All too often, I hear colleagues wax poetic on the disdain their directors and managers have towards the mission of cyber security. I'm always eager to provide some sage couples counseling wisdom toward these difficult relationships between CISOs and their colleagues.
1. Designate FUD as your Friend rather than Adversary
Someone once said that Fear, Uncertainty, and Doubt (FUD) will get you, at best, one to two weeks of hypervigilance and funding until the fizz goes out of the soda pop. To change culture, you need to make things happen differently. Acceptance of a new culture and aligning its features into that which already exists sometimes requires the act of befriending fear. The average human response toward whether one accepts change is "loss aversion," where there is a willingness to lose rather than accept change. The excitement of FUD should be embraced. To accommodate this, communicate with the company in all settings on the latest and greatest trivial items of cyber and how intriguing it is.
2. Laugh Out Loud
Cyber security is a fun realm to work within. When the dark clouds approach, you should be able to laugh at yourself and your situation. Cyber security is not for the weak at heart nor for those with an unending yearning for appreciation. If you don't like your job, then you will dread doing it. You get one life; get busy living it and laugh with the challenges.
3. Create, Don't Wait
Imagine what your new company security-minded culture should look like and do it. Educate yourself on how to get there, surround yourself with cyber security optimists, then dive in head first with a renewed vigor and enthusiasm not seen by many. Surprise yourself with your creativity in educating the workforce. With today's connected world, there is very little room to make excuses about why you were not able to convey a message.
4. Focus on the Reason not the Excuse
Focus your conversations with employees on why you want to be the top in cyber security rather than on the excuses about why it is so hard to do. Get specific and include emotional and energetic reasons: "For me, it is personal. Privacy is the what and cyber security is the how."
5. Turn But into And
It's not This or That. It is This and That. The importance and priorities should not dictate that your sole focus and strategy should be affixed to only one thing. Make cyber security one of the several key strategies in your company. Compliance, industry standard, company reputation, efficiency and practice, and many other value adds are key success drivers for every company that relies upon data integrity.
6. Play to Win or Don't Keep Score
Too many are in the CYA business rather than the FTW marathon. See the dreams and go for them; don't see the demons to hide from them. There are so many reasons to be the best with information assurance and information security. You can either be concerned with the adversarial aspects or the creation of solutions. Either way, you will find what you are looking for.
7. Cyber is Your Friend; Build the Relationship
Appreciate your friendship with cyber security. Share it with others. Introduce your friend often. Tell stories about how good your friend is. Be glad when your friend becomes very popular.
8. Change from Pro to Novice
A quick way to shut down a conversation is to say, "I know this (already)." That is not very appealing. Instead, try, "Tell me more" or, "This is good information, I want to learn." Sometimes, instead of throwing up walls by being the expert you may find that admitting you have a problem is the first step to enlightenment.
9. Love Your Risks for the Mitigating Controls They Bring
Learn to appreciate your gaps, threats, and vulnerabilities. Your thankfulness for these risks will foster your patience for designing the controls that can address them. Risks are a gift—embrace them.
10. Be True to Yourself
Give your colleagues credit but always get it in writing. Never assume everyone understands, so ensure they do and document everyone's training at least annually. Most importantly, seek critiques, criticisms, and comments at all possible opportunities.
Your love for cyber security will be much more productive as you make mistakes and grow.