Stepping Out of The Comfort Zone

The Comfort Zone in cybersecurity is a mindset you must change by strengthening the soft skills of every employee.


“The Comfort Zone is a behavioral state within which a person operates in an anxiety-neutral condition, using a limited set of behaviors to deliver a steady level of performance, usually without a sense of risk.”[1]

A comfort zone is a type of mental conditioning (mindset) that causes a person to create and operate within mental boundaries. These boundaries are most often the source of an unfounded sense of security where apathy and complacency are common. Within the comfort zone, there isn’t much incentive for people to reach new heights of performance. It’s here that people go about routines devoid of risk, causing their progress to plateau.

This psychological state and the perception of safety it creates keep a person from seizing opportunities for growth because such an effort involves something unfamiliar. Perhaps the greatest danger the feeling of safety presents is that it causes an individual or the organization to operate in a level of awareness known as Condition White. This level of awareness is best described as a state of unpreparedness, with no readiness to take any action, which results in what is seen as the biggest cause of breaches: human error resulting from a lack of situational awareness.

A mindset provides a person’s perspective on any subject and is the product of the individual’s formal education, experience in the use of that knowledge and operating in an environment according to the habitual behavior they and their peers have developed.

Security Behavior

In cybersecurity, the environment includes the working environment of the individual’s role within the organization and its function within the enterprise operating environment of the organization. The training, preparation and testing of behavior in the first, or the lack of one or more of them, leads to achieving or failing to attain the level of performance of the desired security behavior in the second.

In far too many organizations, the primary working environment continues to be the comfort zone where training to meet the organization’s respective industry regulatory requirements is the primary focus. The human factor, and all of the associated behavioral vulnerabilities caused by the principles of human nature, receive minimal attention, if they are addressed at all.

The individual’s working environment must move from the comfort zone to a continuous learning and growth zone where the objective of improved security behavior, in that environment, meets the security leader’s intent and contributes to an organizational operating environment inclusive of a mature cybersecurity model.

Everyone will agree that the cyber defense strategy must be innovative and adaptable. If the cyber defense strategy is to be innovative and adaptable, the boundaries of that strategy must extend beyond the commonly accepted boundaries of technology established by so many organizations operating within a traditional Western culture. This boundary limitation is repeatedly witnessed during the after-action review of a breach, when the question “How can we improve?” is asked. The “technology is the answer” mindset leads to a decision made at the expense of the training and preparation of the most innovative asset in the organization’s arsenal, the employees, in accordance with the first law of human nature, which states, “humans are creatures of habit who follow reproducible patterns of behavior and are reluctant to change those patterns even when faced with clear failure”. That mindset is a perfect example of staying in the comfort zone.

Fight or Flight or Freeze?

In response to anxiety-provoking stimuli such as a security breach, the options are either fight (meet the challenge), flight (run away/hide), or freeze (become paralyzed). In far too many instances, the boundaries of a response strategy are “frozen” to the technology comfort zone. The proper mix of intrinsic and extrinsic motivation of individual employees must be determined and implemented through training, outside of the individual’s and organization’s comfort zone, if the desired behavior and performance are to be achieved.

Strategy takes place only in the world of human competition. Sun Tzu says, “Know Yourself and Know the Other and victory will be certain”. That is where the competition begins, and we all will agree, I believe, that the “Other” has a huge advantage in knowledge, created by the training they have received in comparison to the typical employee regarding vulnerability, risk and desired behavior.

Knowledge is the starting point for all other soft skills and the most critical component of strategy. Technology is a tactic, a weapon, to be efficiently and productively used by the human factor within the mature cyber model strategy. The skills of knowing and foreseeing are mental skills that can be improved through training.

To extend the boundaries of a cyber strategy, improvement in the knowledge and skill performance of the human factor is critical. The innovation, ingenuity, and creative capabilities of the human mind, when cultivated, can push the boundary out beyond the capabilities of existing technology.

Making every employee a weapon in the organization’s arsenal to fight the cyberwar of their unique operating environment should be an objective of that organization’s training program. Improving the performance of individual soft skills will have the greatest impact on behavior performance and lead to the individual becoming the most efficient weapon possible within their soft skills capabilities!

Improvement begins when a decision to leave the comfort zone and enter the learning zone is made. Leaving the comfort zone means a phase of trial and error during which at least some success is inevitable; that success builds self-efficacy and increases the individual’s belief in their ability to grow.

Developing your people is one of the most important parts of being a leader. If you don’t make a conscious and committed decision to leave the comfort zone, you most certainly will be yanked from it and thrust into the panic zone when attacked by a cybercriminal.

“All growth starts at the end of your comfort zone.”[2]

[1] Judith Bardwick, Danger in the Comfort Zone, 1991

[2] Tony Robbins
