Getting to "Yet": Growth Mindset for the C-Suite

Yeah, I’m on a kick. I get it. Yesterday, I wrote about using the Growth Mindset for teaching cybersecurity awareness. However, too many discussions assume that management doesn’t actually care about or understand cyber. The thing is, I think they do understand that it exists and is a business risk. They just feel that if they divest it to their IT departments, then they don’t have a responsibility.

And that’s where the Growth Mindset comes into our conversations with them.

What is the Growth Mindset

Although I went into a lot of detail earlier, the quick overview is this: the Growth Mindset focuses on “not yet” as opposed to “never will.”

In cybersecurity, this becomes even more important, especially when talking with the C-suite and trying to get them on board. As professionals, we’ve moved to “a data breach is no longer an if but a when.” In other words, we’ve come to the realization that a cyberattack is a foregone conclusion.

In other words, we’ve created a vocabulary of “can’t” when we need a vocabulary of “yet.”

Using Mindset Works for Conversations with Management

Mindset Works is a program teachers use to encourage their students to move from a Fixed Mindset of “I’m not smart enough to learn this” to a Growth Mindset of “I haven’t learned this yet.” Teachers focus on clear language communicating confidence in kids’ ability to learn and encouraging risk-taking.

But, you ask, aren’t businesses inherently risk-averse?

Why yes, yes they are. They’re risk-averse when it comes to losing money. Often, since they’ve decided they can’t control IT because they don’t understand it, their personal divestiture leads to them assuming that their cybersecurity program is simply another monetary loss in terms of salary, employee benefits, and tools needed.

But, if we take a lesson from the Growth Mindset language, you can reframe the discussion with a business leader to show that what they think is a “risky” expenditure can lead to a stronger cybersecurity posture.

Communicate the Learning Goal: Communicate the Benefit

The Growth Mindset Framing Tool starts by focusing on ways to communicate learning goals rather than learning outcomes. A learning goal focuses on growth while an outcome focuses on an assessment. However, at the end of the day, by focusing on growing a body of knowledge, kids will more likely achieve the desired assessment outcomes.

So let’s put this in terms of information security compliance. Functionally, your audits are the assessments, right? And you’re struggling to meet those assessment requirements because events occur in between audit periods that diminish your security stance. You’re trying to get your organization to adopt a security-first approach to compliance because that’s the best way to maintain data integrity, confidentiality, and accessibility while meeting the assessment needs.

Here’s what the Growth Mindset Framing Tool suggests teachers say:

  • New material is an opportunity for all of us to stretch our abilities.
  • Today, your brain will get stronger.
  • Today’s target for learning is (insert X objective). Tomorrow we will continue our work and take a deeper dive by working on (Y objective). (FYI: this is scaffolding)
  • This is very challenging material. You may not understand all of it right away, but I want you to give it a first try.
  • This is a very challenging task. I want you to try, even if you think you won’t get it right. I’m not looking for right answers; I’m looking for risk taking.

Why are these communications important? Because they discuss the ability to evolve. And as IT security professionals, we know that malicious actors continue to evolve their threat methodologies.

So, how do we use this language with the C-suite without them feeling like a bunch of third-graders? We communicate this in terms of business risk, not just learning risk.

Changing the narrative from “we need to do this or we’re a failure” to “let’s try this and if we need to evolve our strategy we can” brings management into the conversation more willingly. By explaining the benefits and suggesting that it’s not a sure-fire answer to data protection problems, management understands that there’s room to grow. They’re more likely to see the process from a continuous growth perspective than from a “one thing does it all” perspective. Thus, they won’t be as resistant when you need to evolve the strategy.

Communicating High Expectations: Communicating Compliance and Security Expectations

The second part of the Growth Mindset Framing Tool encourages teachers to set high expectations for their students. Basically, in a lot of ways, we’re teaching management how to secure their data environments. Just like teachers in the classroom, we’re the experts that they’re relying on.

Here’s what the Growth Mindset Framing Tool suggests teachers say:

  • This will be a challenging concept to learn, but all of us can reach the goal.
  • If you begin to get frustrated, be sure to communicate with me about your progress so I can provide support to you. I am confident you can learn this with the right support.
  • This may be difficult right now, but as you learn more, it will become easier.
  • Here is my challenge for you. I know you can meet it. I want you to challenge yourself.

As with communicating the learning goals, we need to realign the expectation language to the professional environment.

  • Continuous controls monitoring is challenging for all businesses, but if we try (insert suggestion) we can work to reach that goal.
  • If you’re having a hard time making a decision, be sure to communicate with me about your progress so I can provide support to you. I know that we can figure out how to make the best decision with the right communication.
  • I know that the (insert cybersecurity standard or regulation here) is hard to comply with right now. But, as we shore up our security controls more, we’ll get fewer audit suggestions.
  • We need to meet this (insert audit requirement here) challenge. I know the organization can meet it, but we need to challenge ourselves by continuously monitoring our data environment.

Fostering Cybersecurity Strength by Fostering Growth

Here’s the thing. Just like scaring students with an F doesn’t always work (yeah, well, teach college first years for 11 years and then come back to me), scaring management with financial losses isn’t working. Kids get that an F is going to lead to academic probation. Management gets that a breach will cause business interruption or financial instability.

The problem in both scenarios (unless the kid really just doesn’t care, which happens) is that they both live in the moment. Businesses live in the moment of their financial situation. College kids live in the moment of wanting to party while they’re young. Just like the college student who’s never experienced an F before gets it but hasn’t lived with the repercussions, a business that hasn’t been breached gets it but hasn’t lived with it before.

Moreover, just like the students who think they’ll “never be able to write because I’m just good at math and a terrible writer,” some executives think, “I’m never going to be able to secure my data because I’ll never be able to keep up with the malicious actors.”

Fostering a Growth Mindset in discussions with management allows them to recognize that cybersecurity is a continuously evolving process. They may be safe today but not tomorrow. They need to focus on “yet” rather than “can’t.” They may not have the resources (like some kids may not have the skills) now, but they can get them.