I think the risks are really attracting the top talent, retaining the top talent, making sure that there is continued funding to invest in cybersecurity on the programs where we will need to prioritize and then processes that need to be improved. Overall, you can’t stop what’s going on outside of your organization. You can’t stop the bad things. You have to just prepare how to respond to them so the biggest risk is not doing anything. That would be detrimental. But, as long as you have a good security program, you’re able to retain the talent and work towards fulfilling some of the gaps and holes that you have, you should be okay.
CIO, Healthcare Provider
Walk into any major McAfee campus around the world and you’ll see a common fixture. It’s not the usual amenity you might expect to find in modernized workplaces, like a gym or friendly dogs at work (though we also have plenty of those!). It’s a . . . wall.
Since the public discourse is replete with talks of walls at the moment, let me explain. Like many companies, McAfee has a vision, mission, and values. Our vision reflects our aspiration for our industry and world. Our mission guides strategy. Our values express behaviors for the company we are. Those important cultural pillars are likely not that different from what your employer espouses.
But what sets us apart from many companies is that we also have a pledge. While our vision, mission, and values reflect our ambition, thinking, and conduct, respectively, our pledge reminds us of our calling:
We dedicate ourselves to keeping the world safe from cyber threats.
Threats that are no longer limited to the confines of our computers, but are prevalent in every aspect of our connected world.
We will not rest in our quest to protect the safety of our families, our communities, and our nations.
You’ll find these words prominently displayed on pledge walls in every major McAfee location around the world. In addition to the pledge, our walls commemorate the signatures from thousands of McAfee employees volunteering themselves to uphold that pledge. For the rest of employees in more remote facilities, including our work-at-home population, chances are they electronically signed this pledge upon joining our company.
The pledge is central to why McAfee does what we do. We’re in the business of cybersecurity. So it’s only natural that security is the lifeblood of our company. Even so, we’re not immune from adversaries intent on doing us harm. No company is.
But how does your company, one that is likely not in the core business of cybersecurity, develop a culture that embeds security into the fabric of your organization? While I don’t envision pledge walls featuring employees committed to keeping the world safe in your future, there are plenty of areas where your company can focus to make cybersecurity a meaningful component of your culture.
Chances are your company and culture could benefit from a healthy dose of cybersecurity. There’s no doubt that the ongoing cybersecurity battle between the good guys and bad guys can tilt in favor of the former when more companies adopt cultures of security.
Since our HR professionals are the experts among us who have devoted their careers to organizational health and are the champions behind the cultures sustaining it, I’m dedicating this chapter to them. While they are not exclusively responsible for company culture, they have more sway over it than just about any other party, except for the CEO. They inspire the rest of us by creating environments that attract and retain exceptional talent, something I’ve witnessed first-hand at McAfee in how a visionary CHRO can spread influence and impact far beyond her reach. And they have much more to offer in being part of the cybersecurity solution than they might think.
Before I joined the ranks of cybersecurity, I spent much of my career in telecommunications. I was part of the wild ride that was the dot-com boom of the late nineties. I remember when just about everyone I knew was off to found or join the next dot-com start-up. It seemed that all were destined for success. I remember those of us fortunate enough to work in the industry at the time gloating that we were part of the modern-day gold rush. I was in the right place, at the right time. There were more job offers coming my way than I could shake a stick at. Life was good.
Until it wasn’t. The dot-com bust at the turn of the century shattered dreams and careers. Unemployment soared overnight. The struggle was very real for many of my friends who traded their equity that wasn’t worth the paper on which it was printed for a pink slip worth even less.
It took several years and multiple rounds of layoffs for a tumultuous telecom industry to eventually equilibrate. But equilibrate it slowly did. And the virtually nonexistent telecom unemployment rate at the dawn of the millennium is now a reminder, to those of us who endured that journey and have the scars to show for it, of how too much of a good thing can be very bad indeed.
Fast-forward in my career nearly 15 years later when I entered McAfee and the cybersecurity industry. Of course, I knew that McAfee was in the business of security. It was a calling I shared. I wanted to do something meaningful with the 60-plus hours per week I invest in my career. Saving lives seemed about as good as it got.
So good, in fact, that I soon learned that we couldn’t hire people fast enough. The global talent shortage in the industry took me back to the days of that practically nonexistent unemployment rate from an era gone by. While candidates in cybersecurity roles may relish the idea of perpetual job security, the reality is that the consequences of a zero-percent unemployment rate in this industry are even worse than what I experienced so long ago.
The reason is that there is so much more at stake. Back in the day, filling jobs for the latest dot-com boom wasn’t likely a matter of life or death. Some enterprising start-ups may have found it more difficult to attract and retain talent for their latest ventures, but let’s be real. What was really at stake?
Perhaps we’d have to wait a few more years for the Internet’s potential to catch up to its hype; for the app economy we know and love today to materialize. Those early grocery or pet supply delivery services would see a few false starts. Lucky for us, there were plenty of viable options through which to procure such goods, even while we waited for e-commerce at our fingertips to deliver virtually anything to us in days (if not hours). The dot-com boom and subsequent bust are now but distant memories for most of us. We survived to tell the tale.
Cybersecurity is different. There’s more than network bandwidth or cool applications at stake. A lot more. We have national security to consider. Companies have intellectual property, finances, reputation, and more to protect. All the while, we struggle to fill jobs for those who defend us.
Unlike in the telecom industry, this talent shortage isn’t likely to be solved by some industry bust. We’re not likely to see unemployment rates skyrocket with a glut of talented cybersecurity professionals entering the market. That’s because our enemy won’t have it that way. Adversaries continue to recruit to their ranks. As long as there is no shortage of bad actors, there will be no surplus of cybersecurity professionals.
This is the nature of our beast. Cybersecurity vendors poach talent from one another, since it’s easier to pay more for someone already schooled in the industry than to attempt to recruit from a virtually bankrupt pipeline of candidates. The private sector finds itself in the same revolving door of talent. And the public sector, typically with the most to defend (our national security!) is left to compete in this hotly contested labor market with the toughest constraints on compensation.
The demand for cybersecurity professionals far exceeds its supply. And that gap affects all of us.
To make matters worse, we have a dearth of diversity in the talent pool. Women and minorities are woefully underrepresented. Even if you’re not one who sees the goodness in having a diverse workforce, this problem transcends political or ideological principles. The unfortunate reality is that we don’t have enough qualified candidates in the labor market or pipeline, and that’s a problem that requires all the help we can get. A gender or minority gap works against all of us by greatly diminishing our addressable market for cybersecurity talent.
It’s tempting to think this problem is too big to solve. It’s easier to kick the can down the road than put the work in today to address the cybersecurity talent shortage. It’s particularly understandable when considering what we’re up against:
Perhaps the problem isn’t solvable? Maybe women and minorities simply aren’t inclined to pursue jobs in cybersecurity? Or perhaps they’re just not cut out to do the work? Could it be that the cybersecurity industry is doomed to lack diversity and its inherent benefits?
Not if its origins are any indicator of its destiny. The original software programmer was a woman. Ada Lovelace is widely credited with writing the first computer program in history—an algorithm that would calculate the Bernoulli sequence, which, among other things, explains why an airplane’s wings take flight.
In the mainframe era that dawned in the 1940s, it was women, once again, who programmed the machines. Men were more interested in building these behemoth computers, leaving the meticulous coding to their female counterparts.
During World War II, women comprised 75 percent of the Bletchley Park code-breaking operation[3] that helped break the Enigma code of the Germans.
After the war, women remained foundational to coding in the private sector. A woman, Grace Hopper, created the first compiler, something that translated English-friendly code into the bits and bytes understandable by a computer.
As programming jobs exploded in the 1950s and 1960s, women were a mainstay in the labor force. The field was a meritocracy, based on aptitude and achievement. Companies often selected programmers based on an admissions test, one that typically involved pattern recognition. Women and men were on an equal playing field.
What changed?
Perhaps the more important question is: What didn’t change? Women didn’t suddenly lose their propensity to apply math or science skills to their work. And companies didn’t decide overnight that men were more capable than women of fulfilling the responsibilities required of a programmer.
As this history lesson would reveal, sometimes technology can impede progress on one front to accelerate it on another. Specifically, when the first personal computers entered households in 1984, we could hardly have imagined their impact decades later. On one end, personal computing made possible the digital age in which we find ourselves today. On the other, it unintentionally disenfranchised women and minorities from the pursuit of programming roles, including cybersecurity jobs, that are in such high demand.[4]
You see, when personal computers entered the market, their price points favored more affluent households, as is the case with many new technologies. That reality disadvantaged minority households, which earned, on average, less than their nonminority counterparts.
Within a few years, universities began to be flooded with applicants who wanted to pursue a career in programming—now a hot market with a bright future thanks, in large part, to the advent of personal computing. Economic powers of supply and demand took hold. Universities couldn’t fulfill the demand for all candidates wanting a career in computer sciences, including women and minorities. They began ratcheting up the requirements for such degrees, particularly in the crucial first year of study, to weed out candidates without a perceived penchant for the skills required (typically by accelerating the curriculum that would otherwise be found later in a candidate’s studies).
The fast-tracked curriculum favored those with the prior experience of banging on a keyboard, learning the inner workings of a computer. In other words, candidates coming from PC households—white males.
But what about white females within these households? Why would a little girl’s interest in computers be less than her brother’s when she had access to the same technology?
Think back to the mid-to-late 1980s and the teenage culture splashed on Hollywood’s big screen. You’ll remember pop-culture classics like Revenge of the Nerds, Weird Science, and WarGames. The protagonists that emerged from these box-office hits? Hollywood’s stereotype of a lovable nerd—a white male nerd, to be exact.
Computers, and the programming language that controlled them, became a guy’s trade.[5] Teenage girls, like me at the time, no longer visualized ourselves in these careers since it seemed they were tailor-made for males. There’s a saying that strikes a chord with me as a woman, “If she can’t see her, she can’t be her.” And the female archetype who happened to kick butt in programming—one resembling Ada Lovelace, Grace Hopper, and the Bletchley Park women—was conspicuous by her absence in just about every blockbuster movie that glorified computing at the time.
I give you that brief history lesson not to assign blame in any one direction. To be clear, I couldn’t be more grateful that I have a computer through which to write this book. I couldn’t be more appreciative that we have talented programmers—both male and female—who make possible many of the innovations I enjoy today. I happen to be a fan of those 1980s movies that moved computers into our pop culture. And I take absolutely nothing away from the countless innovators—men and women alike—who paved the way for the future we have seized.
I simply want to expand our addressable market for cybersecurity talent because the cybersecurity talent shortage is yet one more threat we face. Another menace to our digital freedom is certainly something we can all do without.
Those who do not learn from history are doomed to repeat it. There is much we can glean from this history lesson to change our trajectory going forward and move above a zero-percent cybersecurity unemployment rate (a strange ambition to want unemployment in cybersecurity, I realize, but I hope I’ve made the point that a bit of a labor surplus beats the seemingly endless talent shortage in which we find ourselves). As the recruiters for our companies, HR professionals have a significant role to play in helping their companies—and the cybersecurity industry—bridge the gap.
We must accept two realities. First, our pipeline of existing cybersecurity talent is desperately lacking, and that problem isn’t going to change anytime soon. Second, because there aren’t enough candidates in the pipeline to fill the cybersecurity jobs we currently have, we need every employee to take up arms in the battle, doing her part to strengthen her company’s defenses.
The two-sided coin—recruitment and enlistment—becomes a call-to-arms for HR professionals. On the recruitment front, HR can help their organizations expand the aperture for cybersecurity talent. This isn’t a case where bias can win. We need all talent helping in the fight—men and women, minorities and non-minorities, arts and sciences. To this last point, our industry has been so focused on STEM (science, technology, engineering, and math) that we’ve lost STEAM (science, technology, engineering, arts, and math). Cybersecurity is as much a psychological battle as it is a technical one (combat lends itself to both). It entails both soft and hard skills. It exercises creativity as much as it does problem solving.
Review your cybersecurity job postings and look for a balance of skills that widen the market of applicants. Doing so will not compromise the quality of candidates (this isn’t about lowering standards). Look to the history of women in this field, back when complex math was computed in a human’s brain, not a machine, and you’ll realize that women are equally as capable of fulfilling the roles as men. You may simply need to look for the same unconscious bias that had universities weeding out diverse talent in the late 1980s in your company’s own cybersecurity job descriptions. When you find it, weed it out relentlessly.
But that’s still not sufficient. You’ll need to do the same throughout your recruitment process. That includes the interview. Unfortunately, questions that are everyday fare in many interviews are also a source of unconscious bias. For instance, behavioral interview questions that are commonplace (such as, “Tell me about a time when . . .”) naturally favor candidates with more history. However, that history may or may not be relevant to today’s challenges. In fact, research suggests such questions predict success only 12 percent better than a coin flip.[6]
Instead, give the candidate a problem and ask her how she would solve it. You may ask the candidate to walk you through her plan for acclimating herself to your culture and company upon hire. You might show her a flowchart of your current process and ask her to make suggestions for improvement. The point is that you want to see how a candidate thinks, not simply have her regurgitate her past.
In the interview process, use panels of interviewers to identify the most qualified candidates. Here is another case where too much of a good thing can be bad. For example, Google has its Rule of Four, in which they have successfully modeled that four interviews are sufficient to predict a new Googler’s success with 86 percent confidence.[7] Any more is overkill. Any less, insufficient.
No matter your company’s ideal number, make sure at least one interviewer on your panel is a diverse leader. Men and women answer questions differently. Having both on your interview panel will account for these differences.
Taking another lesson from Google, they also have an interesting interview question for which they grade men and women differently. It’s this: “On a scale of 1 to 5, rate yourself as a software engineer.”
Their evidence suggests the most successful male Googlers answered “4” when asked this interview question. Google finds that men tend to inflate their experience or qualifications. The score most likely to predict success for female candidates? A perfect 5, as Google finds women are more likely to be reserved and humble.[8] (Of course, Google will now have to come up with additional interview questions to determine success, given their secret is out!)
For all these reasons, McAfee uses a panel interview approach for most positions. And we place at least one female or minority on every interview panel to represent the same diversity we aspire to recruit.
Finally, eliminate the bias that may have your company seeking only professionals with prior cybersecurity experience. There aren’t enough of them in the market. We can’t keep poaching from one another, driving up wages, and churning talent in the process. So eliminate questions that bias your company against candidates with different backgrounds. For instance, asking a candidate to tell you about the latest hot innovation he finds interesting in cybersecurity disadvantages those with less hands-on experience (as we learned from the history lesson of the PC). Ensure your questions pick up STEAM—pun intended—when looking for qualified candidates.
I walked into McAfee without having a lick of cybersecurity experience in my background. Within six months, I had co-authored a book on the topic. I’m not minimizing the complexity of the industry. But I am suggesting that skills are transferable. Look for candidates with technical skills in other fields. You’ll find technical industries, like telecom, that aren’t in the same zero-percent unemployment state. Technology lends itself to ebbs and flows in different labor markets. Expand your aperture for qualified talent with transferable skills, whether candidates have prior cybersecurity experience or not.
On the enlistment side of the coin, you can pull multiple levers to embed cybersecurity in the day-to-day jobs of employees, without overwhelming them in the process. First, search your company values—those standards for conduct or guiding principles that you expect employees to uphold—and see where you can add one word to change their meaning in a profound way: security.
For example, in exploring my former stomping grounds at a prior employer, Verizon, I found the company has an impressive credo featured on their website at the time of this writing. Let’s take a look at how inserting just one word can expand meaning without compromising intent (italics mine, to suggest the addition):
We have work because our customers value our high-quality communications services.
We deliver superior customer experiences through our products and our actions. Everything we do we build on a strong network, systems and process foundation. The quality, reliability and *security* of the products we deliver are paramount. Customers pay us to provide them with services that they can rely on.
One word can change scope without altering purpose.
Now this isn’t a game of Cybersecurity Bingo. There are values or guiding principles where security just doesn’t fit. Don’t force a square peg in a round hole. Case in point from Verizon’s example:
We know teamwork enables us to serve our customers better and faster.
We embrace diversity and personal development not only because it’s the right thing to do, but also because it’s smart business. We are driven not by ego but by accomplishments. We keep our commitments to each other and our customers. Our word is our contract. We respect and trust one another, communicating openly, candidly and directly since any other way is unfair and a waste of time. We voice our opinion and exercise constructive dissent, and then rally around the agreed-upon action with our full support. Any one of us can deliver a view or idea to anyone else, and listen to and value another’s view regardless of title or level. Ideas live and die on their merits rather than where they were invented.
I happen to love that excerpt from Verizon’s credo. But, try as I might, I couldn’t find a way to naturally insert “security” in what is already stated beautifully.
That’s okay. While you won’t contrive a home for security in a company value where it doesn’t belong, you’ll likely find at least one where it easily does. Assuming your values are more than fancy copy on the back of an employee’s badge, you’ll begin to seed security into your company’s foundation by rooting out non-secure behaviors and implanting secure ones in their place.
Next, let’s look at your rewards and recognition programs to find a natural home for cybersecurity achievements. The first is clear and easy. Show some love to your cybersecurity team. As mentioned in Chapter 2, they’ve been relegated to the backstage of your company for too long. Bring them out from behind the curtain.
How? Give your CISO a voice in some company all-hands meetings. She doesn’t need to be a perennial fixture in every company event. But you can certainly expose her and her team’s accomplishments for the broader employee population to understand the attack landscape and the importance of cybersecurity defense. Beyond enlisting more recruits to the fight, a little appreciation goes a long way and may help stymie high turnover rates (thanks to that nonexistent unemployment rate) in your cybersecurity ranks.
Next, expand your rewards and recognition programs to include cybersecurity. I mentioned in the last chapter about the importance of stopping the line for a new product or service release whenever security is subpar. Use your company’s recognition platform to publicly credit employees—whether in cybersecurity or not—for raising valid security concerns that stop any such product or service from ever reaching the market.
Now it’s time to address the elephant in the room where this book is concerned. Up until this point, we’ve been talking about employees as generally well-intentioned subjects seeking to do right by their companies in the way of cybersecurity, but perhaps lacking the education or prescription to do so. That’s largely the reality.
But there is a subset of employees who have no desire to do right by your company. These aren’t simply apathetic bystanders in the cybersecurity fight. These are malicious insiders seeking to do your organization harm and/or personally profit at your company’s expense. According to Verizon’s DBIR report, malicious insiders account for over 10 percent of all company breaches.[9]
Malicious insiders are the most insidious enemies for companies to address. For one, companies are reluctant to impose a Big Brother state of monitoring on employees—and for good reason. Privacy concerns notwithstanding, employers may be unwilling to treat every employee as a potential bad actor, favoring instead a workplace culture in which trust is freely offered, not arduously earned over time.
Yet, bad actors who work for your company are a reality. What’s an organization to do to weed out the threat from within? Your cybersecurity organization has technologies it can deploy to identify anomalous behavior. But technology, on its own, is a much weaker defense than the combination of technology, tools, and people working together. This is where HR professionals can assist in creating people controls to identify malicious insiders.
First, work with the CISO to identify the employees with the greatest access to the company’s most valuable assets. Your CISO should already have a taxonomy of risk, mapped against value, for your organization’s most prized possessions, whether intellectual property, manufacturing facilities, sensitive databases, or something else entirely. Define the perimeter of employees with privileged access to these valuables. Establish with the hiring manager and your security organization what level of access is required for these employees to do their jobs effectively. Periodically review the list of employees to ensure no job changes warrant an adjustment to privileges. Come performance review time, create a list of employees who may pose a flight risk and compare it against those who have privileged access, ensuring Legal is in the process to respect employee privacy concerns. By establishing and monitoring employee access privileges regularly, you protect your company from those who no longer require enhanced privileges (or may never have required them in the first place).
Note that access hygiene not only protects your company against malicious insiders but malevolent outsiders as well. Had McAfee applied this prescription, we would have removed an agency employee (essentially an extended insider to our team) from having administrative privileges to our social media page when she was no longer doing work for us. By doing so, we would have averted the hack I covered in the first chapter.
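The access-review steps above, as an added example that is not from the book or from McAfee: a script that cross-checks an HR roster against an entitlement export and flags the cases the chapter describes (a departed agency contractor still holding admin rights, privileges above what a role needs, access approved under a previous role, and privileged holders on a flight-risk list). The roster, asset names, role names and the required-access matrix are constructed sample data, not anyone's real systems.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Privilege ranking so "admin" can be compared against "editor" or "read".
LEVELS = {"read": 1, "editor": 2, "admin": 3}


@dataclass(frozen=True)
class Person:
    uid: str
    role: str      # current job role according to HR
    status: str    # "active", "terminated" or "contract_ended"


@dataclass(frozen=True)
class Entitlement:
    uid: str
    asset: str
    level: str              # one of LEVELS
    granted_for_role: str   # the role this access was approved for


# Access each role needs on each asset, as agreed between hiring manager and
# security (hypothetical matrix). A missing (role, asset) pair means the role
# has no standing need for that asset at all.
REQUIRED: Dict[Tuple[str, str], str] = {
    ("social_media_manager", "corp_social_page"): "admin",
    ("marketing_analyst", "corp_social_page"): "read",
    ("release_engineer", "product_roadmap_db"): "editor",
}

Finding = Tuple[str, str, str, str]  # (type, uid, asset, recommended action)


def review_access(roster: List[Person], entitlements: List[Entitlement],
                  flight_risk: frozenset = frozenset()) -> List[Finding]:
    """Return one finding per entitlement that needs attention.

    Checks, in order: holder gone (orphaned), no business need for the current
    role, privilege above what the role requires, access approved under a
    previous role. Separately flags privileged holders on the flight-risk list.
    """
    people = {p.uid: p for p in roster}
    findings: List[Finding] = []
    for e in entitlements:
        p = people.get(e.uid)
        if p is None or p.status != "active":
            findings.append(("orphaned", e.uid, e.asset,
                             "holder is not an active employee or contractor; revoke"))
            continue
        required = REQUIRED.get((p.role, e.asset))
        if required is None:
            findings.append(("no_business_need", e.uid, e.asset,
                             f"role {p.role} has no need for this asset; revoke"))
        elif LEVELS[e.level] > LEVELS[required]:
            findings.append(("excess_privilege", e.uid, e.asset,
                             f"reduce {e.level} to {required}"))
        elif e.granted_for_role != p.role:
            findings.append(("role_drift", e.uid, e.asset,
                             f"approved for {e.granted_for_role}; re-approve for {p.role}"))
        if e.uid in flight_risk and LEVELS[e.level] >= LEVELS["editor"]:
            findings.append(("flight_risk_review", e.uid, e.asset,
                             "privileged holder flagged as flight risk; review with Legal"))
    return findings


def count_by_type(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for kind, *_ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample data: an HR roster and an entitlement export.
ROSTER = [
    Person("agency01", "social_media_manager", "contract_ended"),  # agency contractor gone
    Person("ops05", "social_media_manager", "active"),   # promoted from analyst
    Person("mkt07", "marketing_analyst", "active"),
    Person("eng22", "release_engineer", "active"),
    Person("eng30", "support_engineer", "active"),       # moved off the release team
]
ENTITLEMENTS = [
    Entitlement("agency01", "corp_social_page", "admin", "social_media_manager"),
    Entitlement("ops05", "corp_social_page", "admin", "marketing_analyst"),
    Entitlement("mkt07", "corp_social_page", "editor", "marketing_analyst"),
    Entitlement("eng22", "product_roadmap_db", "editor", "release_engineer"),
    Entitlement("eng30", "product_roadmap_db", "editor", "release_engineer"),
    Entitlement("ghost99", "product_roadmap_db", "admin", "release_engineer"),
]
FLIGHT_RISK = frozenset({"eng22"})

if __name__ == "__main__":
    for finding in review_access(ROSTER, ENTITLEMENTS, FLIGHT_RISK):
        print(finding)
```

Run on a real export, the flight-risk cross-check is the one that should involve Legal before anyone acts on it, which is why the script only reports it rather than recommending revocation.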
Next, within your reward-and-recognition program, carve out a place for whistleblowers. This goes beyond government programs that protect and incentivize these people. Establish a confidential program whereby employees can report suspicious behavior. Clearly, this is a fine line to walk, as you don’t want to create a company culture of distrust among employees. But if you allow employees to speak up when they see something that doesn’t sit right with them, you can marshal one of your most powerful weapons—your own workforce—in identifying rogue employees.
Case in point: A while back, McAfee reprioritized our investment areas to more closely align with our customers’ needs and the marketplace. These decisions never come easy for a company, especially when they impact employees, which was the case in this example.
I received an email from a manager on my team, who forwarded one he had received from one of his employees. In it, the employee asked the manager for help. One of our impacted employees was overheard on what seemed to be a suspicious phone call. In it, the employee in question stated that, now that they had been “let go,” they could reveal exactly what McAfee had been working on in recent months. (I should mention that this employee had knowledge of an upcoming product rollout.)
Upon hearing the conversation, our concerned employee decided it best to send an email to a manager reciting exactly what was said. Because of this, we were able to intervene with a reminder to the exiting employee of confidentiality requirements (without exposing the whistleblower in the process). And we were able to make other decisions to accelerate or otherwise alter the original rollout schedule for the product in question.
Since the exiting employee wasn’t using company systems to relay or exfiltrate the information, this threat would have gone undetected by McAfee’s cybersecurity team. Only one employee overheard the phone conversation and was under no obligation to report it. But the person did. I couldn’t have expressed my gratitude more for one of our own looking out for the company. Find a confidential, nonthreatening way for conscientious employees to blow a whistle or raise a flag when they see something dubious. When they do, reward them appropriately.
Finally, examine your company’s key performance indicators (KPIs) to find those related to cybersecurity. At a minimum, every member of the executive team should have at least one cybersecurity KPI.
This shouldn’t be hard. After all, this book reveals how cybersecurity permeates multiple functional areas of the company and where every employee can play his part. Find a few examples and embed at least one meaningful cybersecurity KPI for every chief officer. He will in turn cascade the appropriate cybersecurity metrics to those on his team with responsibility for the same. Those leaders will, in turn, distribute responsibility to the individual contributors on their teams. This waterfall effect eventually soaks cybersecurity into all functions and all levels of your company.
* * *
This book is about instilling a cybersecurity culture at all levels and layers of organizations. Culture isn’t pushed down. It spreads laterally and organically. The best management can do is provide the optimal soil for great cultures to flourish. That entails ensuring employees are mindful of the vision, mission, and values guiding your company forward. It requires recruiting the right talent, aligned to those company values, and committed to mutual success. And it entails having reward-and-recognition programs and clearly aligned metrics to ensure everyone is moving in the same direction.
As those who most tend to a company’s culture, HR professionals have a significant role to play in depositing cybersecurity seeds. You are instrumental in helping the industry’s, let alone your company’s, cybersecurity talent shortage. By removing the unconscious bias that limits our collective ability to find and recruit exceptional cybersecurity talent and creating a climate that enlists every employee in the battle, HR can bridge the cybersecurity gap for all of us.