Resilience is a Team Sport Chief Security Officers Must Learn How to Coach
One of the most overlooked aspects of incident response is how the culture, communication, and resilience of security teams will change. I recall one instance when a PR exec expressed a concerning level of surprise upon learning that their company’s security team was struggling with low morale, high burnout, and feelings of betrayal following the public fumbling of a major incident disclosure.
The PR team felt they’d achieved the best results possible given the situation, measuring success by the mere inclusion of the company’s statement in press stories and the speed at which journalists were willing to move on to new stories. They hadn’t considered that internal reactions to their PR campaign might impact the effectiveness of other teams, which could make or break another news cycle.
The lingering consequences for the security team and the potential impact this would have on future incidents were considered inconsequential or simply neglected by company leadership. The security team was left behind while the rest of the company tried to forget anything ever happened.
The crisis certainly didn’t automatically increase the level of influence or respect they experienced throughout the company — instead, they were abandoned to fend for themselves, care for their wounded, and on some days, simply hold it together. It was one of the most incomplete incident responses by a seemingly experienced “crisis communications” team I’ve ever observed and it cost the company dearly.
Unlike the celebratory corporate response our product or marketing colleagues often receive following major sprints or releases, most of the attention security teams ever receive from their companies is in the context of an incident when they’re expected to save the company’s ass. The most stressful situations security teams endure on behalf of their employers are rarely recognized or rewarded by business leaders, let alone incite a company-wide town hall or creative new swag representing every new button in a mobile app.
Unfortunately, it’s common for security teams to feel underappreciated and isolated from the rest of the company, especially when security is not seen as core to the business (future posts will discuss how to position and communicate security as core to the business). In either case, security leaders would do well to consider a dedicated resiliency strategy for their organization so that individual incidents — or a series of incidents — don’t contribute to a long tail of burnout, attrition, and mental health challenges. Security leaders know the true cost of an incident can’t be found in legal settlements or regulatory fines.
There was a great article on resilience published by the Harvard Business Review in early January. Written by Rob Cross, Karen Dillon, and Danna Greenberg, it discussed new research that contradicts the conventional thinking that says, “resilience is something we find within ourselves only when we are tested — a kind of solitary internal ‘grit’ that allows those of us who are strong to bounce back.” Instead, the authors found that “resilience is not purely an individual characteristic, but is also heavily enabled by strong relationships and networks.”
The article presents a strong framework for identifying relational sources of resilience (below), which aligns with many of the areas in which Discernible counsels CSOs and team leads on building a resilient security organization. One of the reasons I advocate so forcefully for security communications as a proactive rather than reactive investment is to ensure security organizations have the relationships they and their team members need to rebound from setbacks.
Resilience for your team can be built and nurtured through these relationships by helping individuals shift demands, find meaningful purpose, or identify a path forward to overcome the challenges they face. As the authors note, these are the kinds of interactions that motivate us to persist because they function as a support system that can provide empathy and bolster our resilience by shifting perspective and reminding us we are not alone in the fight.
“Resilience is not something we need to find deep down inside ourselves: we can actually become more resilient in the process of connecting with others in our most challenging times.”
They counsel further that merely having a network of supporters isn’t sufficient; what matters is truly connecting with them when you need them most. It’s in the actual interactions and conversations themselves, the ones that “validate your plans, reframe your perspective on a situation, help you laugh and feel authentic with others, or just encourage you to get back up and try again because the battle is a worthy one — that we become resilient.”
Strengthening Your Security Team’s Sources of Resilience
Their research also showed that sources of resilience are not universally or equally important to everyone due to personal experiences, values, and context. In working with Discernible clients, I’ve found the same is true for security teams. The relationships security teams rely on to navigate day-to-day challenges often differ by company, leadership, industry, and organizational history.
Understanding which sources are most important for your team provides a helpful guide in prioritizing the sources that will be most helpful during difficult times. These can include a number of connections such as a cross-functional team, an industry peer, an executive sponsor, or an advisor. They can be a professional association or informal community group, or simply a friend. As the authors note, diversity is another important element of resiliency.
“Exposure to a diverse group of people allows us to learn different ways of managing, leading, and handling crises, and helps us develop different relational skills such as negotiating with various stakeholders. It also helps us cultivate empathy and perspective that we carry back into our work, among other benefits.”
Keep a pulse on the sources of resilience for your team at any given time and invest in strengthening them by expanding existing relationships or initiating new ones. Remember these relational sources may change over time as team members, circumstances, or context change.