Hidden C/S: The Performance Review

This post is part of a series about aspects of cybersecurity which are not obvious, especially to newcomers.

This post is about the cybersecurity aspects of the humble performance review.

What does cybersecurity have to do with performance reviews? To answer that question, let us go down the cybersecurity chain from start to finish.

(1) Senior management signs off on a cyber asset as critical, which means that the asset is to be protected from at least one specific risk. This is Identify in the NIST CSF.

(2) Someone in the cybersecurity program (CSP) assigns a "control" to that risk for that asset. This is Protect in the NIST CSF. This step includes agreeing on what constitutes proof that the control is effective.

(3) Monitoring that control becomes part of someone's job. This is Detect in the NIST CSF.

(4) Sharing the results of that monitoring with a supervisor (this is the evidence which makes your CSP evidence-based) becomes part of that same someone's job, the job on which their performance is judged.

(5) Summaries of that evidence join all the other management reporting used to keep senior management in the loop.

Performance reviews become a big part of your CSP in item 4 above. People pay attention to what you care about, not what you claim to care about. If your boss cares about your role in the CSP and takes an interest in how well you do your part, then you will do a better job. If your raises depend, at least in part, on how well you do your part, then you will do a better job.

Cybersecurity needs to happen every day; it needs to be habit, to be automatic. That level of commitment does not happen without reinforcement. The performance review is that reinforcement.

This is an example of why Pythia Cyber stresses the behavioral aspects of cybersecurity: technology is only half the story.

This post is one of a series of four: [ 1 2 3 4 ]
