Unleashing Your Catalysts to Maximize Cybersecurity Gains

It’s no surprise: good cyber-talent is scarce. Studies validate this worrying reality. Fortunately, we’re seeing efforts to prepare the next generation workforce, but that doesn’t solve today’s talent shortage. 

Too often, we generalize this talent challenge as unsolvable, or we overly focus on technical skills as the dire need. That’s a lazy approach. The problem requires a more nuanced look, and so does the solution.

To make substantive gains now, cyber-leaders must reframe how they look at current talent and near-term hires. Leaders must think creatively about how people with certain mindsets and skillsets can catalyze a security program’s growth, and produce outsized gains for the business. 

Why We Need to Start Valuing Catalysts
In the cyber-context, a catalyst possesses an extraordinary ability to grow the program’s capability, capacity or influence. When unleashed, they produce desired outcomes faster and  more widespread than others. They come from varied backgrounds:

  • Engineering: these people tune architectures and tools to improve process automation, machine transparency and service delivery efficiency
  • Marketing: they employ creative messaging and engagement techniques to build stakeholder alliances
  • Organizational psychology: they’re deft in analyzing cultural dynamics and shaping security initiatives to smooth business adoption

You need catalysts, badly, and guess what? You likely have some today. It’s time to be more creative in analyzing your talent. Don’t just concentrate on your most ‘seasoned’ (senior) people. You can do better. You must find catalysts, no matter where they sit.

What to Look for When Identifying Catalysts
When starting your catalyst exploration, start with your desired outcomes. As Harvard Business School professor Clayton Christensen would reflect, what jobs need to be done? Here are some examples:

  • Enterprise-wide incident response coordination
  • A robust vulnerability management process created and communicated to infrastructure teams
  • Translation of system-level risk data to story-based business risks, for board consumption

Once you know the jobs to be done, you can start looking for appropriate catalysts. In doing so, analyze these two aspects:

  • Mindset (primary focus): This is a person’s general attitude. As framed by psychologist Carol Dweck, life experiences form a mindset, and you’ll want someone who possesses a growth mindset – where they see obstacles as opportunities, embrace adaptation as vital and value constant learning.
  • Skillset (secondary focus): A person learns skills in a classroom, book or on the job. They are commodity features a person becomes proficient at through practice, and are important for solving specific problems (e.g., coding, architecture, process refinement).

Get started by pairing ‘jobs to be done’ with an analysis of your team’s mindsets and skillsets. Study your team, but also look to an extended audience – people in adjacent organizations that could serve as a force multiplier. Find those people that have a growth mindset; people that are hungry to learn and make those around them better.  

How to Bring the Catalyst Construct to Life
This can be the hardest part, as it requires disrupting your organization. Whenever you change who does what, peoples’ emotions and pride come into play, so you’ll want to mitigate negative consequences. As you work to balance catalyst empowerment with ‘keeping the peace’, consider these lifecycle tactics:

  1. Keep a fresh view of ‘jobs to be done’: identify the highest-priority activities that need doing. Don’t fall captive simply to viewing business as usual (BAU) activities as highest priority. Sometimes you must clear a path to enable BAU work to happen. Note your barriers and tackle those jobs first. 
  2. Implement the right talent scanning system: spend the upfront time articulating the mindset and skillset characteristics that’ll enable your desired outcomes. Then, you and a trusted group must obtain input on who fits the needs. You might find them in leadership ranks, located down in the program or even outside the organization. Regardless, find them.
  3. Broadly communicate your catalyst choices: when people understand your intent, they’ll better accept why you’re empowering select catalysts. You might only need a catalyst to do the job for a few months, and then rotate them back to their BAU role. This flexibility can be appealing. When people realize you’re operating a rotational system of matching specific jobs to people, they’re more apt to embrace the opportunity afforded by this construct.
  4. Set expectations and incentives, and measure ROI: You’ll need to ‘sell’ catalysts on accepting new responsibilities. They’ll have their concerns. Make clear what you need from them, but also relay the incentives. You’re asking a lot of these people, so make it worth their while. Finally, hold them accountable and measure progress. Agree with catalysts on what success looks like, regularly review progress and determine necessary course corrections.

Being a catalyst is about igniting change, new behavior and better outcomes. As a cyber-leader, embrace the value of empowering catalysts and ensure you’re positioning them to create maximum value. In a world with such a talent challenge, it’s time to think and act creatively.

Matthew Doan is a leader in Booz Allen Hamilton's Commercial practice. He advises senior clients and leads project teams in driving innovative strategic and operational cybersecurity solutions, particularly for global automotive, oil and gas, industrial, and high-tech companies. His recent work centers on helping manufacturers understand and manage their cyber risk ecosystem in evolving domains such as connected products, manufacturing, and supply chain. Previously, Matthew worked strategic threat preparedness challenges for the US Intelligence Community and Department of Defense. Matthew is also a fellow in New America's Cybersecurity Initiative, where his primary areas of research and thought leadership cyber leadership and human factors (i.e., psychological, cultural, and organizational dynamics).

What’s Hot on Infosecurity Magazine?