Practice doesn’t necessarily make perfect, but it can lead to improvement. Quality practice is key in matters of human security, and the right quantity of practice can also make a significant difference when it comes to shifting mindsets and behavior.
“Scientists believe that expert-level performance is primarily the result of expert-level practice,” said Wendi Whitmore, IBM Security VP of X-Force Intelligence, Incident Response & Cyber Command. “This concept is called deliberate practice.”
Deliberate practice has a few defining characteristics, according to Whitmore: It must be intentional, it must be targeted to the individual’s skill level, and it must be followed up with immediate feedback.
A science-backed approach to practice can change behavior. It can create more skillful leadership. Organizations that practice deliberately can change individuals, teams and culture for the better. Still, this approach is surprisingly uncommon in the cybersecurity industry. There are a few exceptions, such as the X-Force Command Cyber Tactical Ops Center and simulations in the cyber range.
Human security is what matters during a cybersecurity crisis, where skills and muscle memory can make the difference in make-or-break moments. Leaders and culture are the most important predictors of cyberattack outcomes, so it’s time to stop under-investing in human security.
Great leadership and security culture don’t happen by accident. However, deliberate practice is exactly what Whitmore does best. In her nearly two-decade career in the Air Force Special Forces and industry, she’s run 3,000 simulations and built leading global incident-response teams.
Roland Cloutier, SVP and chief security officer (CSO) at ADP, is another leader who’s focused on human security. Delivering 40 million individuals’ paychecks requires a globally embedded culture of security. A recent conversation between Whitmore and Cloutier looked at ADP’s approach to building security leadership and culture.
5 Tools to Create a Security Culture Shift
“Our focus here at ADP is to make security a component of what everyone does in their jobs,” said Cloutier. He’s seen a “massive transformation” during his decade as ADP’s CSO.
Part of ADP’s transformation is the result of executive buy-in, as the business climate there supports a security culture. However, Cloutier’s revolution is also the result of five universally valuable tools:
- Accountability — What’s most important, according to Cloutier, is making sure security is everyone’s business. “We hold our own people and associates accountable,” said Cloutier. There’s a defined framework for accountability at ADP, which includes a structured process for disciplining inadvertent insiders. In some cases, individuals are required to complete reeducation on security and privacy.
- Transparency — ADP’s security practice has a transparent approach to awareness initiatives. This approach emphasizes the importance of employees learning the specific, downstream effects of unsecure behaviors.
- Relevance — Security is relevant to every member of ADP’s organization, and this is reflected in education programs. Learners grow to understand how cybersecurity makes a real impact on people’s lives.
- Pervasive Responsibility — Security is “pervasive across our business,” according to Cloutier. It spans “from our clients to our back office.” Tens of thousands of global ADP associates know security is everyone’s job.
- DevSecOps — A transition to secure DevOps, or DevSecOps, has been another huge driver for ADP. Cloutier encourages chief information security officers (CISOs) to think about building security into the entire product life cycle.
New Ideas for Global Security Engagement
“One of our primary concepts is inclusive ideation from our people,” said Cloutier. “We have a new generation of cyber warriors and risk analysts and business people coming up.” ADP views tomorrow’s leaders as a source of security solutions.
The idea of inclusive ideation also extends outside ADP’s walls. “Our sales force asks how we can protect the client better and what clients want,” said Cloutier.
Executive committee engagement is another part of ADP’s global security framework. “There’s not just executive oversight,” said Cloutier. “There’s engagement. There are questions, and there are challenges to how we’re approaching security from the executive committee.”
ADP employees have the opportunity to participate and explore security tasks and, ultimately, careers. Associates can join the Safe Pre-Pro Program, which is a global initiative for security awareness. Over 10 percent of ADP’s global associates have opted into the program. Program members are assigned active security task loads and responsibilities they perform locally, in their current roles.
Deliberate practice is another focal point. Internal security champions learn hands-on security skills in the X-Force Cyber Ops Command Center. Sometimes, employees learn side-by-side with ADP’s attorneys, executives and external stakeholders.
“When we train as a culture, we train as a global team. We operate that way in crisis,” said Cloutier.
ADP’s security practice has adopted some uncommon, effective approaches to communication. For example, their education efforts include blogs and podcasts that talk about security in a way that resonates with their workforce and clients.
Investing in Tomorrow’s Cybersecurity Talent
In a tight talent climate, Cloutier has had to consider new approaches to hiring and skills.
“We look outside of ADP all the way back into the eighth grade with programs like the Women’s Society of Cyberjutsu,” said Cloutier. “We look at post-grad programs … and how we can help [students] graduate as new leaders in security.”
A 10-year talent pipeline is a rare level of human security investment. Still, it’s the kind of intervention that benefits everyone. Working with eighth graders creates a stronger, more diverse security leadership pipeline for tomorrow.
ADP’s talent-sourcing efforts also extend to individuals with nontraditional technology backgrounds, like global military talent and emerging specializations. “We look at unique areas … to quickly assimilate [new hires] into our environment and make them productive members of our programs,” said Cloutier.
Embedding Human Security in Culture
Cloutier has what Whitmore calls a “relentless focus on improvement.” He’s created a security revolution in the past decade at ADP. The organization’s shift is no accident. Instead, it’s the result of a continued investment in human security.
Security is embedded in ADP’s culture. It’s who they are in front of customers, and it’s who they are behind closed doors. Cybersecurity is part of ADP’s entire product life cycle. “We don’t just talk about security issues or vulnerabilities,” said Cloutier. “We talk about the total quality of product and security measures.”
Human security is among the most important investments an organization can make. As Whitmore put it: “Every investment helps our people and our organizations to dramatically improve the odds in a cybersecurity event.” Deliberate practice leads to expert behavior during incident response, and shifting people’s hearts and minds starts with meaningful experience and education.