Digital Transformation and Digital Data Security
The digital transformation effort is currently seen as the next industrial revolution and all industries are in some stage of the process of achieving digital transformation. The Board of Directors and Executive Management can have no doubts when guiding their organization through this transformation. Any perceived doubt, by any member of one of these teams, will serve to undermine the perception of the importance of this effort and therefore the success of the effort. Associated with this transformation, and equally critical to its success is the security of the digital data.
If the organization is to successfully make the transition, every employee must possess a high degree of mental readiness to maintain the focus and perseverance to overcome each obstacle encountered in the journey. Successful digital transformation requires equipping, both technically and culturally, to effectively harness data in real-time, transforming it into actionable insights, and making agile data-driven decisions. As the digital transformation continues, new technologies will be implemented to improve business operations resulting in an increasing challenge in capturing data related to threat alerts. Alignment of security with the organization’s priorities and key initiatives will become increasingly important in the organization’s effort to avoid the financial loss and potential negative competitive impact that can result from a business operations disruption.
Cybersecurity is the mission-focused and risk optimized governance of information, which maximizes confidentiality, integrity and availability using a balanced mix of people, policy, and technology while perennially improving over time.”
Dr. Mansur Hasib, 2017
Maximizing People
For the purpose of this article, the keywords in Hasib’s statement are “maximizes people.” If an organization’s cyber warfare effort to protect its critical digital assets is to be successful, each member of the security team must maintain a high level of vigilance during normal daily business operations and be able to effectively execute or adapt to sudden or significant increases in stress that result from an active threat to those critical digital assets.
In the 21st century, warfare is not a pure military versus military conflict; it is an active struggle between competing entities that involves continuous conflict. In a similar fashion, cyberwarfare involves a continuous threat with the defender’s primary focus being to avoid having the organization’s daily operation paralyzed by the cyber adversary.
Human Targets
Humans, not systems, will be the target of many of these attacks. While the threat of an attack is omnipresent, there are lengthy times where the performance of duties consists of low-stress, mundane activities, with limited action required. Leonardo DaVinci said, “Inaction saps the vigor of the mind”. That loss of mental vigor, in the case of cybersecurity, most often results in diminished mental readiness to detect and respond to a cyber threat.
The inability to stay focused in times of inaction and the resultant complacency in performance of their duties is frequently experienced in American culture.
The human weakness of becoming complacent must be strengthened if an organization is to maintain the diligent execution necessary for the cybersecurity program to succeed. An information security program strategy’s success is dependent on people working together under stress and uncertainty. Good security programs shape the terms of the conflict to the liking of the defender before the conflict begins.
Overconfidence in Technology
A second contributor to complacency is the overconfidence placed in the ability of technology to strengthen cyber defenses. That overconfidence serves to minimize the importance of the human effort with the result being a loss of motivation to do more than what is minimally required.
Many organizations see technology as the means to overcome the human factor in their cybersecurity defense. Simply implementing technology and minimizing, and in some instances eliminating, human involvement is the perceived solution. “No degree of technological development or scientific calculation will overcome the human dimension of war. Any doctrine which attempts to reduce warfare to ratios of forces, weapons, and equipment neglects the impact of the human will on the conduct of war and is therefore inherently false.”[1]Technology alone is not the quick fix for strengthening an organization’s cyber defense and overcoming the human factor. The true purpose of technology was meant to be the equipping of man that he might better satisfy the requirements of his/her assigned responsibilities. Most state-of-the-art weapon systems are ineffective or achieve less than optimal performance when the operator has not been fully trained in its capabilities.
Gaining a Psychological Edge
Neil Patel, marketing expert and entrepreneur, is quoted in Forbes Magazine as saying, “Emotion influences the entire cognitive milieu of the decision-making process.” As such, increasing the mental toughness of each individual and the team, collectively, is a necessary strategy within the cybersecurity action plan. Mental toughness is the ability to work hard and respond resiliently to failure and adversity; it’s the inner quality that enables individuals to work hard and stick to their long-term passions and goals. It is the psychological edge that enables a person to remain focused and confident, during high-pressure situations, and perform at their full potential. It is a skill set that, like all skills, gets better with practice and discipline.
The chief incalculable in any conflict is the human will. A component of mental toughness is grit, human will. Grit is the ability to persevere, sustain efforts towards a long-term goal and stay passionate about pursuing the goal.
Mental Toughness vs. Grit
You might be asking right now, “What is the difference between mental toughness and grit?”
Mental toughness is more associated with short-term stresses, such as those related to a cyberattack. The ability to execute at peak performance will be determined by how efficiently each individual and the collaborative team are able to control their emotions and maintain the optimum level of arousal created by emotions such as denial, anger, and fear that cause behaviors such as tunnel vision or lead to decision fatigue – diminishing capacity for considering trade-offs and identifying dependencies, increasing avoidance of action and making more impulsive choices or not making choices at all.
Grit is more often associated with long-term perseverance, such as the day-to-day maintenance and monitoring of the cybersecurity program, where the stress level is minimal and it becomes necessary to overcome the human nature to become complacent.
Grit is needed when we least expect it and is necessary for us to keep our focus on our goals and control emotions that would alter that focus or cause us to quit. By being goal-focused versus deadline focused, a person with grit is able to avoid much of the distraction or procrastination that is often associated with being deadline focused and remain committed to accomplishing the goal
Training Mental Toughness
Mental toughness and grit can be developed through integrated training. Integrated training is a blend of emotional, psychological, and physical arsenals. Anything that is worked on should connect to some sort of threat scenario so that, irrespective of the drill, there’s an emotional and psychological rationale for the exercise. This type of training, if it is designed with the goal of increasing mental toughness and maintaining mental readiness, triggers and creates the connection between all three arsenals and is the most important moderator for stress in individuals and groups. In a stressful situation, if the people have not been hardened and are not mentally tough, they can easily be defeated regardless of the security controls (technology) implemented.
The mental challenge presented by training scenarios designed to magnify stress can exceed those designed to create physical demands. Designing scenarios that create levels of stress (time/impact) will aid in determining individual and team performance in an actual cyberattack. True peak performance in response to a cyberattack is about operating under periods of intensive stress.
A person, team, or organization can’t magically think their way to becoming mentally tough. It is accomplished by proving themselves, by doing something in real life. That something is preparation.
Through preparation, the individual, the team, and the organization stretch themselves, and, in so doing, achieve small wins that lead to making choices each day which build the collective “mental toughness muscle”.
[1] Warfighting, page 13; Doubleday, Copyright 1989 by The United Sates Marine Corps