
BSidesSF 2023 - The Big “P” Problem in Cybersecurity (Stacey Champagne)

BSidesSF · 2023 · 24:54 · 209 views · Published 2023-05
Category: Career
Style: Talk
About this talk
The Big “P” Problem in Cybersecurity
Stacey Champagne

More and more cybersecurity practitioners are considering powering down their careers and leaving the field. Stacey will share her observations of what has caused people to reach this breaking point, and propose a solution of where to go from here.

https://bsidessf2023.sched.com/event/1Lfw9/the-big-p-problem-in-cybersecurity

All right, good afternoon everybody, thank you for joining me for my talk. My name is Stacey Champagne and I am the founder and CEO of Hacker in Heels. It's my goal to revolutionize the cyber security industry by helping more women launch, grow and land positions of power and influence across the field. Today I speak from my own experience as a senior manager of global insider threat investigations at one of the big three data insight companies, um, you know, having done, and I'm still currently working in cyber security for almost eight years now. But of course what I share today does not represent my employers. If you go on LinkedIn and go figure out immediately what, who I, you

know, who I work for, I'm not representing them today. I'm only here to represent myself and Hacker in Heels, and also, um, you know, here thanks to the fantastic organization Secure Diversity, who provided me with this opportunity, so big thanks to them and all that they're doing for promoting gender equity in cyber security. So I think I have a pretty good idea as to why you all are joining me today, because you know and I know that we have a big problem. It is a 10.5 trillion dollar problem, which is the total estimated cost of cyber crime by the year 2025. It's also a 3.4 million people problem, which is the amount of people needed to

fill open cyber security roles worldwide. But, you know, this, this isn't another talk about the cyber security talent shortage. Uh, you know, sometimes honestly it sounds like, you know, the points don't matter, everything's made up. Um, you know, that's a debate for another time as to how many roles are actually out there and whatnot, but, um, you know, today we're actually, we're going to talk about this guy. Or maybe it's this guy we're gonna talk about. Wait, actually it's definitely this guy we're gonna talk about, this guy. No wait, I'm getting a little ahead of myself, so let me just go back a bit. We have a big problem. We have a problem that is affecting

almost half of everybody at this event. When you do the math, it's actually a problem that's affecting over 2.1 million cyber security professionals worldwide. It's affecting people like this person, and this person, and this person. Can I let you in on a little secret? Actually, let's do this: in a minute everyone's gonna close their eyes, if they feel comfortable to do so, and on the count of three I want you to raise your hand. I want you to raise your hand if you've ever thought to yourself, what the heck am I doing here? And I don't mean like here right now at BSides San Francisco, I just mean like in cyber security, in your job, you know, where you can do

all your work perfectly and you'll still end up breached or paying a ransom, where even if you're not on call, um, you know, you basically always are, and where you're continually expected to do more and be perfect with sub-optimal staff and tools. All right, so everybody close your eyes. Ready? Close your eyes, keep them closed. I want you to raise your hand in three, two, one. All right, now if you're raising your hand I want you to keep it up, so keep your hands up, and then I want everybody to open their eyes and look around the room. So those of you who are raising your hands, thank you for your honesty. I hope you recognize that you're not

alone. These feelings and these doubts you might have are not unique to you. And for those who didn't raise their hand, you know, if it's not you that's potentially eyeing the exit, odds are you probably know someone who has quit cyber security altogether due to the burnout. And I'm gonna say it is all because of this guy. No, these guys. Peters. Peters. Okay, so some of you all maybe have picked up with where I'm going with this, and look, it's not all Peters' fault. There's certainly more nuance that we're gonna get to, but you gotta admit, when you start to string things together, there's a compelling case that Peters do play a role. The big problem, the big P problem in

cyber security is a little something called the Peter Principle. All right, so in 1968 we have a guy, his name is Laurence J. Peter. He published this book called The Peter Principle, which set out to answer the question: why is incompetence so maddeningly rampant and so vexingly triumphant? And the, the book goes on to try to explain how incompetence and its accompanying symptoms, syndromes and remedies define the world and the work that we do within it. In this principle, which Dr. Peter alleges is based off of, quote, hundreds of cases of occupational incompetence, found that in a hierarchy every employee tends to rise to his level of incompetence, given enough time and enough levels in the

hierarchy. Basically, you know, an employee does well and they get promoted, they do the next level job well, they get promoted again, and then the next job, same thing. They keep going up and up until they're no longer at a level performing where they're deserving of a promotion, and let's be honest, they end up reaching a point where they just, they suck at the job they're in. And now I'm positive there's at least one of you in here that is thinking to yourself, I know that person, I know that person, that, you might even work for that person, and you are feeling a rush of relief because there is finally something to explain why your manager is driving you

crazy. But I gotta say, when the Peter Principle was first introduced it was never actually empirically tested with data, so it's kind of made up, at least, you know, much, much, much later, like 50 years later. We finally, in 2018, we had Harvard Business Review, Forbes are both posting about a, a study of, you know, over 50,000 sales people and their managers across, like, you know, over 200 firms. And, and they did this study and they, they focused on sales because, um, you know, it's an ideal setting for testing the Peter Principle, because it's so easy to identify, you know, who are the high performing sales people and who are the managers. And for the sales people

you've got their sales records; for the managers you can measure their managerial ability by how much they help, you know, improve the performance of their direct reports, so how much, you know, are their people selling. And so this study sought to answer the question: do organizations really just pass over the best potential managers by promoting the best individual contributors? Now, between you and me, do we really need a study to kind of tell us what we all kind of already know? Do we? Like, let's just be honest. Um, I mean, really, what do you think? Uh, raise your hand if you think organizations pass over the best potential managers by promoting the best individual contributors. Who thinks that?

Exactly. So I'm happy to give all of you who did raise their hands the validation that, at least according to the study, they do. The study found that, first off, sales performance is highly correlated with promotion and management. So, you know, each higher sales rank, as you go up and up, you're, you know, doing more and more, you're rising more and more as an IC, you, you get about 15 percent higher probability that you're going to then be promoted into a sales management role. Now the problem with this is, when these high performing individual contributors were promoted into these positions of management, the performance of the teams that they reported to declined seven and a half percent. So, you know, to kind of

play this out in some terminology that we're all familiar with, let's say you were like an IC level 2 and then you were promoted to a manager role, and, you know, the team that you were once part of, perhaps that, that team now reports to you, and they're going to take a performance hit. And that, that performance hit is even more if you were, you know, let's say an IC level four. If you were an even higher, uh, performing individual contributor and you were promoted to manager, bigger decline in your team's performance. And this study said that it didn't matter if these people were promoted, like, within their own team, so like, you know, someone, you know,

um, you know, if the previous manager left and, um, you know, one of the high performing ICs took over, um, or if they were asked to manage an entirely different team, uh, that they never worked at, you know, part of as an IC before. And so these researchers concluded that, you know, consistent with the Peter Principle, we find that promotion decisions place more weight on current performance than would be justified if firms only tried to promote the best potential managers. The most productive worker is not always the best candidate to be a manager, yet firms are significantly more likely to promote top frontline sales workers into managerial positions. As a result, the performance of the new manager's

subordinates declines relatively more after the managerial position is filled by someone who is a strong salesperson prior to promotion. The professors go on to state that these findings underscore the possibility that promoting based off of lower level job skills rather than managerial skills can be extremely costly. And this makes sense, because now you have a person who has built fantastic relationships with clients, they're no longer the face of those accounts, and instead they're directing others on a team. You know, they're trying to tell them how they did what they did, and they're having a hard time using management and leadership skills that they never previously had to demonstrate in their individual contributor roles. So Indeed's career guide has a list of

these key skills for an individual contributor versus a manager, and you'll see that the individual contributor roles list things like decision making, technical knowledge, active listening, team orientation, whereas the manager role lists project management, strategic thinking, conflict resolution, motivation. These are different skills. We know that an employee's relationship with their manager has a huge influence on workplace experiences. Take for example Women in CyberSecurity's 2023 State of Inclusion of Women in Cybersecurity report, which found that leadership and direct managers are the top two sources of experience of exclusion. That is, people, not policies, are the most common sources of experience of exclusion in the workplace. And then what's a conversation without, you know, about the state of the

workplace without bringing up quiet quitting? So another study found, uh, you know, included almost 3,000 managers rated by over 13,000 direct reports, and found that the least effective managers have three to four times as many people who fall in that, quote, quiet quitting category compared with the most effective leaders. So 14 percent of their direct reports were considered quietly quitting and only 20 percent were willing to give extra effort. But now you take the converse of that and you've got, you know, you take the managers who were the best at balancing results with relationships, they saw that 62 percent of their direct reports were willing to go and give that extra effort, where that, and only three percent of them were

considered quiet quitting. So Zenger and Folkman, who were the authors of this article in which this study is cited in, found that, quote, many people at some point in their career have worked for a manager that moved them towards quiet quitting. This comes from feeling undervalued and unappreciated. It's possible that the managers were biased or that they engaged in behavior that was inappropriate. Employees' lack of motivation was therefore a reaction to the actions of their manager. And most mid-level career employees have also worked for a leader for whom they've had actually a strong desire to do everything possible to accomplish goals and objectives. Occasionally working late or starting early was not resented

for this key point: the manager inspired them. Now, I'd ask how many people in here feel that their manager is an inspiration to them, but that might put anyone who's here and attending the conference with potentially their manager of their cyber security team in a slightly awkward spot, so I'm not gonna do that. And honestly, like, this isn't meant to be a talk of like 20 minutes of roasting cyber security managers. In fact, I have a lot of empathy for Peters of the world. You know, they're trying to get ahead, make a living just like all of us, put roofs over their head, food on the table. It's an increasingly expensive world. Um, so I'm not going to, you know, blame

Peters out there for taking the opportunity, and instead I really want to focus on the systems and beliefs that enabled Peter to get there in the first place. So, you know, I don't have any concrete stats, but I just know from my experience, you know, when I landed in my first management role, I, I didn't have any management training. Now, I'm super, you know, um, vigilant and going out there and getting books and training and paying my own money and time and whatnot to build up my leadership skills, but not everybody has that intrinsic motivation or mindset or self-awareness to continue that learning and development. Not everybody can see their own opportunities for growth, adequately

solicit and apply feedback for their own performance, and honestly, like, most people are afraid of speaking to one another with radical candor. So, yo, if you haven't heard the saying, uh, Kim Scott, Apple and Google executive, which she sums it up basically as like saying what you think while also giving a damn about the person you're saying it to. And research from Gallup finds that only about one in ten people possess the talent to manage, and yet we act like this is something that everyone can and should do. And so we end up with managers who are bad, who don't know they're bad, and then we have people who won't tell them that they're bad, and then even

worse, the manager, you know, has been at the company for a while, and if there's an opening at the next level they might even just get promoted because no one knows what to do with them, right? So companies don't know how to hold managers accountable for their performance as a manager, and understandably so, right, when so many companies just don't even know how to manage and measure performance in general. And quite frankly, even if they did figure it out, I, I don't know if they would actually care, because let's be honest, if, if they actually cared, if the people in power actually cared, we would want to have more women in positions of leadership and power, because companies

with women leaders outperform companies dominated by men, and two, we'd have the ability to choose where we would like to work, as opposed to being forced back into offices five days a week, or, you know, any number of days higher than zero, because, you know, there's more than enough studies that show the benefits of remote work for day-to-day operations in a variety of roles, including many in cyber security. So, you know, we know that managers play a critical role in the workplace. We have plenty of studies and stats, but just like the companies don't want to invest in entry-level junior cyber security talent, neither do they want to invest in the talent that they already have.

So instead we're just going to keep repeating the mistakes of the past: stack ranking, trying to force a healthy culture by cutting the bottom 10 performers. Um, you know, it just, it's just going to keep going on. And, you know, you think that meritocracy might be able to save some of this, but if you believe in meritocracy, you know, I have a bridge to sell you. But, you know, instead of hanging on the bridge, please just go read a book. So this approach to performance management just perpetuates the need to climb up the ladder to avoid the alligators, into higher roles and inevitably management, that just doesn't make sense for 9 out of 10 people.

Now, you know, this, this zero-sum, winner-takes-all, masculine, capitalistic approach at the end of the day just doesn't serve the vast majority of society, and so we need a new approach. For me, I would argue that it's a feminist approach, which, I like Canada's description, which you can read here, values diversity, inclusion for achieving transformative change, sustainable development, um, response to lived experiences and so forth. And so when we're, when we're not focused on forcing everyone into a single track of success, but instead finding ways for people to be successful where they are and where they want to be, based off of their own unique skills, values and circumstances, our companies and societies will be better for it.

Now, I don't have time to really get into it today, but I can tell you that there are four distinct profiles of people's relationships to their careers, and they're firestarters, collaborators, drivers and side hustlers. These are passion profiles. They were created by, um, Rachel East and Kristen Walker. They're from Clarity on Fire, they're coaches with decades of experience, and they really focus on people's relationship in accordance with time, money and passion. I really recommend checking them out and learning more about these. Um, but basically, you know, at the end of the day we can't keep managing people like they're all the same, that they all want the same things, that they do what they want to do for, for, you know, the same

reasons. Capitalism expects everyone to aspire to a corner office, but we're just seeing in real time that that's not sustainable. So, you know, it brings me back to Peter. Peter's not having a good time, but like, at the end of the day Peter has a team, and so how could we help out Poland Peter's team? Peter has a collection of people who have ideas and experiences and how to accomplish the very things that they're being asked to deliver, people who, with the rare exception, generally want to do good work. They are ready, they're waiting and they're willing to be called in, and they're actually dying to be called in, because they don't want Peter to say yes

to another senseless project or drive the team in the wrong direction for miles and miles because they won't stop and ask for direction. The people on Peter's team, they're the equivalent of, like, I don't know, the exasperated passenger in the movies during a family road trip. And so just getting to the point of it here: to fix the Peter Principle in cyber security, three things. Recognize that not everybody wants to or should be a manager, provide managers at all levels with greater support and accountability, and compassionately realign managers who don't meet expectations. I'd love to talk more about this with you on the side, so feel free to hit me up, and thank you so much for listening.

[Applause] Amazing, thank you Stacey. Do we have any questions? In the back.

So this is sort of the flip side of not every good IC should be a manager, because I agree. Um, what are things that you think should be considered, both on, should someone, like, when reflecting on their own path, like, should I go into management, and also how should they identify other people and be like, hey, maybe you should go into management because you'd be good at it?

Yeah, that's a great question. You know, it, it really all starts with, because, because management inevitably involves leadership of people, usually, at most places, right, you gotta have people reporting to you or whatnot. If you're, if you are someone who, um, you know, are, have, have room to grow in

regards to developing empathy and trying to put yourself in other people's shoes and stuff like that, like, maybe people management, maybe management isn't the right position for you, right? Um, you know, if you're someone who arguably, like, has a lot going on in their life, and, you know, work is part of your life and work is paying the bills, but it's not your whole life, and it's, you know, and you have other things and other commitments and things that you're worried about, you also, when you step into a manager role, you have the lives of several other people in your hands. Like, let's just be honest about it. Like, a big, the whole reason why we all do

what we do is to get a paycheck, to be able to put a roof over our heads and stuff like that. And so just as much as you need to be on with your career and making sure that, you know, you're taking care of yourself, you're also going to have a certain responsibility to these people who report to you, and if that's not something that, you know, sounds exciting or fulfilling for you, then don't do it, right? But like, the problem is we've set up, uh, you know, our organizations and whatnot, and expectations, society, and the way that we look at other people and how we talk about other people, is that, like, if you

can't manage people then you're a failure, right? Like, if you step into that role and you realize it's not for you, like, you're a failure, or you're doing something wrong, or you're not performing as you should be, when the reality is, it's like, it has nothing to do with your performance, it has everything to do with the misalignment of your values and, you know, what's important to you, and, and where your strengths are and stuff like that. So, you know, if someone who shows deep care for other people, like, that's a pretty good indicator of potentially, um, you know, being, being a good candidate for management, um, you know, especially if someone is good at organizing and leading and being

strategic and being able to, um, you know, capitalize on people's strengths and whatnot, like, all great skills. Um, you know, the problem comes into play when you just, if you're someone who just would rather, like, you don't know how to explain things, you'd rather just jump in yourself and do it yourself and solve it yourself and not talk to anybody or anything, like, might not, management might not be right for you. But again, like, that's okay, and we need to do more as a workplace culture to make it okay to not be a manager and still reach different levels of success, and define and have more than one definition of what success is.

All right, awesome, thank you very much. Another round of applause, please. Thank you. [Applause]