In a recent article, I proposed using a warrior mindset to design, implement, and govern an organization’s cyber defense plan. If the proposition of using such a mindset to develop a cyber defense strategy was acceptable, I would suggest that a key tactic of such a strategy is a growth mindset.
The Risk of Having a Fixed Mindset
It is fair to say that a majority of people, when faced with a decision, are risk averse. This aversion is compounded in a crisis situation. Being risk averse is part of human nature. We humans are creatures of habit who follow simple reproducible patterns, are reluctant to change those patterns until behavior becomes unproductive, and, even when confronted with clear failure, often follow the same behavioral patterns in the hopes they will work again. Such behavior is the result of a fixed mindset.
Many organizations operate on a fixed-mindset foundation that limits behaviors such as sharing information, collaborating, innovating, seeking feedback or admitting errors. This mindset often results in a desire, on the part of the individual or organization, to look smart, avoid the challenges encountered, see effort as fruitless or worse, give up easily, and ignore useful negative feedback or criticism. In cybersecurity, this mindset is often associated with behavior such as reluctance to share information and experiences related to strategy, tactics and threat intelligence, both inter-organization and intra-industry.
Conversely, the cybercriminal community openly shares information and knowledge, perhaps for a price, that allows each adversary to learn, grow, and become more innovative in their efforts to succeed in their attack on a more stagnant opponent who is operating from the least competitive mindset: the we’ve-always-done-it-this-way mindset. Such a mindset is a classic example of the fixed mindset.
Individually, everyone has some degree of fixed mindset and growth mindset. The majority of us start with the fixed mindset being dominant. Our life’s experiences and education often reinforce that dominance and define the personal and corporate culture in which we comfortably operate. Because mindset determines our perspective on, passion for and commitment to an endeavor, this cultural approach to cybersecurity places great emphasis on maintaining the status quo.
Embracing a Growth Mindset
In contrast, a growth mindset embraces challenges, sees effort as the path to mastery, enables a person to persist in the face of setbacks and allows them to learn from criticism. This mindset must become the dominant mindset in the pursuit of any goal if that goal is to be achieved. In the case of cybersecurity, that goal is for security to be a business enabler as well as to mitigate the risk of compromise of critical digital assets.
Cybersecurity Benefits of a Growth Mindset
In that context, let’s explore the development and benefits of a growth mindset and its contribution to the effort of creating a flexible, adaptive and innovative cybersecurity program.
It is universally accepted that humans and human error present the greatest risk to any cybersecurity program. You can call me old school, but if you agree with the assessment that people present the biggest threat to the compromise of the proprietary data that makes an organization unique, then you should agree with the proposition that strengthening that weakness must become an important tactic in an organization's cybersecurity program strategy. So, why are so many training programs created in a manner that implies they are an afterthought? In many instances, that is exactly what they are, as a result of the organization's desire to check off the compliance obligation of employee security training.
Adapting to the New Normal
Human beings under stress for extended periods of time, if not properly trained, will make bad decisions or choices regarding the action to be taken. Many of the actions will be based on convenience and, as a result, normally will involve a greater risk that has not been considered. Such a situation is the current COVID-19 new-normal operating environment. Changes to policies and procedures, most of them temporary, have been implemented and business continues to function. But at what risk?
When this crisis has been resolved, the temporary changes may not apply to the new operating environment. Additionally, it is not unreasonable to assume the pre-COVID-19 operating environment is not an environment to which the organization can or will return.
A new cybersecurity plan for this more permanent operating environment will need to be established. I use the words "more permanent" because the adversary is also preparing for this change, and the need to be flexible and adaptable will become a standard that, in large part, does not exist today.
The opportunity to establish a growth mindset culture with respect to security is at hand. If this transformation effort is to succeed, the Board of Directors and Executive management can have no doubts regarding their commitment. Any perceived doubt by any member of one of these teams will serve to undermine the initiative.
What may undermine confidence and create doubt is the belief of decision makers that technology is the silver bullet for security. Technology is but one tactic to support the new strategy. The most state-of-the-art technology is ineffective when the operator has not been fully trained in its capabilities and in the tactics, techniques and procedures (TTPs) for its use.
The preparation and execution of this new plan will require training people to efficiently function in their roles and be prepared for the obstacles encountered. This new plan must encourage continued growth in knowledge and experience that will result in a much better response to the next global crisis that surprises the world.
Committing to Growth
Committing to building a growth mindset culture is a human challenge. The ideas, assumptions, decisions, and (in)actions of decision makers, based on a growth mindset, will help decide which businesses prosper and which do not survive.
When companies embrace a growth mindset, employees report a feeling of empowerment and greater commitment to their role’s responsibility and its contribution to achieving the mission of the organization. This mindset encourages innovation in processes, seeks the help of others, emphasizes thinking out of the box, requires testing new strategies and seeks to capitalize on setbacks to identify opportunities to move forward.
While normal motivation techniques such as praising and rewarding effort are a part of the growth mindset, such motivation normally creates or strengthens the fixed mindset. A growth mindset rewards and places greater emphasis on learning and progress in performance improvement, which is a more powerful and longer-lasting form of motivation. It is motivation that increases the person's perception of their value to the organization and results in increased trust, satisfaction and loyalty.
A growth mindset seeks knowledge in multiple new domains. This is a primary benefit of having a multi-disciplined security team. This expansion of knowledge in new domains combined with the knowledge in existing domains provides the ability to create, in Lt. Col. John Boyd’s Observe, Orient, Decide, Act (OODA) Loop, a library of mental models that can quickly be brought to bear in the decision step of the loop.
Practice Makes Progress
Committing to developing such a mindset is just the first step in creating a culture where it is regularly practiced. Behavior of any type is a learned skill. For this type of learning, deliberate practice is the best way to make the needed improvement and to measure the progress.
Deliberate practice is a highly structured activity engaged in with the specific goal of improving performance. The four essentials of deliberate practice apply to both individual and organizational efforts to improve. They are:
- Be motivated to attend to the task and apply the necessary effort to improve performance.
- Apply pre-existing knowledge in the design of the task in order for the task to be correctly understood after a brief period of instruction.
- Provide immediate feedback regarding performance of the task.
- Repeatedly perform the same or similar tasks to achieve the desired performance and to maintain that level.
How an individual or organization conducts practice significantly impacts the results. Each entity must constantly challenge itself. For the organization, this responsibility rests with leadership. In either case, deliberate practice means not repeatedly doing what you already know how to do.
The first principle of maneuver warfare is to target critical vulnerabilities. This should be the guiding principle for governing individual and organizational training and practice. It is incumbent on leadership to work with individual team members and the team collectively on their weaknesses and develop training practices to improve performance in those areas.
Leadership must also identify deficiencies in the cybersecurity program and either develop scenarios to test and improve performance or commission a third party for the design of the scenarios and oversight of the exercise. Wargaming is an excellent tactic to use for improving performance as well as exposing areas requiring further concentration of training.
Practice must be deliberate and intense, carefully scheduled and limited in ways that avoid burnout. Team exercises must include stress and uncertainty similar to that of a live situation.
This type of practice isn’t always fun. It must be accepted that this effort is a journey in the pursuit of performance excellence and has no end.
There are three zones in which practice occurs:
- The Comfort Zone – This is the zone in which many individuals and organizations find themselves. The practice does nothing for improvement and is basically an ego-stroking exercise resulting in a false sense of accomplishment.
- The Panic Zone – Practice in this zone leaves the participant paralyzed because the activities are difficult and there is a lack of knowledge regarding how to approach them. This is all too often the experience in a live cyberattack. In practice, the activities are most often counterproductive to the goal of performance improvement. The Panic Zone is a place where the individual and/or the organization is lost.
- The Learning Zone – This is where the skills and abilities that are just out of reach are targeted for performance improvement. They are neither so far away that they cause panic nor so close that they are easy to complete. If you are in this zone, you are experiencing improvement 50%–80% of the time you conduct the practice.
As a caution, if you are realizing improvement less than 50% of the time you practice, you are in the Panic Zone. Likewise, if you are not experiencing failure at least 20% of the time, you are in the Comfort Zone. Neither zone is conducive to learning, improving performance and strengthening your growth mindset.
With regard to cybersecurity, a culture of continuous learning is critical to keeping pace with the cybercriminal, their TTPs and the threat they present to an organization's unique operating environment. That knowledge cannot be gained and, perhaps more importantly, strategically used in the organization's cyber defense plan if anything other than a growth mindset is being used to execute against the plan. There will always be risk, and it must be addressed when making any decision. A growth mindset encourages taking risks, and taking them through a more informed decision process.