By Loren Dealy Mahler, President, Dealy Mahler Strategies
July 13, 2020

When we measure individual success in the cybersecurity industry, we most often look towards metrics that can best be described as “on paper” achievements. We evaluate whether someone has the requisite security certificates, a sufficiently lengthy resume to prove years of practice and time spent developing specific technical expertise, and a number of tours with companies whose names and reputations are familiar across the industry. If someone can achieve a relatively high score across these quantifiable areas, they are by and large considered successful. Bonus points are given for those who have a track record of publications, speaking appearances and industry awards.

But how many of us can name someone who checks all the right boxes, but whose actual, real-life presence is anything but successful? We can all think of a colleague – current or former – who showed up with great fanfare, but rather than raising the quality of the team with his/her personal qualifications, just floated along with no real contribution. Or worse yet, actually dragged the team down. By any objective measure of success, that person would fall short, and yet the industry continues to elevate their voice with speaking invitations, promotions, and accolades.

So, where is the disconnect and how do we fix it? How do we start measuring individual success in such a way that accounts for key attributes and qualities that truly make someone successful in this field?

I posit that we can better measure individual success by borrowing from an evaluation framework designed for the collective. Simply put, we should evaluate individual success using many of the same metrics that we use to evaluate team success.

When we look at whether a security team is successful, we look at a set of characteristics that are much more intangible. Rather than taking the cumulative total of “on paper” achievements, we evaluate qualities that are harder to quantify. In addition to specific metrics, such as outcomes and deliverables, we look at qualities like communication, collaboration and flexibility. Incorporating each of these into individual measurements of success would give us a more accurate means of determining who in our industry is truly worthy of rising to the top.

Communication

Too often communication is considered a “soft” skill and overlooked when we gauge individual success. But for a team, it can make or break your ability to successfully secure your organization. Beyond regular information sharing among team members, there has to be effective information sharing from top to bottom within and across the organization. The type and depth of information will vary, but from basic security training for all employees, to specific threat briefings for the C-Suite and budget briefings for the Board, communication will determine your team’s success. An individual who is able to effectively communicate on a variety of issues across a variety of audiences is going to be much more successful throughout her career than someone who can’t bridge the gap between technical and non-technical audiences.

Collaboration

No single person can defend an entire organization, no matter how many certificates they’ve earned. Achieving success takes a collaborative team effort – the very same, basic skills of working together that were learned back in kindergarten and refined through every group project ever assigned. A successful team is one that works together, cooperates, shares information, builds off each other’s ideas, allows failure, supports each other in the office — or the virtual office — and acknowledges that we all have a life outside of work. As cybersecurity is a team sport, not a blood sport, we must acknowledge the good work of truly collaborative individuals who create teams that are more cohesive and successful.

Flexibility

When plans change, whether from a new, fast-moving business opportunity, or a crisis situation, successful teams adjust to handle the new circumstances. However, if everyone is locked into their specific lane or area of expertise, it can be hard to capture new opportunities, and the business can lose out. Additionally, successfully responding to an incident – whether an actual crisis or not – requires teams to flex across multiple functions. Without having that flexibility ingrained into the team’s mindset and structure, this task becomes unnecessarily difficult, often to the detriment of the overall organization. No organization has been able to create a flexible team out of inflexible team members. Flexibility radiates from the core, from the individual to the team to the entire organization.

Given these differing evaluation frameworks, perhaps the future we should be talking about is one where individual success is measured in a more comprehensive way – one where “on paper” qualifications are only part of the equation, and more intangible characteristics such as communication, collaboration and flexibility are also taken into account. Adopting a more hybrid model would not only adjust the types of individuals who rise to the top of our field, but it would make it easier to stack our teams for long-term success.


Loren Dealy Mahler is the President of Dealy Mahler Strategies, LLC, a strategic communications firm that advises clients on cybersecurity and defense-related issues, with a focus on increasing impact and effectively managing risk…