Improving security one person at a time.
What’s the most important aspect of improving cybersecurity?
A) Implementing state-of-the-art technology that works;
B) Re-engineering the processes that businesses use to apply appropriate security policy; or
C) Changing the security culture in an organization.
Most experts think the answer is C. Why? One leading security consultant said that despite the fact that beneficial organizational improvements require changes in people, processes and technology, more than 90 percent of the difficulty is in modifying behaviors of end users, systems administrators and even senior management.
Whether or not you agree, this leads to other vital questions: What is your government doing to impact the security culture? How can we, as security and technology leaders, motivate, influence and impact thousands of people? What really works, and what activities bring the greatest ROI for our time and money?
A typical response is to offer employee training, which most governments provide to meet compliance requirements, and updated security training for technical staff. Many leading companies even bring in professionals who specialize in building organizational change programs.
But I’d like to suggest a more focused and personal approach: Find a mentor from another part of the country or a seasoned security pro who can mentor a recently appointed security leader.
Mentoring works because it allows newer leaders to learn from their predecessors’ mistakes and successes. Numerous studies and white papers have shown the benefits of benchmarking. Having a mentor can build some of that same synergy, but on a more personal level with someone who is trying to help you become more effective.
In 2009, Forbes magazine answered the question: Who needs an executive coach? Here’s the beginning: “Executive coaching is hot. What was once stigma (‘You’re so broken you need a coach?’) has become status symbol (‘You’re so valuable you get a coach?’). Tiger Woods and Michael Phelps have coaches. Even President Barack Obama has a coach, if you count David Axelrod. Microsoft’s young, high-potential leaders get coaches. If elite athletes and organizations think they need coaches, shouldn’t you have one too?”
The article states that coaching isn’t for everyone, but excellent candidates are important leaders who have evolving roles that greatly affect an organization in powerful ways. Other experts said the keys to successful mentoring include: a willingness to learn and be mentored; an openness to discuss sensitive work-related topics; selecting a mentor and mentee who aren’t in the direct management chain; and giving the relationship the appropriate priority with a reasonable time commitment.
This year, the Multi-State Information Sharing and Analysis Center (MS-ISAC) the center for sharing cybersecurity threat and response information launched a one-year mentoring pilot program in which nine state and local security professionals are mentors and nine newer cybersecurity leaders are being mentored by someone outside their state.
Participants mainly include chief security officers and chief information security officers, but a few junior leaders also are seeking to improve their security skills. The pilot comprises monthly phone conversations as well as face-to-face discussions at the MS-ISAC Annual Meeting.
The mentoring program has several objectives, including:
Improve the useful sharing of security best practices and organizational insights on what really works among state and local governments.
Build a government security culture that improves cyberdefense nationwide by making the people a priority.
In conclusion, Seneca once said, “Even while men teach, they learn.” I am looking forward to learning, as a security mentor.