Part 4 in the series on leaving the Comfort Zone.
“Action without vision is only passing time, vision without action is merely daydreaming, but vision with action can change the world.” -Nelson Mandela
The decision to leave the Comfort Zone and execute a cybersecurity training program focused on continuous performance improvement in security behavior begins with a public commitment, at the executive level. A fundamental principle of leadership is “lead by example” and, in regard to this public commitment, active participation in the program, at all levels of leadership, demonstrates support for its success and garners the necessary commitment at all levels of the organization.
It is vital to have a training strategy before leaving the Comfort Zone. However, before you can have a strategy, you must have a philosophy. Philosophy is the unique idea around which a specific strategic position or vision is organized. It holds the competitive organization together. In far too many training initiatives, if there is a philosophy, it is an implied philosophy that leaves much to the interpretation of the individual. As we are witnessing in cyber defense today, implied philosophies are resulting in decision-making that falls short of meeting the “security leader’s intent.”
The security leader’s intent is designed to help subordinates understand the larger context of their decisions and actions. All actions are based on taking the initiative and imposing their will on the attacker. Everyone must have a clear understanding of intent at least two levels above their role if they are to be equipped to use their own initiative and judgment when required to depart from the original plan.
The plan for leaving the Comfort Zone must be developed using a Strategic Planning Framework if the organization and/or individual is to successfully make the mental jump from the “current state” of the cybersecurity model to the “future state” of defense required by the continuously evolving threat environment.
“The side that fields the fully prepared army against one that is not will take the victory.” In the cyber war today, the cybercriminal is better prepared!
The training plan begins with a strategic vision. The vision is critical for providing a clear purpose for the program and a clear picture of the potential future vulnerabilities and the risk of exploitation within the organization’s unique operating environment. This vision, as is so often the case in cyber strategy development in Western culture, cannot stop at the boundary that technology has not yet reached.
The vision should be a shared commitment which is the reason for making the commitment public. In doing so, it becomes a strong commitment that defines responsibility and accountability. Superior training is a form of low-risk strategic asymmetry. The costs to develop and maintain superior training are justified by the reduction of risk that results.
In the realm of security, asymmetry is acting, organizing and thinking differently than your opponent in order to maximize one’s advantages, exploit an opponent’s weakness, attain initiative or gain greater freedom of action (i.e., empower employees to act) which is critical to meeting the security leader’s intent in the remote working environment in business today.
An asymmetric strategy regarding training provides the opportunity to take the necessary holistic view and consider the whole complex of interrelated measures, many of which are not technical or cannot be solved by any technology. Rather, they are solved by the increased knowledge that leads to the innovation and ingenuity of the human security layer behavior. Knowledge is gained through many sources/means and is retained through the experience gained from the application of that knowledge in situations. These application experiences help to develop and mature the intuition of an individual which most often leads to better decision-making.
People live by assumption, not intention and no one improves by accident. Personal, like organizational, growth does not come naturally. In leaving the Comfort Zone, the execution of a training program designed to achieve the desired objectives, outlined in Part 3 of this series, must be governed by the “Law of Intentionality” and can be summarized as, “No accomplishment of worth is reached by accident.” An intentional effort to reach desired objectives is required if the effort is to have maximum impact. “If you don’t intentionally prepare for growth, you intentionally prepare for decline.”
The purpose of leaving the Comfort Zone is to create a proactive security culture founded on a growth mindset. The defender in cyberwar must be able to veer, as the moves and countermoves of the attacker occur at a tempo that enables them to control the situation. The strategy of the attacker has been and will continue to be, “build the weapons to fit the fight” and has provided an advantage when in competition with the current defender strategy of “fight the fight that fits one’s weapons.”
Leaving the Comfort Zone and implementing a plan based on a strategic framework addresses the need of the defender to overcome what has been a constraining factor of the current tactical technology point solution and addresses the critical need to develop the human factor as a tactical weapon in the fight.
A Continuous Journey of Small, Proactive, Methodical Steps Forward That Patiently Foster Self-Awareness While Intelligently Assessing The Plan’s Objectives
- Change the mindset regarding individual and organizational learning. Move from “now” to “yet” that encourages a commitment to a learning journey with no conclusion.
- Establish baseline objectives to create an understanding of, and an appreciation for, the value of the individual’s security behavior, in their daily role, to the success in maturing the cybersecurity model.
- Develop and maintain a regular assessment policy of the skill level in security behavior through training by doing. Continuously reinforce existing knowledge and simultaneously increase knowledge leading to a higher level of situational awareness.
- Adopt the attacker mindset and prioritize vulnerabilities based on exploitability and make every employee a weapon in the organization’s arsenal capable of fighting their role-based unique cyberwar.
This quote is very relevant to the current human security layer training in cybersecurity, “Soldiers without training cannot stand up to one out of a hundred opponents, yet they are sent out against a hundred each.” Most organizations are sending their employees into a threat environment, relative to their role and the critical data used in the performance of their duties, woefully unprepared.
The cybercriminal has positioned themselves as the superior competitor as they have invested significantly in the Sun Tzu policy of “Know the Other.” At a minimum, they have a decade of experience advantage in the knowledge and skills of their opponent; YOU!
Weaponizing employees is the act of providing knowledge, training and experience to improve their performance in the use of their skills such that their situational awareness is heightened and their security behavior becomes a weapon to better thwart the efforts of an attacker to exploit both organizational and individual vulnerabilities.
Fundamentals in The Execution of Strategy for Leaving The Comfort Zone and Achieving our Objectives
In far too many situations, within an organization’s operating environment, employees are operating in a state of ignorance as a result of insufficient training. Knowledge-based training is foundational to correcting this situation. It is used to regularly refresh and improve awareness of the changing threat environment, provide new as well as reinforce existing knowledge that leads to improved security behavior in the environment, establish a baseline of expected behavior and develop reproducible patterns of behavior that become habitual.
Proactive cybersecurity requires observing the industry, the current threats within the industry that present the greatest risk of exploitability to the organization’s unique operating environment and orienting the organization and individuals to best defend its critical digital assets.
The training curriculum to accomplish the orientation is decided upon and prepared based on these observations. As the training is delivered, discipline in executing the desired behavior should be a point of emphasis. Additionally, the trainer should be evaluating individuals to assess skills they may have that can be further developed in the practice sessions.
The training is a series of cycles through the training year with the intent of increasing security knowledge, updating policies and procedures, as well as leveraging tools from vendors that can aid in the effort to meet the security leader’s intent.
In succeeding preparation exercises, based on the input obtained from the previous training cycle that includes practice and testing, updated observation of events in the organization’s industry, intelligence gathered regarding the adversary tactics and an understanding of change necessary to better orient the organization’s current defense posture, the curriculum is refreshed.
Knowledge-based training is bi-directional. Review at the conclusion of a cycle, by all involved in the training exercise, provides further insight into how the next cycle may need to adapt as well as how future cycles should be structured. If done appropriately, individuals will potentially have new skills identified, gain a greater feeling of belonging, a feeling of accomplishment and, due to a sense of increased value these feelings create, their intrinsic motivation provides a greater desire to achieve and maintain the desired security behavior.
Learning through observation during practice is a source of much of the learning achieved. Humans are predictable and, as such, involuntarily mimic others. This type of learning is sometimes called shaping, modeling, and vicarious reinforcement.
Observation learning may incorporate a social component that influences whether the observer will choose to engage in or avoid a certain behavior. Because humans are creatures of habit, by nature, they will follow simple reproducible patterns that become a habit. Incorporating observation learning into the practice exercise is a means to take advantage of this aspect of human nature.
The Four Stages of Observational Learning
Every employee must be in the right mindset to learn and have the mental toughness to remain focused on the example being set. Sufficient time to observe and grasp what is being performed must be allotted.
Choosing the model for this type of learning exercise will impact the overall learning experience. People who are viewed as similar to the observers tend to command greater focus by the observers. Selecting people who have demonstrated skills to perform as an example and, perhaps, are functioning in the same role as the group of observers tends to command greater focus.
It is human nature to retain, on average, between five to nine items using an individual’s short-term memory. Learning by doing significantly improves retention as it removes the behavior pattern from short-term memory and builds it into a habit.
When peer-to-peer daily observation is incorporated into the learning-by-doing approach, further increases retention.
Each person will have their own unique capacity for achieving the desired behavior. However, it is the execution of the behavior and the positive feedback from leadership acknowledging its execution that is invaluable to achieving success in the effort to create a habit.
Behavior is most often a function of motivation. The proper mix of intrinsic and extrinsic motivation must be determined and implemented if the desired behavior and performance are to be achieved. The desire for personal growth and fulfillment is an intrinsic motivation for every person that this training program can help recognize.
Skills-based training targeting performance improvement in the use of an individual’s skills, identified in the preparation phase, can simultaneously create intrinsic motivation and improve their security behavior.
Using skills-based training, the leader can task an individual with responsibilities commensurate with their abilities rather than attempting to charge them with a task they are unable to perform.
“The valiant can fight; the cautious defend, and the wise counsel. Choose individuals based on their talent and no talent will be wasted.”
Learning occurs as a result of experience. Testing is a means to provide that experience in an environment free of risk. The testing provides the opportunity to build new mental models the organization or the individual can use in the collective or individual decision-making process.
Learning through experience can involve both beneficial and negative behaviors. The latter can and, most often, result in failures and lessons learned that contribute to halting such behavior in the future or changing it into a beneficial behavior.
One purpose of testing employees is to reframe the mindset perspective of stress from it being bad to a mindset perspective of it being a positive energy that assists the individual in better emotional control.
The core idea is that our nervous systems have a Goldilocks zone of arousal. Too little, and the individual remains in the Comfort Zone, where boredom sets in. But too much and they enter the ‘panic’ zone which, due to insufficient preparation and practice, is where many individuals find themselves in a breach event. They become anxious and can no longer make informed decisions regarding proper behavior and subsequent response.
The emotion of fear often dominates decision-making in a cyber event. The evolutionary preset actions of fear are fight, flight and freeze. Testing scenarios must be structured to foster rational thinking at a “tempo” that overcomes the flight or freeze tendency in the individual and results in an action that seizes control, from the attacker, causing them to be forced to respond to the defender’s actions.
Studies have shown that the more decision-making power an employee has, the greater their commitment to their role. This is especially relevant in today’s hybrid work environment. Their perception of the threat and the trust placed in their decision-making power positively impact a change in behavior.
Confidence in allowing increased decision-making power can be developed through regular testing. A product of increased decision-making power is the maturation of confidence of the individual in their intuition, based on heightened security awareness and practice using it in training scenarios.
Testing can contribute to the improvement of individual key skills identified in the preparation and practice steps. Perhaps more importantly, critical security skill gaps of the organization can be addressed through development and performance improvement using “deliberate practice” and testing scenarios, providing the opportunity to gain experience in their use.
Many mistakes are the price of admission to improvement and continued growth. By adhering to the Law of Intentionality, mistakes and failures become learning points during this phase of the training program.
The testing environment must be a supportive environment. It must be an atmosphere in which individuals feel comfortable exploring new ideas and taking risks. It also means providing encouragement and feedback, both positive and negative, which will help individuals learn and grow from their experiences.
Account for Human Nature in the Training Program
Since our primary reason for leaving the Comfort Zone is improving human security behavior, consideration in the design of the program must be given to the principles of human nature that will most likely create friction in that effort. Behavior change begins with every individual understanding the organization’s goals.
A fundamental principle of human nature is that, as finite creatures, there are a limited number of dimensions in behavior. We rarely act in isolation and prefer to interact with the environment around us. The cultural changes, associated with changes in habitual behavior, that will occur as a result of leaving the comfort zone environment will most likely create obstacles.
It is imperative that the cybersecurity training program create an environment, regarding security situational awareness, that, at a minimum, is at a level where the person understands that threats exist in the operational environment of their role that requires changes in their behavior patterns if they are to act in accordance with the security leader’s desired behavior.
The second Principle of Human Nature is “Humans are Lazy” and, as such, are generally willing to take the path of least resistance. This is especially relevant in a cybersecurity environment because, unless a person is prepared through continuous knowledge-based training and their focus, driven by intrinsic motivation, has shifted to skills improvement using skills-based training in practice, they will not have an aversion to risky behavior that makes their job easier!
Leaving the Comfort Zone and focusing on behavior improvement is a meaningful way to start thinking of the human security layer as something to work with rather than work around the current mindset perspective of adding more technology to reduce human error.
While the benefits of leaving the Comfort Zone will, most likely, not be achieved overnight, the cumulative upward spiral of achievement and confidence, as a product of preparation, practice and testing, will become a potent set of tactics in the organization’s effort to develop a mature cybersecurity model within the enterprise culture. Making gradual rather than radical changes is often more successful when attempting to leave the Comfort Zone. This allows individuals time to adjust to new situations and make progress toward their goals rather than feeling overwhelmed or stressed by change all at once.
Knowledge is the starting point for all other skills and the most critical component of strategy. Sun Tzu defines military wisdom (strategy) in terms of sober and methodical deliberation and planning. The best military policy is to attack the opponent’s strategy; the next to attack alliances; the next to attack soldiers.
The tactic, seen as a strategy, of point solution implementation of technology to address a specific threat at the expense of preparation, practice and testing of the human security layer has created a technology dependence that has become the bane of cyber defense for Western culture. Such dependence has cultivated, within the human security layer, an attitude of complacency and a false sense of safety in the individual’s comfort zone. That complacency and lack of situational awareness, as it relates to the security behavior of every person, enables the cybercriminal to exploit vulnerabilities associated with each of the best military policies of Sun Tzu.
The freedom, of the cybercriminal, to employ one or more of these military policies against the current defense-in-depth model has put the defender in an inescapable, hopeless threat condition environment known as “the horns of a dilemma.” However, the impact on an individual or an organization can be controlled through a change in the relationship with that “condition.”
Leaving the respective individual or organizational comfort zone and maintaining a continuous presence in the learning and growth zones is just such a change.
As you continue to train in the learning zone, it is vital to recognize the fact that the Comfort Zone you originally left will continue to expand as employees become proficient in what is being taught at the time. This has the potential for creating a level of complacency similar to what you were first motivated to overcome. This is a reality of human nature and your training program must be prepared to adapt and adjust to this principle of human nature as well as the adversary’s demonstrated ability to evolve and develop threats targeting the change in behavior of your employees.
 Sun Tzu, The Art of War
 Greg Groeschel
 Sun Tzu, The Art of War
 Things that will always exist in the operational environment but cannot be controlled by either force.