Practice doesn’t necessarily make perfect, but it can lead to improvement. Quality practice is key in matters of human security, and the right quantity of practice can also make a significant difference when it comes to shifting mindsets and behavior.

“Scientists believe that expert-level performance is primarily the result of expert-level practice,” said Wendi Whitmore, IBM Security VP of X-Force Intelligence, Incident Response & Cyber Command. “This concept is called deliberate practice.”

Deliberate practice has a few defining characteristics, according to Whitmore: It must be intentional, it must be targeted to the individual’s skill level, and it must be followed up with immediate feedback.

A science-backed approach to practice can change behavior. It can create more skillful leadership. Organizations that practice deliberately can change individuals, teams and culture for the better. Still, this approach is surprisingly uncommon in the cybersecurity industry. There are a few exceptions, such as the X-Force Command Cyber Tactical Ops Center and simulations in the cyber range.

Human security is what matters during a cybersecurity crisis, where skills and muscle memory can make the difference in make-or-break moments. Leaders and culture are the most important predictors of cyberattack outcomes, so it’s time to stop under-investing in human security.

Great leadership and security culture don’t happen by accident, and deliberate practice is exactly what Whitmore does best. In her nearly two-decade career in the Air Force Special Forces and industry, she’s run 3,000 simulations and built leading global incident-response teams.

Roland Cloutier, SVP and chief security officer (CSO) at ADP, is another leader who’s focused on human security. Delivering 40 million individuals’ paychecks requires a globally embedded culture of security. A recent conversation between Whitmore and Cloutier looked at ADP’s approach to building security leadership and culture.

5 Tools to Create a Security Culture Shift

“Our focus here at ADP is to make security a component of what everyone does in their jobs,” said Cloutier. He’s seen a “massive transformation” during his decade as ADP’s CSO.

Part of ADP’s transformation is the result of executive buy-in, as the business climate there supports a security culture. However, Cloutier’s revolution is also the result of five universally valuable tools:

  1. Accountability — What’s most important, according to Cloutier, is making sure security is everyone’s business. “We hold our own people and associates accountable,” said Cloutier. There’s a defined framework for accountability at ADP, which includes a structured process for disciplining inadvertent insiders. In some cases, individuals are required to complete reeducation on security and privacy.
  2. Transparency — ADP’s security practice has a transparent approach to awareness initiatives. This approach emphasizes the importance of employees learning the specific, downstream effects of unsecure behaviors.
  3. Relevance — Security is relevant to every member of ADP’s organization, and this is reflected in education programs. Learners grow to understand how cybersecurity makes a real impact on people’s lives.
  4. Pervasive Responsibility — Security is “pervasive across our business,” according to Cloutier. It spans “from our clients to our back office.” Tens of thousands of global ADP associates know security is everyone’s job.
  5. DevSecOps — A transition to secure DevOps, or DevSecOps, has been another huge driver for ADP. Cloutier encourages chief information security officers (CISOs) to think about building security into the entire product life cycle.

New Ideas for Global Security Engagement

“One of our primary concepts is inclusive ideation from our people,” said Cloutier. “We have a new generation of cyber warriors and risk analysts and business people coming up.” ADP views tomorrow’s leaders as a source of security solutions.

The idea of inclusive ideation also extends outside ADP’s walls. “Our sales force asks how we can protect the client better and what clients want,” said Cloutier.

Executive Engagement

Executive committee engagement is another part of ADP’s global security framework. “There’s not just executive oversight,” said Cloutier. “There’s engagement. There are questions, and there are challenges to how we’re approaching security from the executive committee.”

Employee Participation

ADP employees have the opportunity to participate and explore security tasks and, ultimately, careers. Associates can join the Safe Pre-Pro Program, which is a global initiative for security awareness. Over 10 percent of ADP’s global associates have opted into the program. Program members are assigned active security task loads and responsibilities they perform locally, in their current roles.

Staff Immersion

Deliberate practice is another focal point. Internal security champions learn hands-on security skills in the X-Force Cyber Ops Command Center. Sometimes, employees learn side-by-side with ADP’s attorneys, executives and external stakeholders.

“When we train as a culture, we train as a global team. We operate that way in crisis,” said Cloutier.

Workforce Communication

ADP’s security practice has adopted some uncommon, effective approaches to communication. For example, their education efforts include blogs and podcasts that talk about security in a way that resonates with their workforce and clients.

Investing in Tomorrow’s Cybersecurity Talent

In a tight talent climate, Cloutier has had to consider new approaches to hiring and skills.

“We look outside of ADP all the way back into the eighth grade with programs like the Women’s Society of Cyberjutsu,” said Cloutier. “We look at post-grad programs … and how we can help [students] graduate as new leaders in security.”

A 10-year talent pipeline is a rare level of human security investment. Still, it’s the kind of intervention that benefits everyone. Working with eighth graders creates a stronger, more diverse security leadership pipeline for tomorrow.

ADP’s talent-sourcing efforts also extend to individuals with nontraditional technology backgrounds, like global military talent and emerging specializations. “We look at unique areas … to quickly assimilate [new hires] into our environment and make them productive members of our programs,” said Cloutier.

Embedding Human Security in Culture

Cloutier has what Whitmore calls a “relentless focus on improvement.” He’s created a security revolution in the past decade at ADP. The organization’s shift is no accident. Instead, it’s the result of a continued investment in human security.

Security is embedded in ADP’s culture. It’s who they are in front of customers, and it’s who they are behind closed doors. Cybersecurity is part of ADP’s entire product life cycle. “We don’t just talk about security issues or vulnerabilities,” said Cloutier. “We talk about the total quality of product and security measures.”

Human security is among the most important investments an organization can make. As Whitmore put it: “Every investment helps our people and our organizations to dramatically improve the odds in a cybersecurity event.” Deliberate practice leads to expert behavior during incident response, and shifting people’s hearts and minds starts with meaningful experience and education.
