach most people how to use any tool – but you can’t teach this mindset.
But to build this culture in a team, you should focus on these core attributes:
- Continuous Learning – at every meeting we celebrate any new skills or learning accomplishments team members have achieved. We ask about any new risks or threats on their minds. I also agreed to buy lunch for a monthly open technology / cybersecurity discussion about any topic, as long as it is NOT related to something we are already working on or have on our radar.
- Continuous Improvement – we have implemented scrum meetings where the team sets and reports on incremental goals for that week to improve our tooling or cybersecurity risk posture. We also insist that perfect should NOT be the enemy of just a little bit better. Start a process that lowers risk a little and keep improving it – you will be amazed over time how far you have come.
- Continuous Testing – I am a true believer in Breach and Attack Simulation and continuous pen-testing platforms. But we also consistently reassess our governance frameworks. Have you achieved a target metric? Aim higher, or adopt new frameworks / targets for a different perspective and to uncover any blind spots, assumptions, or control weaknesses.
The reality is that we are all heading toward some incident in the future. Our true goal is to detect, contain, minimize, and recover with as little harm as possible.
To be able to sleep with that reality hanging over us, we really need to be active leaders when we are awake.