RSI Security recently hosted our second Executive Development Series webinar, Cybersecurity Leadership, on August 23, 2024. Our founder and managing director, John Shin, began with a swift recap of topics covered in the previous module, Consciousness of Cyberdefense. To catch up on fundamentals like vertical development, view Module One on YouTube, or read our recap.
Shin then established the main focus of Module Two: how leadership builds on the foundations of awareness, leveraging vertical development to set the stage for powerful communication (to be explored further in Module Three, Cybersecurity Management, on September 18, 2024).
Situational and Environmental Awareness
Shin began by noting how often professionals in and around technology and IT hear about the importance of awareness: we need to stay awake and not click on anything suspicious. Yet those warnings often go unheeded, as 90% of phishing-based ransomware is delivered through email.
It’s critical to increase awareness organization-wide, and that starts from the top with leaders.
To set expectations and engage the audience, Shin asked attendees to introduce themselves and explain what they hope to gain from this exercise, along with what they’re willing to give to achieve it. Most attendees were willing to give their time and effort and even put their ego or reputation on the line to different ends—building a security department from scratch, securing an optimal position, expanding their perspective, or identifying an area of expertise or focus.
Walking the Talk: Practice and Value Alignment
Taking over, Shin explained how leaders need to lead by example. They need to walk the talk. The power move to create and leverage awareness starts with locating an incongruency gap. In other words, it requires finding differences between our actual behavior and our stated values.
Turning to the audience again, Shin asked attendees to talk about gaps they are facing or have faced in their professional and personal lives. One attendee with extensive experience in the field noted that there’s often a gap between what solutions are available to offer and what customers want or need, which can result in trust issues. Another member noted that there’s often a general gap between how secure an organization wants to be and the steps they’re taking to get there—to which Shin added that there’s a need to consider business outcomes.
Agency and Humanity in the Matrix of Cybersecurity
Next, the group watched the infamous clip from The Matrix in which Neo is presented with the blue and red pills representing two versions of reality. That is, he could passively re-enter the simulation, or he could confront the truth of human captivity and subservience to the machines.
Shin asked the audience what their takeaways were, and one attendee noted that security professionals often find themselves in Morpheus’ shoes, asking clients if they want to know what the problems are. Shin built on this, noting that it’s essentially a question of agency.
Agency is central to security awareness because it relates to a uniquely human capacity.
Namely, Shin explained how the human part of the “triune brain” differs from its rudimentary reptile and mammal components. The reptile mind is devoted to fight-or-flight responses, which are essential at times but also inherently reactionary. The mammal mind is able to read, understand, and communicate. But only the human mind is capable of pausing and reasoning logically, monitoring and reflecting on things, and making decisions beyond base responses.
Moving from a Reactive to a Conscious Posture
In the next segment, Shin introduced the concept of the Drama Triangle, first popularized by psychologists in the 1960s and recently revamped by business thought leader David Emerald.
Three mindsets in the drama triangle explain common responses to or roles in drama:
- Victim – This mindset is unwilling to take responsibility and feels powerless, with associated language like “why is this happening to me” or “there’s nothing I can do.”
- Persecutor – This mindset is about blaming, criticizing, dominating others, or feeling instantly defensive, with language like “this is your fault” or “what’s the matter with you?”
- Rescuer – This mindset seeks to shield others and/or oneself from consequences, often maintaining an air of superiority with language like “let me help” or “I’ll do it myself.”
Collectively, these roles make up a vicious cycle.
Shin asked which roles attendees find themselves in, especially under pressure, and most agreed that they’re rescuers by way of a fix-it (or similar) mentality. However, Shin explained that the real power move in any drama scenario is to flex the human capacity for reflection.
It’s impossible to completely avoid drama. Instead, security leaders should improve upon these drama roles with their counterparts in the virtuous cycle. Shin broke these down as follows:
- Creator – Unlike the victim, this mindset accepts responsibility, makes choices, and feels resourceful and resilient. Associated language includes “the outcomes I’ll create.”
- Challenger – Unlike the persecutor, this mindset evokes the will to create in others and feels clear, confident, and committed with language like “I believe you can do better.”
- Coach – Unlike the rescuer, the coach supports others in tapping their own capabilities and feels optimistic and non-attached with language like “what is it that you want?”
In explaining the third role in particular, Shin played a clip from Rocky Balboa in which the boxer talks to his son about taking responsibility and not blaming others for his perceived weaknesses.
The vicious cycle entails anxiety and a reactive posture to problems, whereas the virtuous cycle is about channeling desired outcomes into passions and practical next steps. An even more advanced cycle is that of Focus, Inner State, and Behavior (FISBE), which turns tension into energy. Shin likened this to a bridge or dojo where immense tension plays an important role in creating practical and beautiful outcomes—shifting from reactive to conscious and aware.
The Importance of Attention Management and Awareness
Ultimately, attention management is one of the most important considerations for all security professionals, especially leaders. Shin noted that myriad books have been written about this subject, many of which have reached enormous readerships across varied business and other contexts. One particularly critical insight comes from David Allen, who has shown that the human mind is much better suited to creative tasks than to rote memorization and storing knowledge.
Other important concepts include the consensus around the properties of attention. For example, it’s powerful yet fragile, and it’s trainable. In addition, it controls our perception, steadiness, reactions, decision-making and activities, interactions with others, and even our sense of purpose.
There are also different kinds of attention, which are increasingly important in our new normal defined by the “hyperactive hive mind” of information overload and various states of distraction.
For these reasons, practicing attention in the right ways is the key to building awareness.
Looking Ahead: Practicing Attention Effectively
As Shin explained in Module One, “practice makes perfect” is an imperfect saying. A more accurate expression is “practice makes permanent.” What we practice becomes committed to memory, so it’s absolutely imperative to practice the right way. One example of doing this for attention specifically is tapping into the human brain by remembering to pause and reflect when faced with a difficult situation, rather than trying to respond immediately. Shin recommended focusing on a bracelet or watch and making a conscious effort to tap it when doing this.
Wrapping up, Shin asked attendees to reflect on their biggest takeaways from the discussion, and there was a near-unanimous consensus that the drama and empowerment triangles were most impactful. Understanding oneself from multiple vantage points and considering the ways others might perceive you, along with the roles all parties are and could be playing, are all critical.
To learn more, sign up to view our recording of the live event here. Catch up on Module One by watching the event on YouTube or reading our recap. And sign up for Module Three here.