I was talking with a fellow CISO at a conference recently and she said something that resonated with me. She had just acknowledged that she wasn’t fully staffed and that her budget was down slightly. “But we’re doing better than we ever have,” she explained.
It took a few weeks for me to process this, but I think she’s embracing something that can make a difference in being more effective business leaders. Stephen Covey explains in the fourth habit of the Seven Habits of Highly Effective People that we have to bravely achieve a balance between courage and consideration, empathy and confidence. Doing this means developing what he calls a “mentality of abundance”.
It’s easy to embrace a “scarcity mentality” when it comes to cybersecurity. There aren’t enough people to fill all the needed positions in cybersecurity. We have to compete with budget with IT. The CPU cycles our security takes up on servers is a performance hit that other applications can’t use. We compete for the very attention of the employees at the companies we are trying to protect. The only thing that is abundant seems to be the cyberattacks themselves.
Why is it wrong to think in terms scarcity? I had to dust off my copy of The Seven Habits: “The Scarcity Mentality is the zero-sum paradigm of life. People with a Scarcity Mentality have a very difficult time sharing recognition and credit, power or profit – even with those who help in the production. They also have a very hard time being genuinely happy for the successes of other people – even, and sometimes especially, members of their own family or close friends and associates. It’s almost as if something is being taken from them when someone else receives special recognition or windfall gain or has remarkable success or achievement.”
One big issue that we face as an industry is that we don’t always think of the bad guys as our competition. We think of the company down the road who tries to recruit away our best people. Vendors think other vendors are their opponents. What if we cooperated instead of competed?
Have you ever heard someone in cybersecurity talk about the bear in the woods? They’ll say, they don’t have to outrun the bear, they just have to outrun you. The bear, in this metaphor, are the hackers that are trying to break into our networks and steal employee credentials. This is the scarcity mindset at work, and unfortunately, it’s wrong. You’ll have to forgive the pun, but we’re all Targets. JP Morgan has more cybersecurity resources than some governments, but they were a victim. The NSA itself, arguably home to the greatest minds in security, was hacked.
What would a mentality of abundance in cybersecurity look like? Again, from The Seven Habits: “The Abundance Mentality, on the other hand, flows out of a deep inner sense of personal worth and security. It is the paradigm that there is plenty out there and enough to spare for everybody. It results in sharing of prestige, of recognition, of profits, of decision making. It opens possibilities, options, alternatives and creativity.”
I don’t know if you caught that, abundance requires a sense of security. Not only do we in cybersecurity to develop our own mindset of abundance, because of the threats we face, our whole organizations may have lost their sense of abundance, making our businesses less effective.
What courage or confidence, if any, is there to be had when it comes to cybersecurity? First and foremost, security is everyone’s job. We need everyone to be a part of security. What happens if we stop thinking about how small our security teams are and instead think of every employee at our company as a security employee? What if, instead of being thought of as a waste of money, businesses believed security is an investment?
No matter what phase their product is in, companies that invest a heavily in research and development of new products recognize that the risk of investing heavily in innovation are compounded when they don’t have great cybersecurity. A company with stronger cybersecurity will be able to get more out of its investments than one that is actually more innovative but less secure. Companies that are in a rapid growth phase need to protect their market share, so they need to ensure customer lists are secure to prevent poaching. Established brands need to focus on protecting themselves from a loss of reputation. Mature products focus on service as a steady source of income, and disruptions to operations can lead to premature obsolescence.
Whether we recognize it or not, security is a part of every business plan. And today, since every company is becoming a technology company, cybersecurity needs to be a part of every business’s roadmap. Highly effective companies will be the ones that find abundance in cybersecurity.