In the introduction to this series, I made the declaration that “it is imperative the organization and each employee leaves their comfort zone with respect to cybersecurity.” The first question that any reader of that statement would most likely ask is, “WHY?”
In this second piece of the series on leaving the Comfort Zone, that is the question to which I will attempt to provide a credible answer.
Workers, for the most part, are checked out. Just a third of workers reported feeling engaged on the job, according to a recent Gallup survey. That’s even lower than in 2020. What’s more, about 60% of respondents reported feeling emotionally detached at work and 19% reported being miserable. Feeling disrespected at work, struggling with pandemic burnout and more contribute to that discontentment. Companies with engaged workers enjoy higher profits.
Cyberwar is a model of fourth-generation warfare. It is a conflict characterized by blurring the lines between war and politics, combatants and civilians. Roughly speaking, “fourth-generation warfare” includes all forms of conflict where the other side refuses to stand up and fight fair.
An active adversary is, by definition, working to thwart the CISO's mission and acting in a criminal fashion without the constraints of law, regulation or corporate ethical standards. Meanwhile, the internal stakeholder audience is just trying to comprehend the breadth and depth of the challenge, and is oftentimes only beginning to come to terms with the realization that this is much more than an 'IT problem'. They are often grappling with how to even begin addressing a problem of such magnitude.
The comfort zone is a closed system and, as such, is subject to the Second Law of Thermodynamics: entropy in such a system continues to increase, and here it applies to work performance in a spontaneous process such as cyber defense. The increasing entropy leads to heightened apathy with respect to desired security behavior, situational awareness and the security mindset of a mature cybersecurity model within the enterprise culture. The failure to expand knowledge and experience relative to cybersecurity awareness and preparation contributes directly to the increasing entropy governed by this law.
If an organization is to defend its critical data in this fourth-generation warfare environment, all means of response and defense must be in readiness. The rules in this version of warfare are ever-evolving and being rewritten as information technology and its use expands and exposes more vulnerabilities.
In the history of warfare, any significant advance has always depended, in part, on active innovation by strategists. The dichotomy of mindsets between the attacker and the defender has provided a significant advantage to the attacker.
The attacker’s mindset and resultant strategy has been, and will continue to be, “build the weapons to fit the fight,” which best enables them to follow the advice of Sun Tzu: “The best strategy is to attack the opponent’s strategy.” In that context, a philosophy of the attacker community has been, per Sun Tzu, “To send people to war without teaching them is called abandoning them,” and they have followed his further counsel to “Teach people for seven years, and they can go to war.”
The defender’s mindset regarding strategy continues to be “fight the fight that fits one’s weapons,” which has resulted in a defense plan whose tactics have been a constraining factor in building a mature cyberwar model. Western culture has, invariably, halted its strategy development at the boundary that technology has not yet reached. This strategy has often been executed at the expense of failing to train employees to use their skills, with a high degree of efficiency and productivity, to achieve a mature cyber model. The human factor, trained as a weapon equivalent to the attacker’s human factor, should provide sufficient motivation for the organization to leave the Comfort Zone with respect to employee training.
“Wars may be fought with weapons, but they are won by men. It is the spirit of men who follow and of the man who leads that gains victory,” (General George S. Patton). This quote becomes even more relevant in cyber war if the individual becomes a weapon!
It has been determined that sixty-nine percent of breaches are the result of human error and, in those instances, a lack of situational awareness has been determined to be the number one cause of that human error. Even the most experienced people can lack situational awareness, especially when performing tasks that have become routine and are perceived as mundane, such as those performed in their comfort zone.
In most organizations today, the majority of employees are operating at the level of situational awareness known as “Condition White.” They are in their personal comfort zone, where they feel safe and secure. At this level of situational awareness, the individual is unprepared and unready to take any action. They believe there is no jeopardy and are, therefore, not actively assessing the potential of a threat and/or threat indicators. The apathy normally associated with this condition increases the probability that their security behavior makes them a target to be exploited.
It is for these reasons that the organization must leave its Comfort Zone in regard to both strategies and supporting tactics if it is to stop being a slave to technology in its thinking and subsequent planning.
Today’s cybersecurity battles occur within the minds of those who comprise the constituents of an organization, requiring them to be proactively engaged in achieving the desired security behavior.
According to Gallup’s 2022 State of the Global Workplace Report, “employees who are not engaged or who are actively disengaged cost the world $7.8 trillion in lost productivity.” They define engagement as “psychological commitment to one’s work, team and organization… engaged employees are mentally in the zone, ready for action.”
The cybersecurity model, regularly developed within the organization’s Comfort Zone, does not prepare it to compete successfully in a fourth-generation warfare environment. In this environment, a philosophy of executing a variety of focused and unexpected actions, for the purpose of creating a turbulent and rapidly deteriorating situation with which the attacker cannot cope, is critical to a successful cyber defense.
The mindset of each individual determines that person’s perspective and governs their behavior with respect to a subject. The mind is, most often, a closed system susceptible to an increase in entropy and a diminished ability to perform useful work such as the desired security behavior. If an individual’s mindset is to change, the change begins with increased knowledge and involves continuous experience that expands the individual’s comfort and builds confidence in their decision-making. A confident mind is the product of education and experience outside of a person’s comfort zone.
It is becoming increasingly important to create a sense of responsibility for security in every employee, such that they commit themselves to developing into a weapon prepared for the tactics, techniques and procedures (TTPs) of the cyber adversary. Operating without clear objectives, which is the situation most employees find themselves in regarding the security leader’s intent, must be avoided. Each employee must learn to execute a response in accordance with the leader’s intent in order to break the enemy’s will.
It is human nature for individuals to strive for the best possible performance in the execution of their duties if they feel a sense of accomplishment, feel their value to the organization is appreciated and believe that the effort aids them in reaching their full potential!
Training that causes such intrinsic motivation regarding security awareness is not the norm today. As a result, the product of most training is seen in this quote from Leonardo da Vinci, “Study without desire spoils the memory, and it retains nothing that it takes in.”
According to David Eagleman, a neuroscientist who studies how our brains perceive time, it boils down to the fact that our brains process familiar information quickly. When new information is introduced, it takes our brains longer to organize and synthesize the data, making the experience more memorable and making time appear to slow down.
Practicing the mindset in everyday matters will result in a more dynamic “make it happen” type of unit, versus a unit always waiting for guidance and failing to take initiative. Initiative is more critical now than ever before. This type of training, done in the Learning Zone and Growth Zone, cannot be done in the Comfort Zone.
Benefits of leaving the Comfort Zone
While the benefits of leaving the Comfort Zone will, most likely, not be achieved overnight, the cumulative upward spiral of achievement and confidence produced by continuous training, preparation and testing will become a potent tactic in the organization’s cyber defense strategy.
Benefits, in addition to security behavior performance improvement, include:
- Addressing and correcting the perspective of the 70% of employees who believe they personally do not play a role in maintaining their organization’s cybersecurity posture. An investment in training with the purpose of aiding the individual to achieve their full potential will demonstrate the organization’s view of their value in achieving a mature cybersecurity model. It can aid in addressing the individual’s often unspoken desire to experience personal growth and fulfillment. Such a commitment can ignite the intrinsic motivation of each person to improve their security performance, increase loyalty and trust, and persevere when they encounter the peaks, obstacles and plateaus that complicate their security awareness journey.
- Development of a Growth Mindset that causes the individual to realize that setbacks, often viewed in their current mindset as failures, can become opportunities for learning and provide unlimited potential for performance improvement and individual growth in the application of their skills.
- Greater self-efficacy, which is an individual’s belief in his or her capacity to execute the behaviors necessary to produce specific performance goals. It refers to a set of beliefs the person holds about their ability to complete a particular task. The primary source of self-efficacy is the past experience, observation, persuasion and emotion that are part of the scenarios used in the Learning Zone.
- A benefit for the organization is a motivated employee whose situational awareness is greatly improved.
Staying in our comfort zone is a form of isolation that increases an individual’s vulnerability to mental malware and leaves them likely to fall victim to an adversary’s disinformation/misinformation attack. In the long run, our comfort zone becomes our uncomfortable zone, known as the “Panic Zone.”
Information security departments must continue to ask themselves how they can reduce human error in a meaningful way, and start thinking of the human layer as something to work with rather than work around. As with every other layer, there must be an investment of time and money in improving situational security awareness and, as a result, achieving the desired security behavior. Evidence increasingly shows that training the human security layer within the Learning and Growth zones reduces risk and aids the effort to build a credible component of a mature cyber model.
This is why I am so adamant in encouraging corporations and individuals to get out of their “Comfort Zone” and take the education journey through the “Learning Zone” and “Growth Zone.” That journey causes both to identify skills, improve their performance in those skills and develop a desire to keep improving, as a result of the passion they experience and the intrinsic motivation to succeed in developing a high level of situational security awareness.
The one-size-fits-all security awareness training so prevalent today, performed in the organization’s comfort zone, fails to overcome the cognitive biases formed in that comfort zone and falls very short of improving the awareness and vigilance necessary for strengthening cyber defense in the fourth-generation warfare environment.