Are Your Best Employees "Your Biggest Risk"?



Your life as a cybersecurity professional, especially as a cybersecurity leader, entails managing risk. There are external risks (a.k.a. hackers), there are physical security risks, there are budget risks, there are organizational risks and there are technology risks.

Your employees -- moreover, your best employees -- are a risk. So sayeth CISO Tradecraft® Newsletter (CTN) this week. Their rationale is clear: "The hard truth for modern leadership is that AI has democratized capability so thoroughly that your entire organization, not just your engineering team, can now generate production-grade risk at machine speed."

We just finished summarizing Rich Mironov's latest post, 'Code isn't product,' which landed on a strikingly similar note: faster code production leads to "DOA products" because there is no consideration of what customers actually want. You're simply turning over more code to demonstrate activity, with a mindset that activity equals productivity, and expecting that customers have also scaled their attention capacities (and budgets) for your fusillade of coding.

Since we already reflected on coding not being producing, let's think about your best employees and the risks they entail.

Sorry to start with a pre-AI observation but let's face it: all employees are insider threat risk vectors. There is an entire insider threat industry that hasn't advanced beyond: grievance plus access plus opportunity = risk -- i.e. the formula in the graphic.

But the CTN thesis is that your "best employees are your biggest risk." Best as we can tell, these best employees are risks because...they are more capable, more productive, and push boundaries in the pursuit of their talent.

Here we are with another pre-AI observation: if your best employees are your biggest risk because they get more done, well, that's always been the case and AI is simply making that clearer, faster, and more relentless. In the behavioral sciences we perseverate a lot about "star employees" outperforming, you know, non-star employees (see helpful video by Professor Herman Aguinis). AI has accelerated the gap between star employees and...very good employees?

There are two ways to deal with this as a cybersecurity leader.

CTN puts their solution this way (quoting at length):

Being “AI-native” is not a luxury; it is the baseline for future business viability. Much like the transition to the cloud, the move to AI will leave behind those who hesitate.

As a professional, you must maintain your “AI streak.” Much like a daily habit of learning, you must engage with these tools every day to stay relevant. The goal of this revolution is not to replace the human element, but to use AI as a lever to amplify the things only humans can provide: intuition, empathy, and “product taste.”

The ultimate strategy is to leverage AI to amplify your people, not replace them.

We're all for this set of recommendations but to be blunt this should apply to any employee, not exclusively "your best employees." In fact, the more you take their (excellent) suggestions, the wider CTN's advice will make the gap.

Our solution is as follows:

1. If you are responsible for hiring, developing, or managing managers or leaders, you need to hire new personnel who have the talent to manage the best employees. That is the first and always best option.

2. If you are already in a position of leadership and you worry about the riskiness of your best employees, you need to find ways to engage your best employees while reassigning or up-skilling or otherwise dealing with your less-than-best employees -- appreciating that they are the vast majority of your team.

Those are your only two options. Yes, it's that stark.

That may feel vaguely unnerving or even threatening. And that's the biggest risk.

Ask us how you can manage your risk by better leading your best employees.

(image credit: Gill, J.C., CC BY 4.0 <https://creativecommons.org/licenses/by/4.0>, via Wikimedia Commons)
