"Stories constitute the single most powerful weapon in a leader's arsenal." - Dr. Howard Gardner 

According to ADP's Security Ambassador, Jacob Luna, stories hold a similar place in the arsenal of cyber risk leaders. Each person's or company's story is punctuated with plot twists and journeys, and happy endings often depend on how we handle cyber incidents.

Everyone has an opportunity to engineer the arc of their professional journey and the supporting characters they encounter along the way. Jacob frames his perspective through these lenses and, in the process, touches on the uniquely human elements of cybersecurity.


The Mentor: Every Hero's Helping Character 

It's hard to imagine where Luke would be without Yoda or Daniel-son without Mr. Miyagi. Mentors perfect both people and professionals, especially in cybersecurity. Jacob was the beneficiary of strong mentorship early in his career. He was heading to flight school to become a commercial pilot, on a different professional runway, when a tech professional adjusted his yaw.

"One day, he brought over a magazine, Microsoft Certified Professional," Jacob begins. "This was in the heyday of certifications when a Microsoft Certified Systems Engineer (MCSE) could net you a lease on a BMW 3-series. At that time, my family wasn't a family of means. We were working class. And this introduced me to an avenue I could pursue to support myself." 

The Mentor's Responsibility: Continual Learning 

As a mentee transitions to being a mentor, continual learning is the key to being effective in the role. "You have to be able to update yourself. Be ready to learn something new every year," Jacob said. 

Embracing this mindset is core to the success of a cyber professional's story arc. "Something that I love about the IT industry is that it's very accommodating to the growth mindset," he said. "(Learning) is mandatory, and that's highly embraced in many educational institutions producing the leaders of tomorrow."

Cyber Risk Professionals Craft Stories for and with Others 

Cybersecurity risk experts are in a powerful position to be the helping characters for others along their journeys. But doing this well may require a shift in thinking. "Let's make sure that we're putting people in the middle of the systems that we're building—to create and get better at what we're doing—and to improve upon these processes," Jacob said.

Build Your Box 

Jacob underscores the importance of building your box regardless of your role in an organization. A "box" consists of people who can serve as coaches and advise you along the way. His box consists of a CISO coach, a communications coach, and a connections coach. 

Each coach serves as a tool for building the next phase of your story. "I'm constantly probing," Jacob said. "How can I elevate? How can I grow my curiosity and capability to flex my intuition muscle?" 

This constant probing results in tangible improvements for risk managers and cyber warriors. "I'm constantly chasing—to elevate," Jacob noted.

Constantly Develop Yourself into a Better Helping Character 

In cybersecurity plot lines, victorious moments are often short-lived, mainly because the next threat may be only hours away. But by embracing the responsibility to develop constantly, risk professionals put themselves in a position to foster strings of happy endings. Jacob explains the need to improve: "I think that's very important in what we do as cybersecurity professionals – the threat landscape changes daily because the risk is changing as technology is compounding upon itself. The adversary has the assets they need to do more with less."

Growth is a cyber risk agent's ideal proactive response to evolving threats. 

"I'm very aware of things that I want to grow in myself and how I can better protect the people I care about," Jacob said. "I'm looking back constantly, trying to empathize with those I'm either mentoring or those that have sought me out for anything—even if it's just a quick question."

Your personal development story requires flexibility as well. "Anytime someone is asking me things, in-band or out-of-band, I must help them," he said. 

A natural extension of this professional stewardship, Jacob explains, is a sense of shared responsibility. "This is a community of professionals where we're not throwing mud at one another. We're not trying to one-up one another. We're all just trying to do right by the people we protect." 

Understand the Characters in Your Cyber Risk Story 

Cyber risk management comes down to knowing the characters you're dealing with and the roles you need them to play for the best possible outcome. Jacob explains that this comes down to "simply being able to inventory—to understand who you are directly doing business with. This is where third-party, fourth-party, fifth-party risk comes into play." 

The Cyber Risk Professional's Foil: Misinformation 

Whether from a well-meaning place or not, misinformation can result in an ugly chapter in a company's cyber journey. Jacob describes this as an "existential crisis," adding: "The crisis I see in third-party risk with misinformation is the outsider's perspective of organizational security posture." He then identifies the culprit: "What you'll find that's happening is uncredentialed assessments." 

These result in a cyclical problem. "Once those uncredentialed assessments are produced, you have organizations that may not have a mature third-party risk solution, and they become increasingly dependent on groups building uncredentialed assessments," Jacob said. "These assessments become problematic because they're not the full story." 

The Hero of the Day: Credentialed, Fact-Based Risk Assessments 

Facts are foundational—especially when you're fighting cyber threats. A third-party Risk Exchange can serve as a dependable source of truth. Jacob says, "CyberGRX is bringing factual information to the third-party risk industry. And that is something people make livelihood decisions on—third-party risk—and it's not something I take lightly." 

