As a former CISO who talks to a lot of company officials, board members, and other cybersecurity leaders, I'll let you in on what keeps them up at night. Actually, that's one of the phrases that drives me the most insane. Here is what they are really concerned about.

It's not what you'd think or what we say when asked for an official response — not Pirate Panda, Mummy Spider or any other funny advanced persistent threat names; or even any of the more mundane issues like patching or access control that keep us from making real progress in protecting our companies.

It's people. It's the team members that we trust and depend on to actually do the front-line work of protecting the enterprise. Sometimes they are identifying risks, installing or patching systems, responding to an incident or, often, many of the above at once. Even in small firms people who deploy apps do not handle incidents.

Like any C-suite executive, CISOs worry about attracting and retaining talent, preparing the workforce for the challenges facing the business, and creating a culture that embraces diversity to drive innovation. Those three things matter more than anything else.

When you look at it a bit closer though, that's where things start to really come into focus and raise the insomnia-inducing questions:

I see a lot of companies that invest in technology, AI this or ML that, but they lack the fundamental foundation of a solid team. They haven't invested in their people. They failed to earn and build trust. I believe that one of the best ways to build trust is to walk a mile in someone else's shoes, to experience their day-by-day and to be trained on how to help them.

I often think of things in a really basic sense of input and output. Training, and especially cross-training, is insanely powerful when team members are able to experience, train and work together with team members where they are either an upstream supplier or a downstream consumer. For example, on one of my SOC teams, I built and trained my SOC analysts to deliver exactly what the network and endpoint control owners need for each incident containment playbook. The dividend was a 40% reduction in MTR (mean-time to respond).

Not only are you creating a more robust and balanced team, you're creating a team that is able to anticipate what the other person may need. You're expanding their field of expertise and helping to foster relationships so they can help each other. 

By investing in training, and specifically cross training, you are infusing the DNA of your organization with one of the most powerful force-multipliers out there. 

Organizations will continue to shift and adjust to emerging technologies and market demands. One of the best things we as leaders can do is to continually train our staff so that when it's necessary to shift they are ready.

Here are five steps for enterprises to take:

Yes, technology is great. Without the people, though, it misses the mark. Without a well balanced and trained team, it usually fails to reach its potential and sometimes fails completely. 

I once took over a team that had never received management support for professional training. Soon after I was on board, we made a major pivot in our technology stack. The team was unable to support the new technology because they were  decades behind in security thinking. It wasn't an age thing; it was a readiness thing. It was a training thing. We had to make some hard choices and people left the company because management failed them. That was one of the most profound realizations for me. 

By investing in people, at the right time, with the right training, I could help ready them for a future where I wasn't able to protect them as their leader. It's why I'm so passionate about it now.

Related Content:

Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for detail on conference information and to register.