“My budget screams they don’t get it!” the Fortune 500 Chief Information Security Officer (CISO) told me. She was confiding in me after a major cyber incident, and was referring to her company’s management committee. After several tireless yet fruitless years of campaigning for more cybersecurity funding to shore up defenses, the major incident she had feared had come to life.
Unfortunately, her exasperated remark is one I hear from a wide range of major companies. I spend much of my time advising executives on how to make headway in the face of organizational adversity. It makes sense why progress is hard; cybersecurity isn’t typically a revenue-generating function, and in a competitive world, the bottom line rules all. However, it surprises me what cyber leaders perceive as immovable roadblocks facing their cyber program: items such as insufficient internal headcount, a non-security-conscious company culture, and a security technology marketplace that’s still price-prohibitive. “If only the management committee would give me the resources I asked for, we could’ve quashed this attack,” that CISO told me. Is this true? I propose the answer isn’t so black and white.
People in cybersecurity leadership roles today serve an important function for their organization, and often for shareholders. When you peel away so-called “external constraints” and really zoom in on what that leader has control over, it’s her own choices and actions. Those choices and actions are hers alone, and can have cascading consequences – positive or negative. What ultimately enables a good leader to make ideal choices and then act on them boils down to her mindset.
What is a mindset?
At a high level, people tend to fall into one of two “mindset” categories: fixed or growth. As Stanford Psychologist Carol Dweck expertly details in her book, Mindset: The New Psychology of Success, the fixed mindset leader believes that the characteristics of people and systems are innate and immutable, and that weaknesses or errors are a referendum on overall intelligence or quality. In cybersecurity, this leader would believe that technologies are only so effective, personnel are only so skilled, and the broader culture has a set appetite for engaging on cybersecurity. In contrast, the growth mindset leader views challenges, constraints, and mistakes as opportunities for growth and learning: flawed technical architectures can be better optimized, people can adapt and develop new skills, and enterprises can grow to better appreciate cybersecurity's value proposition.
Ultimately, to be a thriving cybersecurity leader today, you need to create teams, functions, and ways of working that perpetuate and embody the growth mindset.
The challenges of a fixed mindset
Our mindset plays a critical role in how we see ourselves and others. It also drives our actions, and those behaviors form the basis of how others perceive us. When you're employing a fixed mindset, you perceive today's constraints as a rigid reality that's unlikely to change much. Some characteristics of this include:
You perceive a person's skills and abilities (e.g., interpersonal communications) as largely set in stone
You have a belief in innate talent (i.e., people are predisposed with "natural" gifts)
You regularly face an overwhelming fear of failure
When you fail at something, you're downtrodden and you blame the external world
If this is you as a cyber leader, you're in trouble! Especially since you’re working a daunting, 360-degree set of challenges: focusing some energies "down and in" to ensure your program is doing its job in securing the business, while also working "up and out" - influencing the executive ranks of the business and external entities to ensure you have the right support from the broader ecosystem. A fixed mindset individual views the cybersecurity program as only able to fight today's fire. You'll profess the idea that "there's such a talent shortage out there." Like the CISO I mentioned earlier, you'll think executives and business partners just "don’t get it," and that you'll have to find success in spite of their ignorance. Simply said, living with a fixed mindset will crush you and your program.
The benefits of a growth mindset
Time to look at your work through a better lens. In a growth mindset, you realize that your reality can be anything that you commit to - that perceived limits are often of your own creation. Constant learning and development become an obsession. When you take this approach as a leader, it’s infectious, permeating to every individual or team you encounter. Team members start to believe they have a purpose beyond blocking and tackling. They begin to see their "job" as a platform for unleashing new ideas and changing the status quo.
Simply said, living with a fixed mindset will crush you and your program.
In cybersecurity, growth mindset leaders can unlock potential value, inside and outside of their program. For example, operational leaders will no longer complain that "we don’t have the right tools to protect and monitor laptops from malware." Instead, they'll work creatively to better understand the environment and reduce risk by devising cost-efficient network architecture improvements that limit how much malware outbreaks can impact the business. Likewise, executive cyber leaders thrive on opportunities to change the hearts and minds of business stakeholders, creating a pervasive "shared consciousness" regarding the importance of the cybersecurity mission. By shifting into a growth mindset, you might evolve your program into a "team of teams" model - one where your core team networks itself with other parties inside and outside of the enterprise to increase capacity to secure the business. Making moves like this bring substantive impact, enabling the business to grow faster and with more confidence.
You can teach and influence others in the organization to adopt a growth mindset, and you can also start hiring people who already have it. When you find people that have an insatiable, burning desire to learn, you've got gold. They may exist on your team right now or not; maybe they're not even in your company yet. Doesn’t matter. Find them, value them, and grow them. In cybersecurity, anything can be learned. Fundamentally, you need the type of person that will commit to learning.
How to get there
So, if you're not living a growth mindset already, how do you begin? Here are some pragmatic ways to move in the right direction as a cyber leader:
Define and live a compelling belief. Step away from current realities and think about what's possible. Close your eyes and pretend you're staring down at your current world, filled with all the people, processes, and technologies that surround you. Think broadly and boldly about the real differences you can make, and put that to paper. Stare at that paper every day - update it as necessary - and commit to spurring massive, meaningful action. To illustrate, I suggest you follow Rick Howard, Chief Security Officer at Palo Alto Networks. His cybersecurity community thought leadership (example) is the embodiment of living a compelling, inspirational belief for making things better.
Become self-aware. Honestly diagnose your strengths and weaknesses. Ask for lots of input from your family, friends, and colleagues – this well-rounded input will give you diverse perspectives from several angles. There are lots of useful tips on how to practice self-awareness, but then you’ll need to make it stick. Once we know our strengths and desired areas for improvement, we can commit to developing those skills and holding ourselves accountable in measurable ways.
Seek the most rewarding outcomes. The "go big or go home" idiom is dead on. In cyber, we need to move beyond continual incremental gains, and look for massive "leap frog" improvements. This starts by envisioning the most high-value outcomes possible. Personal development guru Tony Robbins has a simple yet powerful method for this, called the Rapid Planning Method. Once you’ve truly identified those outcomes, you can start to lay out the series of activities you'll need to journey through, along with the anticipated roadblocks and resources you'll need. Then it's time to get creative in making laser-focused movement along these paths.
Establish a learning culture. Microsoft's CEO Satya Nadella is truly setting the standard for why and how to do this. For a culture that adopts this mentality and lives it fully, anything is possible. You'll need the right people around you to make this a success, so start with finding a second layer of leadership that believes in a learning culture.
As you commit to baking personal habits like these into your life (this can’t just be a one-time activity!), you’ll begin to feel a shift in how you perceive the opportunities in front of you.
With the pace of cybersecurity today, you can't afford to sit on your laurels. Think about the opportunities for change that you have in front of you as a leader. What are you waiting for?