CHAPTER 4

The Big Mistake (and How to Avoid It)

The Double-Edged Sword of “Fitting In”

So you have the filters set: you have the job description, the due diligence measures to employ, and tests to proctor and review. But like any good relationship, we need that “spark.” In the context of hiring the right candidate, that spark translates to the cherry-on-top of actually liking the new recruit. Arguably, we typically like people who are … just like us. And such is The Big Mistake: hiring someone because he or she is like you. Just because someone is “just like me!” or “reminds me of myself!” or interviews well (because … he or she is “so much like me”) does not correlate to job performance.

Spotlight: The Nice Guy

When you’re asked to picture someone who works in tech, the stereotypical image of a loner in a hoodie often comes to mind. But a company (which later became our client) lucked out: they had a cybersecurity systems architect, who was funny, lively, and constantly smiling, come in to interview for a senior work role. His interview went well as he charmed the boutique team and easily passed the knowledge, skills, and abilities (KSA) tests. He was hired and assigned the serious task of designing and auditing security structures to keep hackers out. Unfortunately, as a new hire, he quickly turned out to be a constant disruptor in the office, pulling people out of their workstations to tell stories, making jokes while struggling to get through routine tasks, and disappearing during stressful situations. How could this happen?

The bad hiring decision made by our client was caused by a progression of problems. And it begins with what we call being “influenced by personality.” The candidate comes in and presents a personality full of high-impact charisma during the interview, and the interviewer’s visceral response is to be impressed, and more significantly, the interviewer feels good. So the interviewer makes the mistake of evaluating the candidate solely based on the charismatic personality he presented. But they don’t dig deeper. Why don’t they dig deeper? How did they get fooled?

There are two forces at work which cause most hiring managers not to dig beyond what the candidate presents and get fooled as a consequence. The first force at work is, it’s easy to feel good. In addition, it’s a relief to feel good, particularly when interviewing job candidates. You’ve got to fill this position, interviewing is difficult, and here’s a candidate who makes you feel good—great, we’re done! Unfortunately, using the feel-good evaluation is essentially a decision about whether you like the candidate, but it’s not an assessment of whether the person will be successful in the job role. And that leads to the second force at work when you allow yourself to be influenced by a good interview—jumping to conclusions, or more precisely: false correlation. You presume that a person you like—who is really a person like you—will succeed in the job role.

And that’s the core of false correlation. It’s a presumption without basis. When you feel good about a candidate, usually because you like them since they are “like you,” you need to articulate reasons for your decision to hire. We have many ways to make this appear legitimate—“good fit” or “rockstar”—but they are all variations of “I feel good because he’s like me.” Fundamentally, it’s lazy. You feel good about the person, so the interview is over, and the job is filled. But more deeply, it leads to uniformity and a shallow bench, and it makes diversity and inclusion impossible. Why? Because you hire people who are like you.

In this case, the hiring manager was fooled by high-impact charisma during the interview. He presumed that the behavior shown during the interview process meant the candidate would be a successful employee for that company. He thought “fun-loving personality” correlated to “success in the work role.” When stated this way, the problem with lack of correlation becomes obvious, but here the candidate’s charming personality during the interview caused the hiring manager to decide he was a “good fit,” when in reality, his charming personality made him a remarkably bad fit for both the job role and the company culture.

The path to a good hire begins with precision. You must decide what you are looking for in terms of actual behaviors. It’s fine if you want to start with “fit”—ok, what does fit look like here? Do you really need a fun-loving personality in your systems architect? If you took the time to list out how you need your systems architect to behave, “fun-loving” would likely not be anywhere near the top of your list. But most job descriptions don’t even list behaviors. And the reason is that most people don’t know where to begin. Importantly, the company in our example had a job description full of technical certifications and KSAs, but not a list of behaviors or behavioral characteristics—but then, they hired him because of the behavior he exhibited during the interview. Essentially, they hired him based on behaviors, even though they had no description of behaviors that correlate with success for that job.

Our starting point to solve this problem is to accept that behavior matters. How your employees actually behave at work, and more importantly, how they behave under stress, directly correlate with how they perform their work roles. And the only way to identify which behaviors correlate with success and which with failure is to establish a framework to determine why the good employee is good and why the poor performer is poor. When was the last time you took a minute to consider what it is about your best performer that makes her great? When was the last time you performed a review to determine the behaviors which lead to a termination? For most people, the top performer is a “rockstar”—which is meaningless. The low performer “just didn’t work out”—also meaningless.

And that’s why most people use defaults—because specifically identifying behavioral characteristics which correlate to success or failure is difficult. And that’s what these “fit” labels are: generic defaults which seem as though they correlate to high job performance, but which actually do not. And that leads to the second problem, which is getting derailed by a false correlation. Being a “nice guy” is only relevant if being nice actually correlates to success in the job role for that company. The problem is the default presumption of “We’re having a hard time finding somebody, so let’s at least find a nice guy.” And when you go in with that mindset, you’re not going to come out with a nice guy. When you go in with a default mindset, you’re going to come out with somebody who is a “good fit for the team,” and that’s somebody you’re comfortable with—someone who is just like you.

Many organizations talk about their company culture and the idea of fitting into that culture. But on the flip side, it’s vital to value differences in perspective, unique approaches to problem-solving, and diversity in general. This is especially true in the field of cybersecurity, because the stakes are so high. Without diverse mindsets and thought processes, you don’t have a team; you have several people with one opinion. The reason high-functioning teams perform at a different level is that the process of working with different approaches produces a better result. Without differences of opinion and differences in thinking, your cybersecurity performance will suffer. When you start with the structure of, “What do I need?”—what are the technical things and what are the behaviors—the stuff that’s not important will fall away. Mainly, “Do I feel one hundred percent comfortable with this person?” If you have finally found the unicorn that meets the things you need, nothing else will matter, because you’re going to be so happy that you found the person that you need.

Teamwork can coexist with cultural differences. In fact, it can thrive with diversity. Yet, it’s so difficult for people to hire someone when that person is someone different from themselves. The Big Mistake yet again. As Gail notes, we need different views to create better solutions:

Gail: I tell people that I have a different perspective and the more perspectives you have, the better. I want to hear from everybody. I can’t hear from enough people about what they think is important because everybody brings different experiences and insights to the table, and enhances the conversation. And the more of those people you can bring into the tent, the better your chance of avoiding a catastrophe. But sometimes that can be a struggle.1

Think back to the Equifax horror story and the conflicting personalities at the heart of it: a working relationship between the CIO and his subordinate CSO devolving because of “fundamental disagreements,” causing the removal of the security function from IT (out of the CIO’s territory) into legal. Even when a new CIO was hired, and then a new CSO, this siloed structure never reverted.2 While “fundamental disagreements” are unworkable, disagreements in general are not. Cybersecurity requires differing perspectives because every problem requires as close to a 360-degree perspective as possible. Adam Bricker explains:

Adam: We need the intellectual curiosity, and the emotional courage, to try to figure out the other side of the story—spending as much time proving ourselves right as proving ourselves wrong.3

There are some who would dispute placing capability first. This argument holds for the notion that “good people” should be found first and then projects found for them. It’s a compelling argument. And in some ways, we agree with it. But while that works for strategic development and innovation, hiring for cybersecurity roles is more focused, so it requires a different approach. The “good people” process would be equivalent to assembling a group of good athletes and then finding a sport for them to play. That may work if you have the time and resources to find a group of athletes who are willing to accept employment without knowing what sport they’ll play. But if you’re building a soccer team, you’ll have better success if you look for good soccer players. And while you may find some good athletes along the way whom you can teach soccer, it takes time and resources to teach them—just like you may find a talented leader who knows nothing about cybersecurity—you can teach them the tech side of cybersecurity, but it takes time and resources to do so. And you will probably find enough good soccer players that it makes no sense to spend time and resources teaching the game to good athletes who don’t already know the rules.

It’s the same for cybersecurity hiring. You need specific people who can do the work, but at some level, there are many people with the technical skill to do the job you’re hiring for. So what’s next?

Understanding Human Behavior

Companies must understand that what they’re hiring is a set of behaviors. Just as there are no universal job descriptions, there are no universal optimal behaviors. Even when you decide to look at soccer players and not any other sport, you find everyone knows the game, but not everyone has the same level of skill and not everyone can play every position.

If you have memories of intramural sports during high school, or if you ever coached your kid’s soccer team, it’s a great way to illustrate the point. It was usually pretty easy to tell who the good soccer players were—they were always kicking around a soccer ball anyway. But they were generally the ones who could kick the ball where they wanted it to go—as opposed to the rest of us for whom it was a luck proposition at best. But regardless of their basic skill, everyone also knew what position the good players should play. There was always a high skill player who was a waste of talent on defense because she’d never stay there. As soon as she got the ball, she’d be off like a rocket and trying to score. As annoying as that would be, you quickly learned that her position should be striker. You’d probably win if she was there, and she was going to play there anyway. Similarly, there were others who had equal ball-handling talent who would simply never move forward. Regardless of the opportunity, as soon as they reached mid-field they would pass forward and hustle back to the penalty zone and set up for defense.

Put simply: you needed both types of players if you were going to win the soccer game at recess. And you need to match the personality (as distinct from the skill) to the position. In addition, the behaviors are not things which can be trained in or trained out. Ball-handling skill can be taught and developed through drills and practice. But the deep desire to protect the goal or the red-hot desire to score can’t be taught. It can be identified during practice and utilized during the game, but it can’t be created where it doesn’t exist.

How does this apply to hiring for your cybersecurity team? First, and most important, you must identify the behaviors you need (as distinct from the skill). After the heavy lifting of Can and Trust, what you want is a hire who Will behave in the way you want them to behave—or, more accurately, how they need to behave to get the job done well. The only way to find such a candidate is to carefully parse how you need the person in the specific job role you are hiring for to behave. There may be major differences between what someone is capable of versus what he or she will accomplish. Why is this important? Because it’s the performance of the team that matters. And here, we transition from soccer to watches.

We have a colleague who loves watches and has a collection, but the one we notice the most is a Rolex dive watch. We don’t know enough to give the watch model name, but we’ve listened to our colleague speak about it enough to have a sense of what goes into its parts and assembly. Naturally, only the best materials are used, the correct alloys and jewels are procured, and the tiny parts are manufactured. The design is also nearly perfect and is the result of years of seeing how watches can be damaged, abused, or just subjected to routine wear and tear. But it’s the assembly which is truly remarkable. When one of their expert assemblers puts the pieces together, a huge amount of time and attention is devoted to ensuring the pieces fit. What they don’t do is grab parts from a box, snap them together, and screw on a casing. They painstakingly inspect each part to ensure it has been manufactured correctly and to standards. Then, they insert it where it belongs in the watch movement and test it to ensure it functions properly before the next piece goes in. If a part does not function properly, the assembler has a set of tools which can file, shape, and refine the part until it functions the way it should. If a part cannot be modified so it will work, it is discarded.

The process is painstaking and deliberate, but results in a set of parts coming together with a close enough fit that the watch functions perfectly. And not just perfectly—it functions perfectly under stress. Our colleague’s watch can be dropped, banged against furniture, scratched across steel, and even taken down to one hundred meters under water, and it still functions perfectly. Why? Because the parts were manufactured of high-quality materials and—most importantly—fitted together with a high level of skill and attention to detail, so all of the parts function as one device even under stress.

This is why understanding behavioral characteristics is so important when hiring for your cybersecurity team. If you take care to ensure all the positions are filled with people who have the characteristics needed to fill each role, and your team is fitted together with care and precision, they will do the job of protecting your company, even under stress. And the fit is very specific. Let’s go back to our funny, lively, high-spirited failure at the beginning of the chapter. For the company that hired him, that set of behavioral characteristics was disruptive and caused problems in how the team functioned. But in another company, one which needs an active cheerleader who bounces from cubicle to cubicle giving everyone approval and a quick break from the pressures of work, he would be a good member of the team. The point is simple and critically important: the team matters, each position on the team matters, and the behavior of each team member matters. Bill Thornton explains:

Bill: On the issue of teamwork—every team can tolerate one or two eclectic people that can’t get along and can’t communicate but are so great, technically, that you’re willing to overlook the problem. But it’s very rare that the person is actually worthwhile. So it’s communication and the ability to work in the group. You don’t have to work perfectly or flawlessly, and collaborate on everything just right, but you’ve got to be able to communicate and effectively work together. Delegate, trust, responsibility, share it. Cooperate, collaborate, if you can’t do any of those skills it’s very difficult to have an effective team. And here’s what I mean, I can put someone—unless you’re again just staring at logs at the very entry level—if I put you in charge of my data loss protection program, you have to cooperate, you have to collaborate with business, with engineers, with everyone across the spectrum. If you can’t do that—I have someone like that—I had to let them go. It’s not fun but it’s critical. It’s a critical skill. I’m not saying it’s a panacea to cover up for inadequate technical skills, but if you don’t have that skill, I’m really not very interested.4

All of the personalities must fit together to form one durable and high functioning whole. And parts are not interchangeable. A replacement gear from one Rolex will not simply pop into another Rolex—it needs to be fitted, modified, if necessary and possible, and tested. The fact that the candidate you are considering was successful with your competitor, or even with the company that you just acquired, does not mean they’ll be successful with you. You simply must understand who and what they are: what they can do and what they will do—determine if they have the behavioral characteristics that correlate to success in the specific work role for your company.

Identifying Behavioral Characteristics

The best indication of behavior is past behavior—which is the portion that the final phase of our hiring model deals with: the Will.

Most hiring managers know whether a person will succeed within the first few months after hiring, usually during the onboarding period. Why is this significant? Because it means everyone knows what failure and success look like within a few months of hiring. The problem is most hiring managers don’t know soon enough—they know after hiring, but not before. How do you make better hiring decisions? Know before you make a job offer. The solution begins with one of the other core drivers of bad hiring decisions. We’ve already looked at what happens when you try to hire for “fit”: you don’t get a team, you get multiple people with one world view.

The other core driver of bad hiring decisions is Category-Based Presumptions. Things like, “Older people are reliable,” or “Millennials are selfish.” Fundamentally, these presumptions may be correct, but they simply aren’t useful when you’re hiring. Why? Because you’re not hiring a class of people, you’re hiring a person. Millennials might be selfish, but the actual young person sitting in your interview may not be. Older people might be reliable, but the one sitting across from you might be a flake. How do you tell?

This problem is avoided by ensuring you know the specific behaviors required to be successful both with your company and in the specific job you are hiring for. The fundamental key to using behavioral characteristics to differentiate between candidates is to understand that behaviors are specific to the job and to the individual, and the purpose of the hiring process is to connect them. Behavioral characteristics are not general—there is no generic set of behaviors which correlates generally with success or failure. While it’s true that a variety of publicly available behavior profiles can be found without much searching, be aware that using them can lead to bad hiring decisions, and in some cases, litigation.

The properly prepared and executed behavioral interview is crucial to getting this right. And it starts with asking: Who do you truly need? Begin by working through the particular job role and categorizing the behaviors of previous employees. (Remember, even if it’s a “new job” for your company, someone may already be doing—or outsourcing—the work. That’s probably why you’re hiring, and it means you have behaviors to analyze.) As you work through this analysis, break down past behaviors into those which lead to success in the role and those which lead to failure.

Another issue to address here is the difference between what a person Can do and what they Will do. You may have a person who demonstrates a high level of skill in communication, someone who can fluently speak “tech” and “people,” but if they don’t speak “people” to those who need it because they don’t want to, that’s a performance difficulty which is extraordinarily difficult to correct. The tech person who isn’t interested in communication unless you speak their language is really no different than the tech person who can’t communicate at all. Both are probably Failure–Noncoachable. In fact, one of the critical components listed in the NICE Framework is the ability to communicate technical information in lay terms when necessary.5 A candidate who can do this in a test environment may not be able to do it in an emergency. Worse, a candidate may have the capability of speaking in lay terms, but be unwilling to do so due to arrogance or other personality traits. The behavioral interview extracts this type of data and is a crucial part of the overall candidate evaluation when taken together with credentials and testing.

Once you have relevant behaviors delineated into Success, Failure–Coachable, and Failure–Noncoachable, add to this the list of hard skills, certifications, and training required to perform the role. These four lists (behaviors, hard skills, certifications, and training) are now the foundation for drafting the job description competencies—your articulation of who you are looking for.

Spotlight: Personality

It is important to distinguish between personality and behaviors, which are two different psychological concepts. Personality traits can influence our behavior in many cases, and there are hundreds of academic (and not-so-academic) studies and books written on this topic. But for our purposes, as discussed earlier, one of the key errors that leads to The Big Mistake is thinking that what you see of someone’s “personality” during an interview reveals whether he or she is a “good fit.” While you might think that the abundance of personality inventories available, and the broad range of differing approaches to psychological testing, personality typing, and personal potential indicator assessments, would provide something useful, these tests usually assess general traits like competence, work ethic, or emotional intelligence. An introspective review of these general personality traits may be helpful to an individual who is seeking self-development through reflection, but such testing is not helpful in determining whether a person is both capable and willing to execute a given cybersecurity job role for a particular employer.

We are not psychologists and do not claim to be. Our main point is this: the impact of failing to specifically identify the behavior characteristics—not general personality traits, but the specific behavior characteristics—which correlate with success and failure in a specific cybersecurity job role at a specific company—is exponentially greater than with a nontechnical position. Getting it wrong in the warehouse wreaks havoc in shipping; getting it wrong in network penetration puts the entire enterprise immediately at risk. Again, we are not dismissing introspection or these more generic personality traits as being without value; we are strong advocates for using them in self-development training programs. They are simply too general to correlate specifically enough to be relevant or useful in a hiring process.

Behaviors that correlate with success or failure in cybersecurity job roles must be precise enough to be useful. Bill Brennan highlights how he views certain behaviors fitting into cybersecurity job roles:

Bill: If you’re super detailed and you love following procedure, and that’s where you’re comfortable, in developing new procedures—my goodness, information security has a job for you. You can come be a risk analyst for me tomorrow, I would love it. But if you’re a by-the-book-procedural person, you’re not going to be a very good analyst. And vice versa, if you’re kind of freeform, “I’m going to go where the bits take me but I’m going to get to a conclusion,” my goodness, please join my analyst team but man I don’t want you doing checklists because you’re going to be unhappy.6

Personality traits are general descriptors that do not correlate to job performance; behavioral characteristics are specific descriptors that can correlate to job performance. Consequently, personality traits don’t matter when attempting to find the right hire; behaviors do matter. If your personality assessment tests for emotional intelligence, it will not produce the differential data necessary to slot the detail-oriented procedure person into the information security job and the “follow the bits where they take me” person into the analytic group.

In order to truly visualize this concept in the context of cybersecurity job roles, let’s take a look at exemplary behaviors that cybersecurity professionals have called out. Amanda Tilley, the information security analyst, explains the confluence of traits that create “teachability”:

Amanda: I’ve learned over the years that teachability is an incredibly important trait. It’s essential to have the drive and the resources to go find the answer on your own, but it’s crucial to put ego aside and acknowledge one’s limit. Utilizing your teammates’ experiences and perspectives in a collaborative environment to reach a conclusion makes the entire team better. What makes our team successful is that we are all there for one another, no one on the team should feel like he or she is on an island.7

Let’s break down what Amanda is actually doing here, because it’s more than just stating that teachability is a success indicator for the work roles in her company. She’s intuitively doing the deeper dive into what specific behavior characteristics are the component parts of teachability. They are as follows:

1. The willingness to say “I don’t know.”

2. Responding to not knowing with a visceral need to find the answer.

3. The willingness to freely admit not knowing the answer and seek help.

If she didn’t do the deeper dive, she would be stuck looking for “teachability” in her interview. As a result, she would struggle during the interview to understand how “teachability” manifests itself in behaviors and would very likely end up with a fuzzy sense of whether a candidate “seems teachable.” But by taking the time to get to this granular level, and to specifically articulate the three behavioral characteristics which are the components of teachability for this job role in her company, she has a structure upon which to build her interview question sets. And she avoids The Big Mistake because she knows exactly what to interview for. By setting up behavioral question sets for the three component behaviors of teachability, she will extract differential data which will allow her to analyze whether a candidate is teachable and should be offered a job.

Michael Woodson, the Director of Information Security and Privacy, points out the significance of communication among his team members:

Michael: You’ve got to be able to talk and communicate. You should be able to sit in a meeting, and I expect you to not talk techie. And for those that can’t, and I have those in my camp, they go to a meeting with me or maybe somebody else that can. I never send just one person to a meeting, I always partner them up so they can have somebody to back them. I’ve had to teach them to “talk people.” And what does that mean? You’ve got to be able to take it to the upper level.8

This description of communication is actually a very specific success indicator, and it can be taken in contrast to Amanda’s example which has constituent components. Michael’s example is specific enough that it does not need to be broken down further. The signal that a deeper dive should be considered comes from addressing the question: “What does that success indicator mean?” If the meaning is one thing (i.e., “Communication means ‘talking people’ when necessary”), then a deeper dive will probably not reveal more specific behavioral characteristics and you can start building corresponding behavioral question sets. In contrast, Amanda’s teachability success indicator means three things, so a deeper dive to ensure that all of the components of teachability are articulated is worthwhile before beginning to build question sets.

Gail Gottehrer, the emerging technologies lawyer, describes a seemingly contradictory set of traits:

Gail: This may seem contradictory, but I think the skill that is important is being flexible enough to be both proactive and reactive. You need somebody who can make a plan, can see a situation, assess risk and evaluate scenarios, and then look forward and come up with a plan to address the concerns that exist at the time and those that are foreseeable and help keep the organization safe. But, the person also needs to be prepared to scrap that plan at pretty much a moment’s notice and then come up with a new one, and not get hung up on the pride of ownership, or get defensive about perceptions that the original plan was “wrong,” because, in the world of cybersecurity, the world changes in the blink of an eye.9

Gail articulates an excellent example of the complexity we see in the cybersecurity world, and it underscores why a deep level of precision is crucial when evaluating people for hiring in cybersecurity. Without a structure like Can–Trust–Will, which enables you to unpack and organize the technical skill and behavioral characteristics that correlate with success in specific job roles, you would—like many people do today—throw up your hands in frustration and say “just hire some good people!” But with a structure like Can–Trust–Will, Gail can articulate that she needs someone who can both create a plan and scrap the plan and improvise immediately upon seeing the plan won’t work. And by deep diving into the component behaviors of planning and the component behaviors of scrapping-the-plan, she will be able to build focused question sets which will extract differential data for all of the behavioral characteristics she needs in the job role. It may be difficult to find people with all of the characteristics she needs, but—and this is most crucial—she knows what she’s looking for. Consequently, if she doesn’t find the candidates she needs and has to scrap her own plan, she’ll be doing so with data that prove such candidates aren’t available. And that allows her to either proceed with “Failure–Coachable” candidates who will be trained, or restructure the work roles within her team so employees with the two behavior characteristics are set up to interact in a way which produces success for the company.

Adam Lee, the VP and CSO, discusses his view of “flexibility” in our complex cybersecurity world:

Adam: It takes constant evolution. The threats evolve as fast or faster than your defenses. So every aspect from funding, to staffing, to what defenses are in place, to why you are doing what you are doing, is a constantly evolving puzzle. You cannot have staff that are inflexible … you cannot have a vision that is stagnant or that is fighting the last war … you have to be nimble and evolving while still doing everything you did before, just as well as you did it before because threats don’t go away. They get added to.10

How do you find the people you need to address threats which “evolve as fast or faster than your defenses?” Without a structure which drives a granular analysis to separately identify the technical skills and behavioral characteristics that correlate to success for each work role, you will simply fail to find and hire the people you need to stay ahead of the threat. Dive into the analysis to pull out each behavior that corresponds with success.

Uncommon Characteristics

We’ll conclude this chapter with a few observations related to behavioral characteristics which many of us wish were common, but simply are not. This section is not a lament, nor is it advice that these behaviors should be more broadly sought or developed. Rather, we enumerate them to trigger your thought processes as you begin to understand what skills and behaviors correlate with success in your company. These things are uncommon and should be recognized, both so they don’t find their way into every job description (you’ll have to scrap that plan) and so you’ll recognize them when you see them.

Adam Bricker offers a wonderful view on one of the more uncommon behaviors, “grit”:

Adam: I’ve talked about curiosity, communication, storytelling, critical thinking, discipline, etc. Now we must add another dimension to the skill set—grit. I define grit as “doing the unpleasant when it’s necessary, over and over again.” And these professionals with grit—they’re called at two or three o’clock in the morning, they’re called on Saturday afternoons, they’re called on Monday. And it’s really unpleasant sometimes—what they deal with, the false positives, the false negatives, the nation-state actors and persistent threats, and whatever else there might be out there. But over and over again, they have demonstrated that ability to consistently answer the call.11

This characteristic is complex, rare, and extraordinary. The person who won’t quit when they find themselves in difficulty is unusual but not particularly rare. It’s not perseverance in the face of adversity which makes grit rare, but it’s the willingness to enter a situation which is known to be difficult, to choose to face the same challenge again, which makes grit rare. In addition, grit is also so deep-rooted in the people who have it, that most of them don’t even realize they have grit—they think they’re just doing what needs to be done. Consequently, grit is not only rare but also often unacknowledged and difficult to detect. It’s worthwhile to be aware of the concept and existence of grit, and to ensure you have it in the description for the few job roles which require it.

Curiosity is often mentioned alongside passion in the world of cybersecurity. They are not the same, but their interlocking nature underscores the significance of such characteristics in certain cyber roles. For John Avenson,12 the Vice President of Technology for the Major League Baseball Team the Minnesota Twins, curiosity is so important that he calls it a superpower:

John: If human beings have any superpower, it’s curiosity. While we try to hire technology folks that meet our educational and skills focused job description requirements, we tend to put more emphasis on the traits and aptitudes a candidate can holistically offer. Does their curiosity drive a passion that looks for opportunity? Does their curiosity fuel a spirit to discover and innovate within a small team? We need to hire folks that leverage their curiosity to want to wear multiple technology hats while keeping their head on a business swivel. These kinds of hires are especially important for small or medium sized businesses who don’t have a specialized team working in an independent Cybersecurity Operations Center.13

The way John articulates curiosity reveals it as a way of being, rather than merely a behavioral characteristic—and at his sophisticated level, it is. It’s reminiscent of Adam’s “essential life skills” from Chapter 3, the deep component of who and what a person is which makes them “unable to not” figure things out. Our best advice regarding the superpower of curiosity is to ensure you are always on the lookout for it during your behavioral interview and snatch it up when it suits your open role.

Speaking further to passion, it is a complex behavior which is commonly referenced in cybersecurity—whether it is being defined as desire to grow, to learn, or to advance. Wheeler Coleman gives us his take:

Wheeler: I love taking a strong number two employee and making that person the number one (a lead role such as a CISO). So, whether it’s at a conference, through LinkedIn or other social media, I’m looking for hungry, talented people. They want to prove themselves and are looking for an opportunity to set the world on fire. I once recruited a guy that was a strong number two itching to get a title of CISO. He had a boss that was doing well and not leaving his position anytime soon. He jumped at the opportunity to make a difference.14

There are two forces at work in Wheeler’s description. In some ways, it’s a mentor–protégé interaction, but at its core, it’s a person with a very specific set of drivers having the path cleared by someone who knows the way and values unlocking the potential seen in someone else. The behavioral characteristic of having a “hunger” is what identifies a person with development potential. But without a corresponding behavioral characteristic in Wheeler’s personality—that of coach, mentor, instructor, and developer—the potential of the employee would either remain untapped or would require a struggle to emerge. We won’t do a deep dive into leadership here, but the observation is that while identifying behavioral characteristics is key to finding the people you should hire, it’s fostering the interactions between the people on your team that drives high performance. As difficult as it is to find and hire people, the effort is wasted unless leaders take action to unlock the potential they bring.

Spotlight: Legacy Systems

Many of the cybersecurity leaders we interviewed spoke about the challenge of joining mature organizations that already had existing teams but needed to go through the process of cultural change to grow to the next level. The challenge when taking over a team, regardless of size, is how to create a process to make the necessary change without causing undue disruption. These CIOs, CISOs, and IT leads had to handle a different type of “legacy” system, and it is a complex situation to manage.

It’s easy for the new boss to come in, “clean house” (i.e., fire key people), and bring in their own team—a bunch of new key people. But often, the shock of the change causes more problems than it solves. There’s a better way, and it relies on understanding the behavioral characteristics which correlate to success in each job role in order to influence the change needed. It’s like the difference between liposuction and a program of diet and exercise when you need to lose weight. Liposuction is drastic and has an immediate and apparent effect, but it may not produce durable results. Diet and exercise do not show immediate results, but when change comes, it is both durable and inexorable. And although the change can happen gradually enough that you might wonder if it will happen at all, it will happen with purpose.

When you take a new job, particularly if it is a senior role, most of the advice you’ll get is about taking the time to learn your environment and understand your people. And it’s important to take that time to understand the behavioral characteristics of the people you have and begin figuring out the behavioral characteristics you need as you restructure the team. But it’s equally important to recognize that the process of taking some time also allows your environment to become familiar with you being in it. If you come in and start pushing, everyone is still trying to understand who you are and how you communicate. If you immediately put them under the stress of change, of doing the old things in a different way, performance suffers. And it suffers for a very specific reason. You’ve come into their environment which is familiar to them, and you want them to be different.

Many leaders talk about listening tours, and how important it is to not do anything for the first six weeks or even for the first six months before truly understanding the environment. Fundamentally, the listening tour is not actually about them understanding the environment—it’s them recognizing the environment takes time to understand and get familiar with them. In the same way you start losing weight by doing small things every day that cause the fat cells to leave the body, so too, you’re interacting with people in a way that draws to you the personalities and the behavior types that function best with you. This process will also drive away the behaviors and personality types that don’t function well—whether that’s personnel leaving on their own, or being let go as the process moves forward. And if you focus on understanding the behavioral characteristics you have and then determine the ones you need, the change will become a process of managing how the personalities interact and how the team culture changes as people depart and replacements arrive.

1 G. Gottehrer, in discussion with the authors. July 09, 2020.

2 U.S. House of Representatives Committee on Oversight and Government Reform, The Equifax Data Breach. 115th Congress. https://republicans-oversight.house.gov/wp-content/uploads/2018/12/Equifax-Report.pdf (pp. 55–56).

3 A. Bricker, in discussion with the authors. July 13, 2020.

4 B. Thornton, in discussion with the authors. July 29, 2020.

5 NICE Cybersecurity Workforce Framework. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf (pp. 25–88).

6 B. Brennan, in discussion with the authors. August 04, 2020.

7 A. Tilley, in discussion with the authors. July 02, 2020.

8 M. Woodson, in discussion with the authors. July 20, 2020.

9 G. Gottehrer, in discussion with the authors. July 09, 2020.

10 A. Lee, in discussion with the authors. July 09, 2020.

11 A. Bricker, in discussion with the authors. July 13, 2020.

12 John Avenson began his twenty-seventh season with the Minnesota Twins baseball team in 2020, and he was named Vice President of Technology in 2006. John is a veteran of the Persian Gulf War, where he served with the United States Marine Corps.

13 J. Avenson, in discussion with the authors. August 03, 2020.

14 W. Coleman, in discussion with the authors. August 12, 2020.
