March 4, 2020 By Jasmine Henry 4 min read

Practice doesn’t necessarily make perfect, but it can lead to improvement. Quality practice is key in matters of human security, and the right quantity of practice can also make a significant difference when it comes to shifting mindsets and behavior.

“Scientists believe that expert-level performance is primarily the result of expert-level practice,” said Wendi Whitmore, IBM Security VP of X-Force Intelligence, Incident Response & Cyber Command. “This concept is called deliberate practice.”

Deliberate practice has a few defining characteristics, according to Whitmore: It must be intentional, it must be targeted to the individual’s skill level, and it must be followed up with immediate feedback.

A science-backed approach to practice can change behavior. It can create more skillful leadership. Organizations that practice deliberately can change individuals, teams and culture for the better. Still, this approach is surprisingly uncommon in the cybersecurity industry. There are a few exceptions, such as the X-Force Command Cyber Tactical Ops Center and simulations in the cyber range.

Human security is what matters during a cybersecurity crisis, where skills and muscle memory can make the difference in make-or-break moments. Leaders and culture are the most important predictors of cyberattack outcomes, so it’s time to stop under-investing in human security.

Great leadership and security culture don’t happen by accident. However, deliberate practice is exactly what Whitmore does best. In her nearly two-decade career in the Air Force Special Forces and industry, she’s run 3,000 simulations and built leading global incident-response teams.

Roland Cloutier, SVP and chief security officer (CSO) at ADP, is another leader who’s focused on human security. Delivering 40 million individuals’ paychecks requires a globally embedded culture of security. A recent conversation between Whitmore and Cloutier looked at ADP’s approach to building security leadership and culture.

5 Tools to Create a Security Culture Shift

“Our focus here at ADP is to make security a component of what everyone does in their jobs,” said Cloutier. He’s seen a “massive transformation” during his decade as ADP’s CSO.

Part of ADP’s transformation is the result of executive buy-in, as the business climate there supports a security culture. However, Cloutier’s revolution is also the result of five universally valuable tools:

  1. Accountability — What’s most important, according to Cloutier, is making sure security is everyone’s business. “We hold our own people and associates accountable,” said Cloutier. There’s a defined framework for accountability at ADP, which includes a structured process for disciplining inadvertent insiders. In some cases, individuals are required to complete reeducation on security and privacy.
  2. Transparency — ADP’s security practice has a transparent approach to awareness initiatives. This approach emphasizes the importance of employees learning the specific, downstream effects of unsecure behaviors.
  3. Relevance — Security is relevant to every member of ADP’s organization, and this is reflected in education programs. Learners grow to understand how cybersecurity makes a real impact on people’s lives.
  4. Pervasive Responsibility — Security is “pervasive across our business,” according to Cloutier. It spans “from our clients to our back office.” Tens of thousands of global ADP associates know security is everyone’s job.
  5. DevSecOps — A transition to secure DevOps, or DevSecOps, has been another huge driver for ADP. Cloutier encourages chief information security officers (CISOs) to think about building security into the entire product life cycle.

New Ideas for Global Security Engagement

“One of our primary concepts is inclusive ideation from our people,” said Cloutier. “We have a new generation of cyber warriors and risk analysts and business people coming up.” ADP views tomorrow’s leaders as a source of security solutions.

The idea of inclusive ideation also extends outside ADP’s walls. “Our sales force asks how we can protect the client better and what clients want,” said Cloutier.

Executive Engagement

Executive committee engagement is another part of ADP’s global security framework. “There’s not just executive oversight,” said Cloutier. “There’s engagement. There are questions, and there are challenges to how we’re approaching security from the executive committee.”

Employee Participation

ADP employees have the opportunity to participate and explore security tasks and, ultimately, careers. Associates can join the Safe Pre-Pro Program, which is a global initiative for security awareness. Over 10 percent of ADP’s global associates have opted into the program. Program members are assigned active security task loads and responsibilities they perform locally, in their current roles.

Staff Immersion

Deliberate practice is another focal point. Internal security champions learn hands-on security skills in the X-Force Cyber Ops Command Center. Sometimes, employees learn side-by-side with ADP’s attorneys, executives and external stakeholders.

“When we train as a culture, we train as a global team. We operate that way in crisis,” said Cloutier.

Workforce Communication

ADP’s security practice has adopted some uncommon, effective approaches to communication. For example, their education efforts include blogs and podcasts that talk about security in a way that resonates with their workforce and clients.

Investing in Tomorrow’s Cybersecurity Talent

In a tight talent climate, Cloutier has had to consider new approaches to hiring and skills.

“We look outside of ADP all the way back into the eighth grade with programs like the Women’s Society of Cyberjutsu,” said Cloutier. “We look at post-grad programs … and how we can help [students] graduate as new leaders in security.”

A 10-year talent pipeline is a rare level of human security investment. Still, it’s the kind of intervention that benefits everyone. Working with eighth graders creates a stronger, more diverse security leadership pipeline for tomorrow.

ADP’s talent-sourcing efforts also extend to individuals with nontraditional technology backgrounds, like global military talent and emerging specializations. “We look at unique areas … to quickly assimilate [new hires] into our environment and make them productive members of our programs,” said Cloutier.

Embedding Human Security in Culture

Cloutier has what Whitmore calls a “relentless focus on improvement.” He’s created a security revolution in the past decade at ADP. The organization’s shift is no accident. Instead, it’s the result of a continued investment in human security.

Security is embedded in ADP’s culture. It’s who they are in front of customers, and it’s who they are behind closed doors. Cybersecurity is part of ADP’s entire product life cycle. “We don’t just talk about security issues or vulnerabilities,” said Cloutier. “We talk about the total quality of product and security measures.”

Human security is among the most important investments an organization can make. As Whitmore put it: “Every investment helps our people and our organizations to dramatically improve the odds in a cybersecurity event.” Deliberate practice leads to expert behavior during incident response, and shifting people’s hearts and minds starts with meaningful experience and education.

Learn more about driving security into the fabric of your business

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today