Are stress levels in cybersecurity professionals CISOs shooting through the roof? Reports claim that CISOs are stressed and this is putting organizations at risk. Global IT advisory firm Gartner says that by the year 2025, nearly half of cybersecurity leaders will change jobs. So, in just about two years, 25% of them will opt for different roles entirely due to multiple work-related stressors. CISOs and cybersecurity professionals are on the defense. There is a big psychological impact of this, which directly affects decision quality and the performance of cybersecurity leaders and their teams.
In a conversation with ETCISO Brian Barnier and , co-founders of Think.Design.Cyber, discuss a range of issues impacting cybersecurity professionals and how to manage them.
Do you think cybersecurity lags far behind other disciplines in terms of its tools and methods? You have been quite vocal about this in the past. Would you like to shed some light on this?
Brian Barnier: The first thing to note is, there is no standard definition or understanding of cybersecurity today. We are too reactive in our approach. On one hand, threat-chasing and on the other hand, creating more and more software without innovating math and methods. This is neglecting and crushing people. There are multiple examples of how the domain of cybersecurity lags far behind in terms of methods widely used in other disciples. There are two divergent views in cyber – systems and auditing. Then, people for whom I have lots of empathy who never were educated about the big picture – and thus are just on a hamster wheel. For example, a long-time colleague’s brother lives in the military area of Pune. What I learnt from him is that what is common knowledge in aviation (systems) that can be easily applied to cybersecurity is largely unknown in cybersecurity. A good example is managing pilot cognitive overloads, that is not even a conversation in cybersecurity.
I believe that our cybersecurity friends do not need to be left decades behind other disciplines, including the rest of IT. We can break this loop by using our critical thinking, systems thinking and industrial-strength design thinking heritage. In fact, design thinking is in the bloodline of cybersecurity professionals.
Another example is the adoption of book keeping checks in controls framework over the past 15 years. They are entirely inappropriate for the complex dynamic, highly adversarial system in which cybersecurity lives. Those bookkeeping checks are revealed to be the root cause of so many incidents and breaches – and “hamster wheel” syndrome and burnout for cyber pros. Therefore, for 2023, we need a reformation in cyber — recovering our roots in critical thinking, systems thinking and industrial-strength design thinking. In fact, doing so will make it easier to implement John Kindervag ’s authentic Zero Trust strategy, reduce danger to people, make cybersecurity as reliable as electricity and provide better work-life balance for cyber professionals.
In multiple surveys, it has come to the fore that cybersecurity professionals feel burnout, stress, and poor work-life balance. Lately, there has been a lot of attention on why there is so much burnout and stress in the domain of cybersecurity.
Prachee Kale: Why? Because of the fact that the math and methods lag decades behind other disciplines. Asking brilliant people to use flawed methods to solve problems in a checkers-checking-checkers way of working yet expecting them to deliver exemplary results is always a recipe for failure. No surprise, most breaches occur due to bad math and methods. Let me give you an example: Have you noticed that cyber forensics in the last 20 years (at least in the USA) uses methods adapted from bookkeeping audits?
Bookkeeping is a linear, stable, highly-rules based system where the bad actors have employee badges. How often have you seen methods in cyber adapted from aviation, management, transportation more broadly, manufacturing, weather, earth science, etc.? Yet, those better reflect the nature of the system in which cybersecurity lives — complex, dynamic, chaotic, adaptive, highly adversarial and where bad actors are external. This requires systems and root cause analysis methods appropriate for the nature of the system. These appropriate methods have been used for decades in other disciplines with similar systems dynamics to cybersecurity, but not in cybersecurity.
It does not have to be this way. Cybersecurity can catch up to other disciplines. Inappropriate methods applied to cybersecurity problems are like flaws in a building’s design and engineering: they set people up for failure and burnout. Instead, apply methods like those developed by W. Edwards Deming pioneered 70 years ago. Deming’s System of Profound Knowledge is the antidote, but few understand how it applies to cybersecurity. It can make work-life balance better for cyber pros and better protect people from danger. Cybersecurity does not need to lag other disciplines by decades. Consider all the Indian universities that reference Deming. Plus, the ‘Made in India’ initiative rests on this.
What are the hurdles to creating a better work-life balance for cybersecurity professionals?
Brian Barnier: The hurdle lies in the fact that many people, for various reasons, dislike change—even when doctors emphasize that it is a matter of life or death, patients often resist change. Besides the flawed methods, individuals find themselves trapped in a cycle of pursuing the next significant threat or software. This is why, in outcome accelerator workshops, we guide individuals through understanding the reasons behind their resistance and provide coaching to help them overcome these situations. We draw upon successful strategies used in public health and other fields. This approach aligns with Deming’s principles and empowers change agents to effectively bring the benefits of decades of success to cybersecurity professionals.
Do cybersecurity professionals themselves understand why they continue to falter in the face of attacks and why they have to face so many training programs?
Prachee Kale: There is a big trend in cybersecurity on ‘blaming the business area owner or end users’ or layering cyber software on existing tech stacks. That’s where they’re missing the point. So, I would say no, they don’t realize it and that’s why they don’t understand it. Cybersecurity is a highly specialized discipline, run by disparate experts who are not educated nor empowered to deal with the internal and external environment of the four walls of their enterprise.
The training programs are tech-focused and do not develop a business and operational mindset. It’s a more just-in-time and container-based approach to training, much like today’s tech. When we have empathy and shed light on this, it’s as if a light bulb goes on. At the root of it, typical math and methods are simply antiquated, and other senior executives know it. They are also presented in totally orthogonal reports sent to board members. Again, we need empathy in two ways. Cyber pros know the tech, and execs and board members know what is missing. But they have difficulty communicating. Instead, they could learn so much by teaming together.
Moreover, CISOs are set up to fail because their trainings are so siloed and narrow, especially for anyone who entered the cyber field after 2000 (earlier in Europe, but may not know about India). They have been isolated from decades of knowledge. Topics like value creation, strategy & risk, organizational change management, process design & improvements are entirely missing. There is also a problem with pushing back on attorneys, auditors, and compliance people. CISOs don’t know how to gather support from other areas of the business to push back on compliance actions that often become the root cause of breaches.
From cyber training manuals, the math typically used in cybersecurity is not what was used at Bell Labs nearly a century ago or even by Thomas Edison. . Ironically, many CISOs are not aware that they lack much knowledge due to the siloed training. Many of them pursue continued education, but it does not solve the discipline-level gap that will impact today and tomorrow.
What approach would be most effective in India to help CISOs catch up, feel empowered to take better actions, and enhance people’s protection, while reducing stress and burnout?
Brian Barnier: Awareness and training are important, but cybersecurity predominantly follows a conformist and hierarchical approach. To bring about a change, we need a shift in mindset among CISOs, next-level leaders, and corporate boards, with their active sponsorship. How can we initiate this change in mindset?
We can draw insights from the works of C.K. Prahalad (an Indian strategy professor), Noel Tichy (an organizational behavior professor and former head of the GE management education center, who is actively involved in India and enjoys wind surfing there), and Michael David (who operates in India), regarding the reasons behind business leaders’ resistance to change and strategies to drive that change. By adopting improved mathematical models and methodologies rooted in industrial-strength design thinking principles, it is possible to reduce budgets by approximately 20% unless they are significantly underfunded.
Therefore, the challenge lies in building knowledge (inspired by Deming’s ideas of education and knowledge as opposed to mere tactical training) and taking action based on that knowledge.
How can we address these challenges? What essential components should be included in a program designed for cybersecurity professionals?
Prachee Kale: A robust cybersecurity program is one that combines substantive cyber methods based on systems thinking and organizational growth and improvement. Our focus is on empowering individuals and teams to effect change, reducing burnout and stress, and enhancing the protection of people and companies from danger. Once cybersecurity professionals see and hear this perspective, they quickly realize they are being set up for failure. However, empowering them to enact change requires an additional step.
What can cybersecurity pros do differently?
Prachee Kale: We can learn from other disciplines, particularly the aviation industry. They have accumulated a century of experience with industrial-strength design thinking, which combines critical systems and design thinking. Unfortunately, many cybersecurity professionals are unaware of this knowledge due to structural flaws in cybersecurity methods. These flaws have rendered cyber pros ‘structurally blind’ and ‘cognitively biased,’ setting them up for failure.
Moreover, in other disciplines, root causes are extensively researched, with over 95% of the causes being ‘common,’ as noted by W. Edwards Deming. For instance, organizations like NASA actively educate pilots through newsletters like the National Aeronautics and Space Administration Callback to increase shared knowledge about causes. This approach differs from the typical tactical tech training seen in cybersecurity. It’s essential to consider whether the ‘surprises’ encountered in the cyber environment might actually be root causes hiding in plain sight.”
What are the three big root causes of breaches?
Brian Barnier: The three big root causes of breaches are bookkeeping checks pretending to be real/systems controls, fake frameworks that do not pass the tests of good frameworks in other disciplines, and risk math adapted from bookkeeping or insurance that is totally inadequate for cybersecurity simply because it cannot possibly reflect the nature of the system in which cyber risk lives.
What is the solution?
Learning from other disciplines, industrial-strength design thinking is the key. What if a user kept clicking on suspicious links all day long and nothing happened? It is straightforward. First, discover how the system in which cyber risk lives really works. The objective is to have a deeper understanding than your enemy and outthink them. Second, identify the real problem(s). Third, fix the real problem more efficiently and effectively. Fourth, enjoy the benefits of being empowered with knowledge: improved work-life balance and more rewarding careers, cost and risk reduction, improved productivity, fewer breaches, and a more reliable cyber environment. Ultimately, this approach will make work and life easier for many cybersecurity professionals.