C-Suite Network™

Categories
Best Practices Growth Management Personal Development Technology

Compliance – Is It Really Such a Bad Word?

Does the word compliance make your skin crawl, send shivers down your spine, and make you want to run for the hills? It seems to do that to everyone I talk to, and therefore I want to change the story and tell you why compliance, when viewed through a different filter, can be the catalyst your organization needs in order to improve its security posture.

There are so many compliance regulations, both government-mandated and industry-mandated, that it is hard to find an organization that does not have at least one acronym it has to be compliant with. Whether it is HIPAA, PCI, FFIEC, FedRAMP, DIACAP, NIST-171, GLBA, NYCRR 500, FISMA, SOX, GDPR, etc., there is a better-than-good chance you are on the hook for at least one of them. And why has this happened? It’s because when left to their own devices, organizations in just about every industry are not taking security seriously, and data breaches continue to get bigger and bigger, affecting more people and costing millions and billions of dollars. Depending on the industry, they may even put lives in danger.

Some of these regulations can literally put you out of business if you fail to comply, and even with that threat people call me saying they need to be compliant in the next three weeks. Instead of creating and maintaining an ongoing compliance program, they say, “What do I need to do to be compliant and avoid the fine? Oh yeah, and it needs to be done in the next three weeks.” They are looking to meet the bare minimum standard, check a box, and move on, and that is when compliance feels dirty and doesn’t solve the problems it was set up to solve.

The reason compliance feels like a four-letter word and makes most people cringe is the way that it is commonly handled.

Smaller organizations often don’t have the staff to properly secure their networks and data and have often outsourced everything technology-related to a third-party vendor. They are in “fire and forget” mode, meaning that as long as the systems are running and nothing strange happens, they figure everything is fine, and they don’t discuss security or compliance with their vendor. The challenge with this model is that security is being left up to a third party, and unless you are paying extra for a secure solution, most of the time the vendor is not providing many, if any, security solutions. It’s only when the organization finds itself on the hook for compliance that it starts asking the vendor the security questions it should have been asking from day one. As a result, the compliance requirement helps drive their security going forward. If you are a small business that has outsourced your IT to a third party, I strongly recommend having the security conversation early in the relationship, preferably before hiring them.

Even large organizations that have a security team and a large IT department do not approach security in a systematic or strategic way, and they also get complacent. The mentality from executive leadership seems to be that as long as everything is working and they don’t hear of any problems, then everything is okay and they don’t have to spend money on security. But is it okay? There are reports that indicate 50% of organizations will fall victim to some sort of breach and only half of those organizations will even realize it. As we often say in the security business, it’s not about if you are breached; it’s about when, and whether you will even know about it or be able to respond. For these organizations, compliance is often how security teams and technology groups are able to get the budget they need for security.

Regardless of the size of your organization or the industry you are in, when compliance is viewed as an annual audit, which is how many people view it, and someone in the IT department, or worse in the Finance department, is told they are responsible for ensuring the compliance work is done on time in order to avoid any fines or penalties, it leaves a bad taste in everyone’s mouth. This type of attitude results in everyone spending the next two months working around the clock to validate compliance while still doing their day job.

Once you realize that compliance is never an annual audit or a one-and-done effort, but rather an ongoing program that has to be built into daily operational procedures, it can stop feeling like a fire you have to keep putting out. During the process of ongoing compliance you are improving the security and longevity of your organization and, in some cases, protecting the health and livelihood of your customers.

Of course post-breach remediation lights a fire under everyone’s ass to get their security up to par, and as such it’s as compelling a motivator as you can get, but it’s also the worst possible motivator to face, and that is why compliance should be seen as a good thing rather than a bad word. Not only does compliance provide the necessary budget and attention you need for your organization, it provides a systematic approach that can make implementing security more manageable so that you don’t have to face the post-breach clean-up, lawsuits, brand damage, etc.

When the story changes and compliance is viewed as a business driver, something that leads to a better competitive advantage, and everyone’s responsibility, it does not have to be so hard or “dirty.” When you have the right resources, whether internal or external, to help you set it up correctly from the start, teach the organization what it means, why it’s important, and why their role matters, it becomes manageable.

If you are in business to stay in business and grow, security matters, and you will want to embrace compliance as a driver. As a consultant in this arena I work with a lot of clients where I come out knowing that they have made a real difference in their security posture and their future growth.

If you have questions about compliance or want to discuss strategies for making it easier, email sharon@c-suiteresults.com. If you don’t have a security team and want more information on how Virtual CISO services work, which are designed to help small and medium-size organizations maintain their security and compliance posture, reach out so we can talk in more detail.


The CISO… Who?

I was interviewed for a podcast recently for a new show that is all about the business of information/cyber security, and the hosts asked me what I thought was the number one thing that should change in the industry. My answer had nothing to do with more secure software, better security awareness training, better patching schedules, anti-virus, or bigger security budgets. It had to do with the role of the Chief Information Security Officer (CISO).

Since cybersecurity strategy is one of the hats I wear, this was an easy question to answer. Until the CISO has the same seat at the table with the CEO and the board just like the CIO and CFO do, security within an organization will never be a priority. As I mentioned in my article The Culture of Security, security culture, like all culture, lives or dies from the top down.

Most people I talk to outside the security industry have never heard of a CISO, but they can tell me what the CEO, CFO, COO, and CIO are. When I tell people that I am a virtual CISO, I often get blank stares or the question, “What’s a CISO?” What this tells me is that security is still taking a back seat in the landscape of business strategy and priority.

I talk to a lot of CISOs and hear their stories, and more often than not they tell me they report to the CIO, and that rarely if ever do they get in front of the board. When the CISO does not actually sit at the table with the decision makers, whether that’s the CEO and CFO or the board, and their message is filtered through another level or two before ever getting to the decision makers, the importance and context of their message gets lost. Moreover, if those decision makers have questions, there is no one at the table to answer them.

When the CISO reports to the CIO, which is the most common reporting structure, there is a real issue that needs to be discussed. The CIO and CISO have different, and even conflicting, priorities. The CIO is responsible for making data and assets available to support business functions. Funding is generally tied to performance of those assets in support of business needs. Conversely, the CISO is responsible for managing business risk, risk that extends to all responsibilities of the business and not just technology. The CISO may also recommend a level of protection for data and technology that negatively impacts the performance of those assets, a metric that is very important to the CIO. Reporting to the CIO will mean security decisions align with the protection of information assets rather than protection of the business, and only to the degree that does not too badly impact the numbers the CIO is responsible for.

I’ve also seen where the CISO reports to the CIO, who reports to the CFO, which has an even bigger impact on their contact with the board. Now the CISO is two layers removed from the top decision makers and strategists, and the person responsible for reporting the information is someone who does not have the background to properly communicate the message or answer important questions. The CFO is interested in budgets and return on investment, which is hard to see with security. The work of the security professional is often invisible, and it is very hard to prove ROI when the result of doing a good job, having the right people, and the right tools is no breach or no loss of data. It is very hard to tie the effect of no breach to the cause of a good security department.

Here are my recommendations for leaders who don’t want their brand on the front page of the paper because of a breach or security issue:

If you are the CEO or sit on the board of an organization and you believe that security is a priority, ensure your CISO reports to you or another independent executive who is looking at the organization as a whole. For example, the Chief Operating Officer, Chief Risk Officer, or General Counsel could be a good reporting structure as long as the CISO has the opportunity to directly brief the board at least quarterly.

If you are the CIO and you have a CISO reporting to you and you believe your organization should take security more seriously, talk to your CEO about moving the CISO out of your reporting chain. Even if you can be unbiased, it’s the right thing to do for your organization.

If you are a CISO or aspiring CISO for your organization, and you report to anyone other than the COO, General Counsel, Chief Risk Officer, or CEO, I would consider having this conversation with the executive team as a whole. Not because you don’t trust your CIO or whomever you report to, but because security is a real, current threat and they hired you to help create the strategy to stay secure. You can’t provide real-time direction if you are not riding in the same car as everyone else.

If you are looking to take a job as a CISO for a new organization, when you negotiate terms for the position, ensure that you report to the CEO, COO, or General Counsel. If they say no, it’s a sign that they might not take security as seriously as you want them to, and you might not be happy working there for long.

If security were just a simple part of an IT organization, it would make sense for a security executive to report to the CIO, and they wouldn’t need the “chief” in their title. However, since every part of the organization is reliant on security, and not just IT, it is incredibly important for the CISO to sit outside of IT, where they can have a view of and help the organization at large.

The intent is for the CISO to have an unbiased chain of command, access to brief the decision makers, and an opportunity to answer their questions. If security is important to your organization, this one change could have the real, lasting impact that you are looking for.

If you have questions or want to discuss the challenges of the CISO, email sharon@c-suiteresults.com. If you don’t have a CISO but want more information on how Virtual CISO services work, which are designed to help small and medium-size organizations maintain their security posture, reach out so we can talk in more detail.


Security is Not an IT Problem

Over the past 12+ years working as an Information Security (now known as Cyber Security) consultant, I have seen too many situations where security was not implemented because the business thought that the IT department or Information Security (InfoSec) department could and would take care of it for them.

Before we go further, let me define two things: 1) InfoSec is often a separate department from IT, especially in larger organizations, and 2) when I say “the business” I mean any part of the organization that is not IT or InfoSec.

The business is typically the groups that are directly related to the product you sell or the service you offer (sales, marketing, the call center, business users, etc.). They handle customer or sensitive data to do their job, they talk directly with the customer or client, or they directly support the organization (HR and accounting for example). These are the folks I am calling “the business.”

If you are a non-technical executive or business leader, you might think that implementing security is the job of IT or InfoSec. However, what we are going to talk about today is that if you want your organization to be secure and your data to remain your data, it’s time to look at this very differently.

It is very common for the business to think about security or bring the project to InfoSec right before they are ready to deploy a new system, and sometimes only because security got a “whiff” of the project, or because the project team looked at a security checklist and said, “Oh, we should run this by security,” and then asked, “Is this secure?” or “Can you make it secure?”

The problem with the scenario I just described is that it puts the cart before the horse. The cart being the business project or system that has been built and the horse being security.

It would be like building a bank and the week before it opens saying, “We should put in a vault, some locks, cameras, and ensure that we don’t get robbed, can we do that now?”

In my experience many business projects are implemented to automate a process or make something easier, faster, or better for the business user or customers. A call center rep looking up information for a customer or processing a transaction, providing customers the ability to pay online, or an automated time and attendance system are all examples of business-initiated projects that deal with a lot of sensitive data that needs to be protected.

Without security, these new systems might lead you to hand over the crown jewels of your organization, whether it is intellectual property or customer data, without you realizing it. Therefore, let’s look at why security must start with the business and the reason IT or even the Information Security department can’t do it for you.

First and foremost, the business decides what data they need. If you are collecting information from customers, suppliers, partners, the government, or anyone for that matter, it is the business who determines what and how much data they need to get the job done and/or provide a service. IT or InfoSec never dictate the type of data a business user collects or how long it must be retained. The IT department supports the collection and storage of the data after the business determines what they need. IT can support security requirements through technical mechanisms to protect the data, but only if they know where the data that needs to be secured is.

It is the business who decides how they collect the data: do they want it to come in via website, call center, fax, mail, etc.? The business determines the process flow to collect the data. IT or InfoSec does not say how data should be collected. IT can enable the data to be collected via technical means, but it is the business who makes the ultimate decision on how they want to collect it. IT cannot help secure a business process they don’t know about or have not been told contains sensitive data.

It is even the business that decides who has access to the data: which employees need to access the data in order to process orders, fulfill customer requests, service contracts, etc., and what level of access they need to do that job. IT may create the accounts, but they do not dictate who gets access to which types of data. Limiting access to data and administrative permissions is a key part of basic security, which IT will gladly support.

The business also decides how long they need access to the data. Often what we see when there is a data breach is that there was a great amount of data available to the hacker because the business decided to keep sensitive data much longer than necessary. IT can help purge and remove data when they are told by the business what the data retention requirements are.

Lastly it is the business who decides what data is shared with external third parties and often the security of the third parties is not known or checked. InfoSec is a great resource for helping to validate the security of a third party, but they can only do this when they know who the business is sending sensitive data to.

All of these business decisions get fleshed out when the business is developing its business and user requirements, oftentimes in a vacuum without any insight from or consultation with IT or InfoSec. Then they create system requirements for the developers who make their vision a reality, but if they have not included security requirements in their system requirements, security will often get missed. That is because the developers and IT staff who make all of the technical stuff possible are not often security professionals; they are IT professionals.

Just because someone is in IT does not mean they think about security. It’s like going to a general practitioner and assuming they are thinking about nutrition; you often need a specialist to discuss what to eat for your specific goals. The IT department is responsible for keeping servers and desktops running, making sure there are no network outages, that databases are available and connected to applications, that systems are developed to work as requested by the business, and that the technology is available when a user needs it.

Security is different because in many cases good security makes access harder and impedes the business and the IT users. It often means the IT folks have to document more, and it can take longer to implement server configurations. Security is done by security professionals, who often have IT backgrounds but are not typically your IT staff.

All of this shows you why discussing security has to start with the business and why the executives making business decisions need to include IT and InfoSec in the discussion from the very beginning. Security must be included throughout the lifecycle of any business or IT project, but all too often it is left out of the planning, and the cart is ready to go with no horse in sight.

If you have questions or don’t have a Chief Information Security Officer to help bridge the discussions between the business and IT with a security perspective, email sharon@c-suiteresults.com to discuss your challenges and virtual CISO services that are designed to help small and medium-size organizations maintain their security posture.


The Monotony of Success

Have you ever given up on something because it got boring? You know those goals you set, maybe a New Year’s resolution, that shortly after starting you stop working on, maybe because it got boring or because you were not seeing the results fast enough. Maybe even a job or project for work that you quit on because it wasn’t exciting or fulfilling anymore.

In a recent interview I had on C-Suite Success Radio with Shep Hyken, Customer Experience Expert and Chief Amazement Officer, I learned that there is a monotony of success that you must withstand if you are going to be successful. That means that in order to be successful most of what you do day in and day out is going to be monotonous.

The good news is that if you are bored or less than fulfilled with some of the work you are doing because it is monotonous, as long as you keep doing it you are working towards success. It is the day in and day out little things that compound into your great achievement. That is a lesson I learned reading The Compound Effect by Darren Hardy and The Slight Edge by Jeff Olson. In order to accomplish anything it takes time, discipline, and repeating the right behavior.

The reason I bring this up is because I think it is simple to understand yet profound in its meaning. Instead of being bored or unfulfilled by some of the mundane and monotonous tasks you have to do every day, reframe those experiences into excitement for what you are building and creating through those actions.

You can apply this to losing weight, getting a degree or certification, completing a project, training for a marathon, or just about anything you want to accomplish. When I look back at all the activities I quit on before I succeeded because “they weren’t fun anymore,” and realize that was a sign that I was working on my success, I wonder what would have happened if I had kept going. And since I didn’t know it then, I use it now to keep me working towards my current and future goals.

I bring this short message to you as we start the new year to help you reframe your thoughts as you dig into your 2018 goals. Monotony might just be the sign that you are working towards a successful outcome.

Wishing you a Successful and Happy New Year!



Communication – The 5th Pillar of Your EPICC Cybersecurity Team

Here we are, the last and final article in the series on creating an EPICC High Performance Cybersecurity team. If you have been with me from the start of this series you know the first four pillars are Engagement, Productivity, Integrity, and Collaboration. The fifth and final pillar we are going to talk about is Communication.

You’ve heard it before: “You were born with two ears and one mouth for a reason: to listen twice as much as you speak,” but how often do we follow that rule? Too often, and I’m guilty of this too, we are thinking about what we are going to say next in response to what we are being told, rather than listening to understand. This means that if we are not listening, we are not communicating completely or effectively.

Communication is an open and safe exchange of information, ideas, and opinions; the good, the bad, and the ugly. When something is not going right, communication is critical. You may think this sounds a lot like the collaboration we talked about in the last article, and they do go hand in hand, but you cannot get to collaboration without communication.

Communication has to do with how we say what needs to be said, when we say it, and whether we are truly listening. This is incredibly important for your cybersecurity team. If they are not truly communicating and listening, think of what could get missed in your mission to protect your organization.

Respectful communication is key, and you must lead by example. Clearly discuss what respectful communication looks and sounds like and what will and won’t be tolerated, and then do what you are telling others to do. Some examples of respectful communication include being fully present and not typing emails or texts while someone is talking. You are not listening if you are thinking about what you are typing. Other examples include making eye contact, repeating back what you heard to show you were listening, and asking clarifying questions. These are the questions that help ensure you truly heard and understood what the other person just said.

If you are not sure what makes up a complete list of respectful communication, think about the things that drive you nuts when you are talking with someone. A good exercise would be to get your team together and, without asking them to name names, ask each person to provide examples of what they think respectful communication looks like and what they think is rude. Use this time to discuss what you want for the team and create a list together of what is acceptable and not acceptable; now, as a group, you have collaborated on the rules of respectful communication. Everyone now knows what will and won’t be tolerated.

Giving and receiving feedback in real time, which I discussed in the article on motivation and feedback, is another crucial part of communication, especially as a leader. If you have ever been given critical feedback long after the incident occurred, you know how frustrating that can be: how can I fix something that happened three months ago?

Feedback means communicating with your team, individually or as a group when needed, to share what you are observing that is working well and not working well. The conversation on what is not working well is a crucial conversation that is often difficult to have. It’s tough to deliver bad news or share with people the areas that need improvement. But the ability to do this not only makes you a stronger leader, it will garner respect when done well and help your team become a higher-performing team.

If you need help starting a conversation or figuring out how to broach a topic with someone on your team, there are specialists who can help. For example, a subject matter expert on this whose articles are extremely useful is Dr. Laura Sicola, from whom you can learn a lot about communication. Similarly, if you are looking for more on how to create a high performance team, you can reach out to me at sharon@c-suiteresults.com to learn more about conducting a High Performance Team Workshop.

It’s perfectly normal to need help and perfectly acceptable to ask. What is unacceptable is thinking that things can change on their own or deciding that the status quo is good enough and change isn’t necessary for you or your team. But in the end, whether or not you are going to get assistance in building your EPICC team or do it yourself, it’s time to get started and get to work.


Collaboration for the Cybersecurity Team

When you think about collaboration, what comes to mind? Have you ever given much thought to the importance of collaboration for your cybersecurity team, or how collaboration creates high performance teams? If you haven’t given much thought to the topic of collaboration, that’s OK; you are going to explore the importance of collaboration today.

Collaboration is the fourth pillar in the EPICC model for high performance teams and is incredibly important for your security team. If you have tuned in to the entire series on EPICC High Performance Teams, you are on pillar four. If you are just joining us now, you can catch up on the series and read about Engagement, Productivity, and Integrity, the first three pillars for a high performance team.

Since no single person on a security team can stay current on all the technologies, know all the current vulnerabilities, be versed on all the most recent hacks, or know all the possible solutions, collaboration is key to your security team’s ultimate success. Collaboration is where engagement, productivity, and integrity come together and your security team spends time working together to come up with innovative new ideas.

Ideas build upon ideas when a group gets together to collaborate. New ideas, solutions, and innovation that no single person can come up with alone are born during collaboration.

One of the biggest and most often missing pieces of collaboration is discussing progress: what’s working and what’s not working? When a team knows where the project is, they can collaborate on ideas to move it forward or maybe even change direction. This is how you reduce the number of fires that need to be put out at the last minute, and you reduce stress and cost. When something is not working, it quickly becomes the topic of conversation, but what about discussing what is working? That is an often missed, but critical, conversation.

When things are running smoothly most people don’t stop to discuss why, but it is essential to recognize why things are working so you can do more of it. Plus, what is working for one person may not be obvious to their peers, so this is an opportunity to teach each other and refine their skills.

Of course I’m not saying you ignore the conversation on what’s not working; that is critical to course correction, and you can’t always prevent or find all roadblocks ahead of time. As soon as something starts to go south, the conversation must include what’s not working. But remember, it can’t be about laying blame or pointing fingers; it’s about discussion, collaboration, and then cooperation and integrity to turn things around.

The more your team collaborates, the more they can identify the possible roadblocks ahead of time. This means you don’t have a group of firefighters running around always trying to put out the fire; you have a group of park rangers who are able to stop the fire before it ever ignites, because only you can prevent forest fires.

The great part is collaboration can happen with or without you, the leader, as long as you set the tone, the expectations, and the example. If someone comes to you with a problem you can ask, “Did you work with the team to find a solution yet?” That could be the first step before involving you unless it is critical and needs escalation.

Remember, you never know where the best idea will come from. You want to make sure that everyone on the team has a voice and that they know they can share ideas regardless of how crazy they may sound. Because you built the team community around integrity, everyone should know that there are no bad ideas and that no one is ever ridiculed or judged.

For your next team meeting start a new conversation on the topic of collaboration, why it’s important, what it should look like, and how to accomplish it. Empower your team to work together, communicate openly, and share ideas. Build on the ideas of community and watch your team thrive.

If you have questions or comments about this article or the series you can reach out to me at sharon@c-suiteresults.com to discuss this topic, security teams, or security strategy. If you enjoy podcasts you can listen to C-Suite Success Radio to tap into the wisdom of other successful business people who know the path you’re traveling.


Building Integrity – The Glue of the Cybersecurity Team

So far we have discussed Engagement and Productivity, the first two pillars of an EPICC high performance team. Let’s continue exploring how to create an EPICC high performance security team, and look at the third pillar, Integrity. Integrity is the glue that holds an engaged and productive team together.

My two favorite definitions of integrity are doing the right thing even when no one is looking and doing what you say you will do long after the feeling you said it with has passed. That last one is what happens when, for example, you ask your friend to help you move and they say, “Sure, anything to help…” but then when the day comes to help you, the last thing they want to do is move boxes and furniture. The person with integrity does it anyway because they said they would.

When members of a team have a “what’s in it for me” attitude, i.e. a lack of integrity, the team does not get very far. When it comes specifically to a security team, that is downright dangerous. In the world of cyber security, the team has to work well together if you want to stay ahead of the adversary. And if you don’t think you have any adversaries, remember that internal mistakes and errors can cause just as much damage to your organization. Your security team is on the front lines to prevent this and catch the errors or mistakes before they become costly or irreversible.

Your role in ensuring a team with integrity is to create an environment that establishes and supports integrity, and you do this by building a strong community. We have all seen what is possible when communities come together, whether after a natural disaster like a tornado, hurricane, or fire; or after a terrorist attack or violent incident. We have seen what is possible when neighbors help neighbors and the sense of community is strong. We have also seen the flip side with riots and looting that occur when a community is not strong and has a weak sense of integrity among its neighbors.

A community for your team means that everyone works together and no one is thinking “what’s in it for me.” When one member has a problem it is everyone’s problem, and that means the personal stuff gets addressed too, because when someone is having trouble at home or outside of work it affects him or her at work. When they can come to work and know that it is safe to discuss it with you or the team, their focus will improve and so will their productivity.

No one wants to come to work and feel alone or, worse, suffer in silence, but people need to know it’s safe to share the personal stuff and the work stuff without fear of retribution, judgment, or scorn. You have to build this environment, set the rules of engagement, and make sure everyone knows where, when, and how to address the personal stuff and what will and won’t be tolerated, then lead by example.

Think about those communities where neighbors help neighbors and people have integrity. These communities have greater property values, good schools, safe streets, and community activity. A team with high integrity members can get more accomplished, see problems ahead of time, and bring projects in on time and on budget more easily. That brings value to the organization, which equates to your team having a high property value. When you provide continuing education you are offering good schools, the ability to share problems in a safe space is a safe neighborhood, and community activities mean doing things outside of work from time to time. All of this helps build community and results in a high integrity and high performance team.

A low value community is rife with violence, low property values, and lack of safety, and is often partly driven by fear. When this is the community of your team, the violence shows up as in-fighting, backstabbing, and manipulation. When there is a lack of safety, people don’t share ideas, much less personal problems or the challenges they are having with their work. All of this results in a team that does not work well together and ends up with a low property value within the organization.

Your security team is one of these two types of communities: it has either a high or a low value within the organization, which will greatly depend on the type of community you have created. Start a conversation with your team about community, get to know your people, treat them with respect, and ask that they do the same. When you see something that might lead to a low value community, speak up and have the tough conversation about what needs to change. Lead by example and keep moving the team forward. Your security team is up against a lot of adversity as they protect your organization from faceless attackers, errors, and mistakes. They often only get feedback when something has gone wrong and rarely hear “job well done.” In order to keep them working together and in the right direction, integrity is going to be the glue that holds it all together.

If you have questions or comments about this article or the series you can reach out to me at sharon@c-suiteresults.com to discuss this topic, security teams, or security strategy. If you enjoy podcasts you can listen to C-Suite Success Radio to tap into the wisdom of other successful business people who know the path you’re traveling.


How to Create a Productive Cybersecurity Team

This is part three of a six-part series for leaders of cybersecurity teams who want to create a high performance team. To start from the beginning read The Importance of a High Performance Cybersecurity Team and Protecting Your Organization through Engagement of Your Cybersecurity Team.

Throughout this series we are talking about the EPICC model for high performance and its five pillars: Engagement, Productivity, Integrity, Collaboration and Communication. Today is all about Productivity.

When it comes to your cybersecurity team, productivity is essential. There is typically more to do than most teams have time for, and this team is your organization’s frontline defense against cyber attacks and internal threats. In the last article we talked about engagement, and I want to clarify that just because an employee is engaged does not mean they are productive. Engagement is a great first step, but engaged does not equal productive.

Being productive means getting done the tasks that have an impact on the team meeting its goals and deadlines and an impact on the bigger picture and organizational goals. The way you are going to help empower your cybersecurity team to be more productive is by getting rid of the idea of time management and starting to talk about priority management.

Priority management is a clear understanding of what each person on the team should say yes to and what they should say no to. And as their leader, this applies to you too.

You will need to work with each individual on your team to help them determine what their priorities are. This is important because if you have more than three priorities you have none – a priority is something that is more important than something else – and if everything is deemed a priority then nothing is actually a priority. This is about looking at the entire team, determining what the team’s priorities are and then breaking those down into individual responsibilities and tasks.

You may find that a lot of tasks need to be done and that they all support the priorities of the team. That means you need to clearly identify what is most important and what is least important, and which tasks support which priorities. It is also about allowing members of your team to say no to requests on their time that do not support one of their three priorities.

As tasks get completed, organizational goals change, or new projects are initiated, the priorities will change. Until that time, the priorities you set with each person are their focus and their guide for what they should say yes to and what they should say no to. But in order for them to say no to requests, they need to know you support that action and the best way to go about saying no.

It’s about empowering them to determine if something supports a priority or not and the freedom to come to you and let you know that by saying yes to this new request something else on their priority list is not getting done.

We all have the same number of hours in the day and when they get filled with tasks that do not support the big picture or do not fall into the category of priority, the big projects don’t get done, or don’t get done well, on time or on budget.

Another big time suck is what people like to call multi-tasking. To read about this in its entirety check out The Dirtiest Word in Business.

The intent here is to understand that there is no such thing as multitasking the way we use the term. Our human brain does not allow for it; we are not built for doing two different cognitive activities at the same time. You are not multitasking, you are switching between tasks. You might be doing this quickly, but you are missing out on details and losing efficiency every time you do it. Think about any time you have had to ask someone to repeat themselves because you missed what they said while you were “multitasking,” reading or writing an email while you were supposed to be listening to a conference call. We have all done it and we have all had it happen to us. The point is that we miss critical details, prolong meetings, and lose productivity when we are task switching.

If you want more productive employees and a high performance team, you want your cybersecurity team to single task. That is, one thing at a time. Even if that task is only planned for 10 minutes, during those 10 minutes they are laser focused on the task without distraction. Teach your team to block time for their tasks and projects, and during that time they are focused on the task and nothing else. That means they don’t check email, don’t answer text messages, don’t answer the phone, don’t surf the web, and don’t stop to have a conversation about anything else.

This will take practice because in the world we live in we are bombarded with a lot of information all at the same time, and we have spent a lot of time thinking that we are great multitaskers.

Start the conversation and discuss priorities and multitasking with your team and with some practice and diligence you will start to see more productivity. Couple that with increased engagement that we discussed in the last article and you are really onto something great.

For more information or help getting the conversation started, email sharon@c-suiteresults.com to discuss resources. Visit www.c-suiteresults.com or listen to C-Suite Success Radio for more topics that will elevate your results.


Protecting Your Organization – How to Have an Engaged Cybersecurity Team

In the first article of this series I provided an overview of the five pillars for creating EPICC high performance teams. In this article we discuss the first pillar of the EPICC model: engagement.

Gallup continues to report that in the US, employee engagement is around 30% and worldwide at only 15%. While we know this costs real money and affects the bottom line, it has an even bigger cost when we are talking about cybersecurity. When it comes to your cybersecurity team, 15-30% engagement can actually be dangerous to your organization. This is the team that has to be on their toes 24/7 to keep your network and data secure, and you want — no, you need — them engaged.

Engaged employees are motivated and excited to do the work they are assigned to do and don’t have to be convinced to do a good job. They truly want to be at work, and want to do their best to contribute. They are looking for continual ways to improve and innovate and they go above and beyond, take initiative, interact with coworkers and management, produce high quality work products, and take responsibility.

Because that is what you are looking for in your cybersecurity team, let’s get to what it takes to have engaged employees. It takes a leadership team that knows how to create engagement by tapping into the key motivators that people have. As a leader, you can inspire your team to want to do more and be better, but you can only motivate them for the long run if you can tap into their intrinsic motivators. For more information on the following motivators, use the links to take you to a more in-depth article on each one.

Contributing fully through alignment – When you want people to contribute fully they need to align with the work they do in a way that allows them to contribute who they are to a task. When people are not aligned they get bored and find other things to do instead of the work at hand. If you ever feel that people on your team are slackers it could be a sign that they are not aligned with their work and as a result, not fully contributing. That is not a sign of a bad employee; it is a sign that they are doing work that is not aligned with who they are.

The Big Picture – People want to know how they fit into the big picture. How does their work help the organization’s goals? Punching a clock or showing up to do a job with no meaning is not going to cut it anymore. Your most loyal, dedicated, and hard-working employees will be the ones that understand and believe in the purpose of their role in the organization. As a leader and coach of your team it is your responsibility to ensure your team knows, understands, and is bought into the big picture. It is your job to keep that big picture and shared goals in front of them as part of the ongoing conversation.

Continued Growth – As a leader, it is your role to ensure your team is getting continued growth opportunities. They want to learn and grow, and they will be more appreciative and harder working when given these opportunities. My experience as an employee in several organizations where there were no growth opportunities led me to be less motivated and to look elsewhere for what I was missing. Plus, when you provide educational opportunities, you are going to have a smarter, more talented workforce, and when has that ever been a bad thing?

Feedback and Recognition – Here is a place where your team needs you more than anywhere else. Do you know that most people go through their days getting no praise, feedback, or recognition, not even at home or from those they love? When people are told they are doing a good job, they will want to do an even better job next time. When they don’t know how they are doing they often make assumptions and think to themselves, “oh well, no need to try harder, no one seems to notice around here.” However, don’t just provide recognition and positive feedback because you are supposed to. Do it from a place of sincerity, like a proud parent would when their child is walking across the stage at graduation or scoring the winning goal of the soccer game. Without proper feedback and recognition you are missing out on one of the greatest motivators of all.

One of your jobs as a leader is to inspire those around you so that they are motivated to contribute fully, which will result in improved engagement and, in the case of your cybersecurity team, improved protection of your organization’s network and sensitive data. See how you can use these tips to amplify their motivation and help create better results for everyone on your cybersecurity team and, in return, for your organization.

If you have questions or comments, email me at sharon@c-suiteresults.com, and for more resources visit www.c-suiteresults.com and/or listen to C-Suite Success Radio.


The Importance of a High Performance Cybersecurity Team

In this six-part series I am going to address five pillars for creating a high performance security team. We are starting at a high level in this article, and then each week I will go into more detail on another pillar.

Because cybersecurity professionals face a lot of adversity and burnout it is incredibly important for their leadership to understand what it takes to create a high performance security team.

If you are the type of leader who is striving to make big things happen for your organization, protect your organization’s data, and possibly create a competitive advantage through security, a high performance security team is the answer. If you are reading this and you don’t have a security team at all, then forming one or bringing in security consultants is the place to start. As you build that team you can incorporate the lessons from this series in order to build a high performance team from the ground up.

High performance teams in general get more done with less effort and with better results. They have less drama and more creative ideas. A high performance security team is one of the cornerstones of your competitive advantage, because when you have rock star security talent that isn’t going to leave, you have something your competition probably does not, which puts you in a leading position.

You are probably intimately familiar with teams that are not high performing from your own experiences throughout your career, and so am I; that is why I wrote The Corporate Detox. Therefore, let’s dive right into the signs of a high performance team so that you can start focusing on what you want rather than on what you don’t want.

The signs you have a high performance team:

  • Team members genuinely like spending time together and trust each other
  • Everyone is working towards a shared goal and vision
  • Projects are completed on time and on (or under) budget
  • Assigned roles are based on individuals’ strengths and interests
  • Team members communicate with each other and with you (their leader)
  • Everyone talks about what is working and what isn’t working
  • During brainstorming sessions no idea is ridiculed
  • Everyone is encouraged to participate in discussions
  • Feedback is provided in real time and in a constructive way
  • There is no finger pointing or blame when things don’t go as planned
  • Roles and accountability are openly discussed
  • No one is “just hanging in there” and counting down the days until Friday

If your security team is missing some of these signs, it’s okay, you can turn it around, and I’m going to provide you a roadmap to do this. In this series, each article will discuss one of the five pillars of not just high-performance teams, but EPICC high performance teams:

EPICC Teams are Engaged, Productive, Have Integrity, Collaborate and Communicate.

Now between reading this and next week’s article, I encourage you to conduct a review of your current security team. How many of the signs that I described in the above checklist can you say your team embodies? How many need a little work? How many are non-existent? Don’t pad your answers; be honest because this will help you focus on what you want. When you see areas that you are not happy with you will better know what changes you need to make.

Sometimes it’s easier to identify what you don’t want in order to more clearly identify and define what you do want. In looking ahead to next week’s article in which we will discuss the first pillar, Engagement, start to think about the times you have been most engaged and the times you have been least engaged at work.

In the meantime you can always reach out to me at sharon@c-suiteresults.com to discuss this topic, security teams, or security strategy. If you enjoy podcasts you can listen to C-Suite Results Radio to tap into the wisdom of other successful business people who know the path you’re traveling.