Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly made a strong pitch on Feb. 17 for the agency’s push to create an underlying culture of organizational success that she said is critical to creating optimal performance at the nation’s cyber defense agency.
Speaking at the Munich Cyber Security Conference, Easterly reviewed the recent work of agency leadership toward that goal, and recounted her own lessons learned from running intelligence programs for the U.S. Army during the Iraq War in 2007, and later helping to set up U.S. Cyber Command.
Key attributes in the first effort, she said, included “an environment of experimentation and entrepreneurialism and teamwork and creativity,” along with leeway from leadership “to fail fast and take risks.” The latter effort, Easterly recounted, was one based on “trust, teamwork, collaboration, imagination, [and] creativity, ultimately leading to the successful stand up of United States Cyber Command.”
The common thread in those experiences, she said, “is not about operational success, it’s about the environment that allows that success to be possible – in a word, culture.”
“As the saying goes, culture eats strategy for breakfast,” Easterly said, borrowing a phrase from management guru Peter Drucker.
“And in my view, it’s the key to success in the field of cybersecurity, because ultimately cybersecurity is not about technology,” Easterly said. Rather, “It’s about people, and unlocking the power and potential of people [and] situating them in great organizational culture.”
Ongoing Efforts at CISA
At CISA, she said, one very big question is how to grow a diverse cybersecurity workforce and incentivize the current workforce – which may include “some exhausted, and some burnt out” – to stay in the field.
“The answer is that we as leaders have to create organizational cultures where people love what they do, respect their colleagues, are empowered by their leaders, and feel like they’re making a difference every day,” she said.
“Among the organizational imperatives of this job, I’ve spent a significant amount of the last seven months directly engaged with my workforce to co-create a culture of core values and core principles that define what we expect from each other, and what we aspire to be,” she said.
“The themes include trust, teamwork, collaboration, imagination, inclusion, innovation, empowerment, resilience, and a fundamental recognition that no asset is more important to an organization than our people,” Easterly said. “It doesn’t matter where in the world that organization is, it’s a universal truth.”
In practice, Easterly said, that means instituting “a culture that recognizes the importance of creating an environment of psychological safety where everyone feels they can be their authentic self, where they feel empowered and supported and cared for, and always treated with dignity and respect.” Toward that end, she said CISA is putting together psychological safety workshops across its workforce.
The CISA director said the agency’s culture-improvement efforts feature a host of other steps, including focusing on mental health, making many positions telework-friendly, allowing employees to embed gender pronouns into email addresses, promoting mindfulness apps, and implementing 360-degree feedback programs.
“It’s a culture that recognizes the importance of not just welcoming diversity, but truly celebrating it,” she said. “Because diversity – neurodiversity, ability, diversity of gender identity, of sexual orientation, of race, national origin, age, background – all equals diversity of thought, and that makes us better puzzle solvers.”