Practice doesn’t necessarily make perfect, but it can lead to improvement. Quality practice is key in matters of human security, and the right quantity of practice can also make a significant difference when it comes to shifting mindsets and behavior.

“Scientists believe that expert-level performance is primarily the result of expert-level practice,” said Wendi Whitmore, IBM Security VP of X-Force Intelligence, Incident Response & Cyber Command. “This concept is called deliberate practice.”

Deliberate practice has a few defining characteristics, according to Whitmore: It must be intentional, it must be targeted to the individual’s skill level, and it must be followed up with immediate feedback.

A science-backed approach to practice can change behavior. It can create more skillful leadership. Organizations that practice deliberately can change individuals, teams and culture for the better. Still, this approach is surprisingly uncommon in the cybersecurity industry. There are a few exceptions, such as the X-Force Command Cyber Tactical Ops Center and simulations in the cyber range.

Human security is what matters during a cybersecurity crisis, where skills and muscle memory can make the difference in make-or-break moments. Leaders and culture are the most important predictors of cyberattack outcomes, so it’s time to stop under-investing in human security.

Great leadership and security culture don’t happen by accident. However, deliberate practice is exactly what Whitmore does best. In her nearly two-decade career in the Air Force Special Forces and industry, she’s run 3,000 simulations and built leading global incident-response teams.

Roland Cloutier, SVP and chief security officer (CSO) at ADP, is another leader who’s focused on human security. Delivering 40 million individuals’ paychecks requires a globally embedded culture of security. A recent conversation between Whitmore and Cloutier looked at ADP’s approach to building security leadership and culture.

5 Tools to Create a Security Culture Shift

“Our focus here at ADP is to make security a component of what everyone does in their jobs,” said Cloutier. He’s seen a “massive transformation” during his decade as ADP’s CSO.

Part of ADP’s transformation is the result of executive buy-in, as the business climate there supports a security culture. However, Cloutier’s revolution is also the result of five universally valuable tools:

  1. Accountability — What’s most important, according to Cloutier, is making sure security is everyone’s business. “We hold our own people and associates accountable,” said Cloutier. There’s a defined framework for accountability at ADP, which includes a structured process for disciplining inadvertent insiders. In some cases, individuals are required to complete reeducation on security and privacy.
  2. Transparency — ADP’s security practice has a transparent approach to awareness initiatives. This approach emphasizes the importance of employees learning the specific, downstream effects of unsecure behaviors.
  3. Relevance — Security is relevant to every member of ADP’s organization, and this is reflected in education programs. Learners grow to understand how cybersecurity makes a real impact on people’s lives.
  4. Pervasive Responsibility — Security is “pervasive across our business,” according to Cloutier. It spans “from our clients to our back office.” Tens of thousands of global ADP associates know security is everyone’s job.
  5. DevSecOps — A transition to secure DevOps, or DevSecOps, has been another huge driver for ADP. Cloutier encourages chief information security officers (CISOs) to think about building security into the entire product life cycle.

New Ideas for Global Security Engagement

“One of our primary concepts is inclusive ideation from our people,” said Cloutier. “We have a new generation of cyber warriors and risk analysts and business people coming up.” ADP views tomorrow’s leaders as a source of security solutions.

The idea of inclusive ideation also extends outside ADP’s walls. “Our sales force asks how we can protect the client better and what clients want,” said Cloutier.

Executive Engagement

Executive committee engagement is another part of ADP’s global security framework. “There’s not just executive oversight,” said Cloutier. “There’s engagement. There are questions, and there are challenges to how we’re approaching security from the executive committee.”

Employee Participation

ADP employees have the opportunity to participate in and explore security tasks and, ultimately, careers. Associates can join the Safe Pre-Pro Program, which is a global initiative for security awareness. Over 10 percent of ADP’s global associates have opted into the program. Program members are assigned active security task loads and responsibilities they perform locally, in their current roles.

Staff Immersion

Deliberate practice is another focal point. Internal security champions learn hands-on security skills in the X-Force Cyber Ops Command Center. Sometimes, employees learn side-by-side with ADP’s attorneys, executives and external stakeholders.

“When we train as a culture, we train as a global team. We operate that way in crisis,” said Cloutier.

Workforce Communication

ADP’s security practice has adopted some uncommon, effective approaches to communication. For example, their education efforts include blogs and podcasts that talk about security in a way that resonates with their workforce and clients.

Investing in Tomorrow’s Cybersecurity Talent

In a tight talent climate, Cloutier has had to consider new approaches to hiring and skills.

“We look outside of ADP all the way back into the eighth grade with programs like the Women’s Society of Cyberjutsu,” said Cloutier. “We look at post-grad programs … and how we can help [students] graduate as new leaders in security.”

A 10-year talent pipeline is a rare level of human security investment. Still, it’s the kind of intervention that benefits everyone. Working with eighth graders creates a stronger, more diverse security leadership pipeline for tomorrow.

ADP’s talent-sourcing efforts also extend to individuals with nontraditional technology backgrounds, like global military talent and emerging specializations. “We look at unique areas … to quickly assimilate [new hires] into our environment and make them productive members of our programs,” said Cloutier.

Embedding Human Security in Culture

Cloutier has what Whitmore calls a “relentless focus on improvement.” He’s created a security revolution in the past decade at ADP. The organization’s shift is no accident. Instead, it’s the result of a continued investment in human security.

Security is embedded in ADP’s culture. It’s who they are in front of customers, and it’s who they are behind closed doors. Cybersecurity is part of ADP’s entire product life cycle. “We don’t just talk about security issues or vulnerabilities,” said Cloutier. “We talk about the total quality of product and security measures.”

Human security is among the most important investments an organization can make. As Whitmore put it: “Every investment helps our people and our organizations to dramatically improve the odds in a cybersecurity event.” Deliberate practice leads to expert behavior during incident response, and shifting people’s hearts and minds starts with meaningful experience and education.
