Tips for Strengthening Organizations From Within, the Tom Hanks Way

Author: Abdelelah Alzaghloul, CISA, CISM, CGEIT, CRISC, ITIL 4 MP, ITIL 4 SL
Date Published: 31 December 2020

At a time when cyberthreats continue to grow, organizations around the globe are struggling to overcome the challenge of a cybersecurity workforce shortage. According to the 2019 Strategies for Building and Growing Strong Cybersecurity Teams (ISC)² Cybersecurity Workforce Study, there are 2.8 million professionals worldwide working in the cybersecurity domain, and an additional 4.07 million are still needed.1

Filling this shortage has become a top priority for organizations, as cyberattacks are responsible for devastating damages and losses.

There are different strategies and tactics that organizations can use to build, up-skill and retain cybersecurity teams, including capitalizing on ongoing cybersecurity programs to strengthen the organization from within, transforming its staff into frontline soldiers against cyberthreats.

Talented non-security-focused employees with transferable skills can be found in other departments such as IT, human resources (HR), legal, finance and marketing. Making a cybersecurity program more appealing to the entire workforce within the organization increases the chances of having capable employees want to join the cyberarmy.

No matter the size of the organization or the business domain, establishing and running a successful cybersecurity program depends on common principles and practices. Some people-focused principles can be demonstrated and understood by linking them to some of the greatest Tom Hanks characters. Throughout his career, Hanks has played many iconic roles facing and responding to various types of threats. He has portrayed characteristics that organizations seek to cultivate when trying to stay ahead of the changing threat landscape.

Aligning With Enterprise Objectives

In the film Saving Private Ryan, Captain John Miller, portrayed by Tom Hanks, and his squad frequently argue about whether or not to attack a radar station on their way to Ramelle Bridge. The squad’s point of view is that attacking the radar station is an unnecessary risk, considering it does not align with their objective to bring Private James Ryan home. Captain Miller clearly states the objective, “Our objective is to win the war,”2 reminding them of the overarching vision and big picture.

It is not uncommon for teams to be distracted by day-to-day operations, tasks and challenges, causing them to forget or overlook the big picture. For a cybersecurity program to be successful, it must align with the organization’s objectives. It is imperative to ensure that there is a clear link between what is being done and how it contributes to one or more of the overarching objectives. Enterprise strategy (the compass in Captain Miller’s hands), governance framework (the squad’s accountability and roles and responsibilities) and risk appetite (demolishing the radar station) are among the most important factors that influence and shape how a program will look and how it will be perceived by the noncybersecurity task force. For them, the clearer the picture, the more likely they are to be engaged. The more engaged they are, the more security-aware staff the organization will have.

Collaboration and Communication Are Keys

In the film Apollo 13, whether on Earth, where Gene Kranz (Ed Harris) is managing a chaotic mission control, or in space, where Jim Lovell (Tom Hanks) is managing two other astronauts, collaboration and effective communication are keys to a successful outcome.3

Collaboration promotes a simple principle: inclusion is a better strategy than exclusion. In the film, the astronauts, mission control, the US National Aeronautics and Space Administration (NASA) engineers and the flight director demonstrated what collaboration and teamwork really mean and even under intense pressure were able to turn a potential disaster into a success story. It is beneficial to the organization to collaborate with different stakeholder groups, engineers, technology experts, business unit leaders and others to understand their perspectives. Creative ideas and innovative contributions or solutions can be obtained from unexpected sources.

Organizations should communicate in a way the audience can hear by selecting the right communication method, message, timing and frequency for each audience to increase the chance of successful understanding and acceptance of the message. Communicating the right message to non-security-focused employees can be a significant differentiator for a cybersecurity program because it can promote how professional and attractive a cyberworkplace is to potential employees. It is important to clearly communicate opportunities within multiple departments about career path planning, certifications and incentives.

Training Is the Next Best Thing

In the film Captain Phillips, knowing they are entering hostile waters with a history of piracy, Captain Phillips, portrayed by Tom Hanks, gives his team advanced training. On the second day of the trip, he conducts an unannounced drill to see how his crew would respond to a small boat approaching the ship. This drill test uncovers problems (gaps) in their process, and the discussion following the drill results in new and creative solutions.4

No matter how well trained and educated an organization’s workforce is, the lesson from Captain Phillips is to never stop preparing, training and improving as a team because situations will not always be the same and there will always be new challenges to face.

Many factors can trigger the need for continuous training, including technology advancements, new regulatory mandates, the changing threat landscape and market conditions.

Training may vary from technical security training courses to general security awareness programs, and the point is to tailor training to the needs of the stakeholders. When it comes to training, there is no one-size-fits-all solution, which is why it is imperative to consider different approaches including:

  • Classroom courses
  • Online self-study materials
  • Email tips
  • Gamification

Do not underestimate the power of training and certifications when it comes to job satisfaction and recruitment. People often look for improvement and growth opportunities, so it is helpful to leverage tailored training programs to promote that cybersecurity is a continuously evolving field that offers a challenging workplace environment.

Cultivating a Culture of Antifragility

In the film The Terminal, Victor Navorski, portrayed by Tom Hanks, suddenly finds himself without a country when his passport is invalidated. Despite all of the difficulties and a lack of full command of the English language, he demonstrates remarkable antifragility during his nine-month stay in the international transit lounge at John F. Kennedy Airport, New York, USA. He has the capacity to bounce back in the face of repeated difficulties and to improve after each setback.5

Antifragility as it relates to systems can be defined as being able to increase system capability and thrive as a result of stressors, shocks or failures.

Antifragility is beyond resilience or robustness. Resilient systems resist shocks and stay the same; antifragile systems improve.6

Cultivating such a culture involves:

  • Promoting a safe-to-fail culture where people see failure as an opportunity for improvement
  • Leveraging knowledge management systems to share lessons learned across the organization
  • Sponsoring innovation hackathons, ideathons and Capture the Flag (CTF) events

Celebrating Success

In the film Cast Away, Chuck Noland (played by Tom Hanks) cries, “Look what I’ve created. I have made fire!” after starting a fire on his remote island without a lighter or match. The look of victory in his eyes and his voice make an inspiring moment in the film. Those flames inspired a four-year survival journey.7

Establishing and running a cybersecurity program is a journey; typically, a long one. Throughout this journey, it is important to remember to celebrate accomplishments and achieved milestones. Celebrating success can:

  • Boost confidence across the organization
  • Motivate and inspire others
  • Help the workforce develop a success mindset

There are several tactics that can be used to share achievements with an organization’s entire workforce:

  • Case studies from other organizations can be used to show how the organization avoided setbacks experienced by others.
  • Talented staff, newly certified personnel and overachievers should be recognized and celebrated.
  • Progress, milestones, awards and recognitions should be communicated.

Conclusion

The cybersecurity workforce shortage is a global challenge, but leveraging ongoing cybersecurity programs, initiatives and efforts can strengthen an organization from within, attract internal non-security-focused talent and even get the entire workforce to act as frontline soldiers against security threats.

Endnotes

1 (ISC)², Strategies for Building and Growing Strong Cybersecurity Teams: (ISC)² Cybersecurity Workforce Study, USA, 6 November 2019, https://www.isc2.org/Research/Workforce-Study
2 Steven Spielberg, dir., Saving Private Ryan, Universal City, California, USA, Dreamworks Distribution, 1998
3 Ron Howard, dir., Apollo 13, Culver City, California, USA, Universal Pictures, 1995
4 Paul Greengrass, dir., Captain Phillips, Culver City, California, USA, Columbia Pictures, 2013
5 Steven Spielberg, dir., The Terminal, Universal City, California, USA, DreamWorks Distribution, 2004
6 Taleb, N. N.; Antifragile: Things That Gain From Disorder, Random House, USA, 2012
7 Robert Zemeckis, dir., Cast Away, Los Angeles, California, USA, Twentieth Century Fox, 2000

Abdelelah Alzaghloul, CISA, CRISC, CISM, CGEIT, ITIL 4 MP

Abdelelah Alzaghloul is an information technology advisor with 16 years of experience in IT governance, service delivery and IT transformation programs. He is experienced in the deployment of various IT governance frameworks and standards in the telecommunication sector. He is also a certified trainer in IT governance and service management fields.