Achievement Over Effort


Yesterday Ted posted about how to consider talent as you develop your employees. Today we will look at Pythia Cyber's emphasis on talent as well as experience and credentials from a different perspective: what makes cybersecurity different from most of the rest of IT. More "why" than "how."

I am not the only one who has noticed an alarming tendency in business (American business at least) to reward effort instead of achievement. When I started managing information technologists--either developers or operations personnel--I was stunned to start to have "I spent X hours/days/weeks on this" as an excuse for new technology or new configurations not working properly.

This was a problem for me because part of the reason I was drawn to information technology was the glorious black-and-white nature of it all: it either worked or it didn't. The new one was either better or it wasn't. Upgrades were either smaller and faster and more reliable or they weren't. This suited me down to the ground because, sadly, I don't really care how hard someone worked on something. With all due respect to all the people who have tried to convince me otherwise, in IT it is rarely the thought that counts. Results matter.

As time went on we all adapted to this tendency. We decided that if the team eventually produced the result, we would be satisfied. This trend was compounded by the increasingly high level of abstraction in IT, which meant that lots of people didn't really understand what was actually happening. Thus was born the IT person who, instead of rolling up their sleeves and diving deep, was content to shrug and say "I don't know." "I don't know" is a great place to start debugging an issue but a terrible place to stop. Adding fuel to this particular fire was the increasingly rapid pace of change which made "maybe this will be fixed in the next release" a plausible position instead of a red flag.

Out of this nonchalance we tried to build cybersecurity, which seems like a logical off-shoot of IT, and it mostly is an off-shoot of IT. With one crucial difference: giving people the time and space to eventually get it right doesn't fly. "After all our recent cyber incidents, I think that I have our firewall configured pretty well" isn't as acceptable as "after all the initial bugs and requests, I think that the latest version is ready to ship." Telling your colleagues that perhaps a new release of the network intrusion detection software will finally let you detect and stop network intrusions is not good enough. And so on.

This lack of room to eventually get it right is a big part of why Pythia Cyber wants you to make talent a big part of your hiring and promotion processes. It is hard for you to judge the value of previous experience or certification along this dimension: yes, they ran a cybersecurity program somewhere else, but how good was that program? You can see that they have held cyber defender positions in other companies, but how quickly do they catch on to new programs? Their resume tells you that they have managed people as part of a cybersecurity program before, but were they promoted on the basis of talent or as a reward for utterly unrelated performance?

You can't afford to be the place where someone tries and tries again until they get it. A can-do attitude and a willingness to keep at it are often assets but not if they mask a basic lack of talent. Don't get there eventually. Build a talent-based program with the right people in the right jobs doing the right things.
