Win By Making The Transition To A Talent-Based Culture



Our focus at Pythia Cyber is behavioral cybersecurity. We bring the best in behavioral science and organizational behavior practice to the realm of cybersecurity.

As part of the mission, we have developed three assessments of cybersecurity talent -- front-line, manager, leader -- for the purpose of assessing talents related to effective cybersecurity performance. Talent assessment is entirely a 'normal course of business' in the behavioral science and organizational behavior realms.

Using a pre-hire assessment process means that you will find that some people have talent, maybe a lot of it, to be effective in these roles. There will also be people who score low on these assessments.

Cybersecurity is a technologist domain. Talent assessment is a behavioral science domain. These are different domains, and that creates a need for dialog and bridges between the two to capitalize on the synergy to be gained through their overlap.

First let's ask why we wish to create overlap. Cybersecurity for too long (in my opinion) has been focused on certifications and technical credentials. This seems to have been acceptable, and it made sense when the supply of certificate-holders was low.

But then more companies needed cybersecurity personnel, cybersecurity started to become endemic to expanding market share, and organizations moved more operations and property to cloud systems. And then -- well, now actually -- it turns out that bad actors are more intently looking to defeat organizations in cyberspace. This is a perfect recipe for caring about cybersecurity talent.

Over 115 years of empirical behavioral science research has demonstrated that pre-hire tests are effective in predicting job performance. But there has been no utilization of these methods in cybersecurity.

It's not much of a behavioral science issue; it's a cybersecurity issue. To cut to the chase, cyber-attackers still target system vulnerabilities -- unpatched systems, systems lacking strong authentication, systems with legacy password systems -- because those systems have not been secured.

To paraphrase Jen Easterly, former head of the US Cybersecurity and Infrastructure Security Agency (CISA): we don't have a software problem, we have a cybersecurity talent problem.

Here is Jen in a new post on LinkedIn wherein she refers to the proactive value of AI in finding problems:

That is essentially what I wrote about last year in “The End of Cybersecurity.” (https://lnkd.in/eexg_R5Z) For too long, we have treated insecurity as something to manage after the fact. We built a huge cybersecurity aftermarket to compensate for brittle, defect-ridden software that, because of misaligned economic incentives, was—to borrow from Ralph Nader—“unsafe at any CPU speed.”

Second, what does that overlap imply? There is more we care about now in terms of cybersecurity work performance at multiple levels than we were able to expect or tolerate in the past. Technical expertise is still highly important. From a competitive perspective, organizations that have better cybersecurity talent are going to win, and organizations with less talent are going to become imperiled. 

Third, there is no shortage of empirical evidence that leadership talent matters. Cybersecurity organizations with more talented leaders are more likely to have effective operations than are those with less-talented leaders.

The hard truth, finally, is that assessing for cybersecurity talent will turn up evidence that technologists might have technical skills but not the talent to be successful employees or managers. There are remedies at the individual level. At the business level, this is where decisions need to be made using a talent-based assessment.

As an organization, using a talent-based assessment process means you are changing your culture. Many (most?) companies talk about "fit to their culture" but that generally means something that's hard to define. There are a lot of aspects to culture -- see the graphic header on this post. A talent-based culture is different. It means that you hire for, manage, and develop people based on their capacity to engage and succeed -- what Brendan recently referred to as 'TAU.' When an applicant 'fits' your talent-based culture, it means your organization values talent, rewards talent, selects for talent, manages for talent, and develops for talent. It means your organization believes in data that show how behavioral assessments predict performance.

Shifting to a talent culture means you have shifted to a culture that wants to succeed and is ready to commit to success.

Ask us how to make the transition to a talent-based culture.

(image by Vmarss, CC BY-SA 4.0 <https://creativecommons.org/licenses/by-sa/4.0>, via Wikimedia Commons)
