Stop Band-aiding your Cyber risk strategy with training

It wasn’t too long ago that sophisticated executives could have long, thoughtful discussions on technology strategy without even mentioning security. Today, companies have substantial assets and value manifested in digital form, and they are deeply connected to global technology networks – even as cyber attackers become ever more sophisticated and adaptable to defenses.

At most companies, boards and senior executives acknowledge the serious threats that cyberattacks pose to their business. What they are not sure of is how to create a strategy that helps them understand and address the threats, in all their forms, today and in the years ahead. And they’re asking for such a strategy every day.

Increasingly, the online world has grown complex and threatening. Many organizations are finding it hard to reconcile the level of their cybersecurity innovation investments with the cyber resilience outcomes for their business. Even worse, choosing the wrong strategy to invest in cybersecurity technologies can cost the organization far more than wasted cash; it can damage an organization’s brand, reputation, and future prosperity.

Both C-suite and security professionals should feel encouraged. Investment in innovation is increasing and managing the basics appears to be better. But scratch below the surface and there are hidden threats. Organizations face unsustainable costs, and security investments are often failing for the majority. With low detection rates and slow recovery times, it is important to find out what the leading organizations are doing differently to achieve cyber resilience. The good news is that most organizations, on average, spend 10.9 percent of their IT budgets on cybersecurity programs.

Leaders spend slightly more at 11.2 percent, which is insufficient to account for their dramatically higher levels of performance. And their investments in advanced technologies, such as artificial intelligence, machine learning or robotic process automation, are rising substantially. Today, 84 percent of organizations spend more than 20 percent of their cybersecurity budgets on tools that use these three technologies as fundamental components. The finding represents a good step up from the 67 percent being spent three years ago. The increase is even more impressive with respect to the leaders. Three years ago, only 41 percent of leaders were spending more than 20 percent of their cybersecurity budgets on advanced technologies. Today, that has doubled, to 82 percent.

At first glance, the basics of cybersecurity are improving and cyber resilience is on the rise. The latest research in the market shows that most organizations are getting better at preventing direct cyberattacks. But in the shape-shifting world of cybersecurity, attackers have already moved on to indirect targets, such as vendors and other third parties in the supply chain. It is a situation that creates new battlegrounds even before they have mastered the fight in their own backyard.

At the same time, cybersecurity cost increases are reaching unsustainable levels and, despite the hefty price tags, security investments often fail to deliver. As a result, many organizations face a tipping point. There is good news for organizations wondering if they will ever move beyond simply gaining ground on the cyber attacker. Analysis by Accenture reveals there is a group of standout organizations that appear to have cracked the cybersecurity code for innovation.

The BBC recently reported that researchers have discovered major security flaws—which affect flood defenses, radiation detection, and traffic monitoring—in the infrastructure for major cities in the United States and Europe. Of those flaws, nearly ten are deemed “critical,” meaning that a cyberattack on these systems would have a debilitating impact on essential infrastructure, including power grids, water treatment facilities, and other large-scale systems. It seems like the stuff of disaster films: A major city loses power. Huge amounts of the population panic. The roads clog. Planes are grounded. Coordinating a rescue effort—even communicating with the public—would be a colossal task.

Detailed modeling of cybersecurity performance has identified two distinct groups: the first an elite group—17 percent—that achieve significantly higher levels of performance compared to the rest. These organizations set the bar for innovation and achieve high-performing cyber resilience. The second is the group forming the vast majority of our sample—74 percent—who are average performers, but far from being laggards in cyber resilience. This second group has lessons to learn from leaders while leaders, too, have further room for improvement.

Being innovative in security is different from any other aspect of the business. Caution is necessary. After all, a fail-fast approach is not an option for security where attack vulnerabilities could be catastrophic. Growing investments in innovation illustrate organizations’ commitment to prevention and damage limitation. And it is here that leaders excel. By focusing on the technologies that provide the greatest benefit and sustaining what they have, they are finding themselves moving fast and first in the race to cyber resilience.

What is one key to secure innovation?

Companies are using all kinds of sophisticated technologies and techniques to protect critical business assets. But the most important factor in any cybersecurity program is trust. It undergirds all the decisions executives make about tools, talent, and processes. Senior business leaders and the board may see cybersecurity as a priority only when an intrusion occurs, for instance, while the chief security officer and his team view security as an everyday priority, as even the most routine website transactions present potential holes to be exploited.

Leaders now show us that they scale, train and collaborate more. So, while non-leaders measure their success by focusing on the destination—improved cyber resilience—the leaders focus on how to get there using warp speed to detect, mobilize and remediate.

“IBM Survey: Pandemic-Induced Digital Reliance Creates Lingering Security Side Effects” – IBM, 15 June 2021.
Individuals created 15 new accounts on average during the pandemic, with 82% reusing passwords across accounts. According to the report, user behavior showed strong preferences for convenience outweighing security and privacy concerns, leading to poor choices around passwords and other cybersecurity behaviors. This lax user approach to security, combined with rapid digital transformation by businesses during the pandemic poses a big risk to companies and provides attackers with further opportunities to propagate cyberattacks across industries. These poor personal security habits carry over to the workplace.

“RockYou 2021: largest password compilation of all time leaked online with 8.4 billion entries” – Cybernews, 7 June 2021.
A massive 100 gigabyte text file containing 8.4 billion entries and passwords that was combined from previous data leaks and breaches was published on a popular hacker forum.

“Hackers Breached Colonial Pipeline Using Compromised Password” – Bloomberg, June 4, 2021.
Investigators suspect hackers got the password from a dark web leak. Hackers gained entry into the Colonial Pipeline networks through a dormant virtual private network account that was no longer in use at the time of the attack but could be used to access their network. This account’s passwords have been leaked with a batch of other passwords on the dark web. This account also used a simple username and password without any other means for authentication. The hackers also stole nearly 100 gigabytes of data which they threatened to leak if the ransom wasn’t paid. This hack caused a shutdown of the pipeline causing a fuel crisis on the East Coast. This shutdown lasted more than a week.

“SolarWinds hack was ‘largest and most sophisticated attack’ ever: Microsoft president” – Reuters, 14 Feb 2021.
In the SolarWinds attack, hackers compromised a routine software update that gave them access to potentially up to 18,000 companies and government institutions globally. The hackers roamed around the networks of these companies for nine months before they were finally discovered. It will take months to identify the compromised systems and shut down the breaches. The breach of customer systems came through a small software vendor in the supply chain.

The above are just a couple of the recent examples of cyber breaches, from very sophisticated breaches such as the SolarWinds breach to less sophisticated breaches causing weeklong shutdowns, as in the Colonial Pipeline example. The hacks and breaches are becoming more frequent and more costly as attack surfaces grow across the full supply and value chains of companies.

52% of email users failed to detect an actual phishing email. GreatHorn survey, September 2020.

These large-scale breaches, and the trend of attack surfaces now extending throughout a company’s supply and value chains, put companies at increased risk. It is clear that there is still a lot more work to be done when it comes to Cyber Risk management.

Yet, most companies still rely on employee training on phishing, basic pen testing, updating and creating more policies, more training on the policies, and some aspects of multi-factor authentication and VPNs to try and secure the company’s information systems.

Why do most companies still think this approach is enough and the responsibility of the IT and the Risk teams in the organization?

THIS IS NO LONGER A SUSTAINABLE APPROACH!

With the increased risk of the business being shut down for days and weeks on end due to ransomware attacks, stricter data privacy legislation and resulting fines, the cost to the business when an attack happens can potentially cripple the business for years to come or potentially shut the business down.

So, what do companies need to look at or change?

Let’s look at this question based on the current top trends around Cyber Risk to companies.

  • Ransomware continues to be one of the top threats to companies. The predominant way hackers gain access is still through phishing and simple password access. Operational processes of on- and off-boarding of employees, vendors, contractors across the company’s business network become critical. This requires a review of all digital touchpoints of all users across all systems in the company and reviewing if the security technology in place addresses the risk sufficiently. The fewer manual processes to manage digital credentials across all these touchpoints, the better. Multi-factor and zero-trust-based authentication is a must and all simple username and passwords credentials usage need to be eradicated across all systems.
  • Supply Chain attacks are growing and increasing the risk of attacks through a vendor or partner’s system that is integrated into the company’s information systems. This requires a cyber approval plan and constant auditing of the vendor and partner systems as it relates to all the digital touchpoints of their software or systems into the company’s networks and information systems.
  • The way we work has changed with a larger remote work force whose home networks and systems are outside the “Secure” corporate environment creating a higher risk of hacker access through unsecured wireless networks. The user behavior changes of more lax approaches to security and data privacy require more training and awareness and the potential deployment of additional security technologies to provide better security to the remote worker’s home networks. This also will require a review of the company’s overall policies on bring-your-own-device, employee conduct and how to govern employee behaviors. Security has now also become an HR matter.
  • Stricter compliance. The SolarWinds attack prompted new US government legislation and requirements being drafted with stricter compliance and standards around investigations of cyber events and standards for software development for companies dealing with government institutions. Companies will require CMMC (Cybersecurity Maturity Model Certification) control standards for companies working with Government institutions in the US. This model encompasses multiple domains, processes for each of these domains, capabilities and practices that measure a contractor’s capabilities, readiness and sophistication in the area of cybersecurity. New compliance standards will drive up the cost of doing business in much bigger ways than what Sarbanes-Oxley has done for corporate financial reporting.
  • Stricter data and privacy legislation with more punitive fines. This requires a full evaluation of data vulnerabilities throughout the company as well as the company’s supply chain and coming up with clear plans and strategies on how to mitigate these.

Cyber Security is no longer just a “nuisance” add-on or cost. It needs to form a clear part of a company’s strategy and has become a key cornerstone in the Digital strategy of the company.

With the dawning era of The Internet of Things (IOT), cybersecurity affects the entire business model. Adequately addressing the threat means bringing together several business perspectives – including the market, the customer, production, and IT. Most often, the CEO is the only leader with the authority to make cybersecurity a priority across all of these areas. We believe that the issue of cybersecurity in many cases will require senior executive or even CEO initiative.

It is time to re-draw plans based on zero trust security principles and establish clear frameworks from the top down throughout all groups of the organization for monitoring, controlling, detecting, mitigating and responding to the increasing cyber threat.

As we have discussed earlier, as soon as one breach avenue has been foiled, attackers are quick to find other means. With the growth in indirect attacks, the spotlight falls on protecting third parties and other partners. But there are enormous challenges in managing third-party cyber risks. Large volumes of data can overwhelm the teams responsible for managing compliance.

The complexities of global supply chains, including the regulatory demands of various regions or countries, add to the strain. In our experience, many CISOs feel that the sizable number of vendors outstrips their capacity to monitor them. Given finite security resources, there is value in a data-driven, business-focused, tiered-risk approach to secure the enterprise ecosystem. This may mean introducing managed services to help the organization tackle the wider scope and scale.

By collaborating more broadly with others with the common goal of securing the enterprise and its ecosystem, organizations can not only play a responsible role in helping their smaller partners to beat cybercrime, but also they can be sure they are not bolting the front door from attackers while leaving the back door wide open.

A core group of leaders has shown that cyber resilience is achievable and can be reproduced. By investing for operational speed, driving value from these investments, and sustaining what they have, they are well on the way to mastering cybersecurity execution. Leaders often take a more considered approach to their use of advanced technologies by choosing those which help deliver the speed of detection and response they need to reduce the impact of cyberattacks.

And once they do decide to invest, they scale fast—the number of leaders spending more than one-fifth of their budget in advanced technologies has doubled in the last three years. The combined result is a new level of confidence from leaders in their ability to extract more value from these investments—and by doing so, exceed the performance levels of the non-leaders.

With two out of five cyberattacks now indirect, organizations must look beyond their own four walls to their broader business ecosystems. They should become masters of cybersecurity execution by stopping more attacks, finding and fixing breaches faster and reducing breach impact. In this way, they can not only realize security innovation success but also achieve greater cyber resilience.

Finally, cybersecurity remains much talked about, yet underleveraged as a differentiating factor on the business side. With the advent of the IoT, there is a real opportunity to move ahead and designate the security of products, production process, and platforms as a strategic priority. The breadth of the challenge spans the entire supply chain and the whole product lifecycle and includes both the regulatory and the communication strategy. For CEOs in leading IoT and Digital organizations, we believe cybersecurity should be at the top of the agenda until rigorous processes are in place, resilience is established, and mindsets are transformed.

As Stephane Nappo, Global Head Information Security for Société Générale International once said:

“The Internet of Things (IoT) devoid of comprehensive security management is tantamount to the Internet of Threats. Apply open collaborative innovation, systems thinking & zero-trust security models to design IoT ecosystems that generate and capture value in value chains of the Internet of Things.”

 

This article is the expressed opinions and collaboration between two senior-level industry board professionals on their views and perceptions on the subject matter:

MARIA PIENAAR
CTIO, Corporate Innovation, Digital Transformation, Investor Private Company Board Director & Advisor

Maria propels growth by speeding up discovery for companies whose leaders are frustrated by the slow pace of innovation.

Being a master networker, she extracts strategic value through tapping the latent creativity of teams and customers and catalyzes partnerships with highly innovative organizations. Her diverse leadership roles in global 100 and startup companies enable her to see the end-to-end picture and plot the most effective course for designing, launching and scaling new products and services for companies, driving customer growth. Maria co-founded Blue Label Ventures, a Corporate VC focussing on investments in Digital Health, IOT, Cyber Security, Fintech (incl. InsurTech).

Prior to that, she was CIO at Cell C, a challenger mobile carrier, and before that held various leadership roles in Business Development, Go-to-Market Strategy, Strategic Partner Management and Product Marketing for Lucent, Nokia, Vodafone, Globalstar and various startups. Maria holds a BSc in engineering.


Geoff Hudson-Searle is an independent non-executive director across regulation, technology and internet security, C-Suite executive on private and listed companies, and serial business advisor for growth-phase tech companies.

With more than 30 years’ experience in international business and management, he is the author of five books and lectures at business forums, conferences and universities. He has been the focus of TEDx and RT Europe’s business documentary across various thought leadership topics and his authorisms.

Geoff is a member and fellow of the Institute of Directors; associate of The International Business Institute of Management; a co-founder and board member of the Neustar International Security Council (NISC); and a distinguished member of the Advisory Council for The Global Cyber Academy.

He holds a master’s degree in business administration. Rated by Agilience as a Top 250 Harvard Business School thought leader authority covering blogs and writing across ‘Strategic Management’ and ‘Management Consulting’, Geoff has worked on strategic growth, strategy, operations, finance, international development, growth and scale-up advisory programs for the British Government, Citibank, Kaspersky, BT and Barclays among others.


Guest-blog: Alina-Georgiana Petcu discusses ‘When Insider Threat Turns Malicious – and How to Stop It from Happening to You’

Lockdown introduced new threat vectors for organisations in 2020, as cybercriminals redoubled their efforts to launch damaging cyber-attacks. Now that we are looking towards a post-lockdown future in 2021, it is worth exploring the cybersecurity landscape and assessing what steps we should take to protect ourselves from the pernicious threat of cyber-crime.

If there’s one thing you can say for cybercriminals, they rarely miss an opportunity. The coronavirus pandemic has offered cybercriminals a myriad of opportunities to exploit victims’ fears and uncertainties, sow seeds of false hope, and persistently cause disarray in the aid of compromising data and making money.

One year on from the first UK lockdown, we don’t expect this to change as we transition towards a post-lockdown world. The knock-on impact of lockdown is that many organisations are fighting to remain operational, and cybercriminals know this. They will continue to proactively target organisations that are struggling as a result of the coronavirus pandemic, as they recognise that budgets for IT and cybersecurity resources may well have been reduced – making them easier targets for phishing and ransomware attacks.

Today I have the distinct pleasure of introducing another Guest Blogger, Alina-Georgiana Petcu, who is a Communications and PR Officer at Heimdal Security.

Alina is a content connoisseur with a knack for everything tech. She occupies her spare time by trying to untangle the intricate narratives behind the world’s most infamous cyberattacks.

Alina is going to talk to us about the importance of when an insider threat turns malicious – and how to stop it from happening to you.

Thank you, Geoff, it is a pleasure to collaborate with you on this important subject.

The term insider threat refers to a certain amount of risk organizations are subjected to through their current and former employees alike, as well as through business associates or contractors.

These are all people with privileged access to a company’s systems, which means that they can access sensitive data regular staff members don’t have access to.

Insider threat becomes malicious the moment one of these people decides to abuse their access rights to fulfill nefarious motives. Let’s see how and why that happens, as well as how you can stop it from happening to you and keep your enterprise’s assets safe from the grubby paws of hackers.

Unfortunately, insider threat is a widespread issue in corporate cybersecurity. The Ponemon Institute’s 2020 Cost of Insider Threats Global Report recorded a 47% increase in insider threat incidents between 2018 and 2020. This type of inappropriate management of company data can be separated into three categories:
• Accidental, which means that the action was unpremeditated and was not driven by any ulterior motive.
• Negligent, which treads the line between accidental and malicious. The employee in question is not necessarily a hacker, but his intentions aren’t right either.
• And malicious, which consists of an action that is premeditated and was driven by an ulterior motive. That motive can be revenge, ego, financial gain, coercion, or ideology.

To better understand malicious insiders at a human level, SentinelOne’s Jeremy Goldstein classifies insider threat into four archetypes:
• The pawn, who is usually manipulated by a malicious third party into sabotaging the company. This is often unintentional, as it is carried out through phishing or CEO fraud.
• The goof, who is generally ignorant or arrogant regarding their position and thus acts irresponsibly within the company network, causing damage.
• The collaborator, who steals data and disrupts the activity of an enterprise in cooperation with a malicious third party.
• And the lone wolf, whose malicious intent is their own and they act independently of any other cybercriminal group.

Therefore, we can notice right off the bat that not all insider threat actors are malicious. Nevertheless, nearly half of them always are.

5 Threat Scenarios to Expect from a Malicious Insider

So, what happens when insider threat turns malicious? Here are the five scenarios you can expect, illustrated by a few real-life examples of what happened when renowned companies and global organizations went through them.

#1 A malicious insider stole data for competitive interests
• Steven L. Davis, a process controls engineer for Tennessee-based fabrication equipment designer Wright Industries, was contracted by Gillette to oversee their new shaving system in 1997. Out of discontent with his supervisor, Davis stole and sold private data about the technology to Gillette’s competitors.
• A naturalized Chinese-American citizen named Xudong Lao abused his privileges as an employee of the Illinois Locomotive Company between 2014 and 2015, illegally downloading thousands of confidential documents. He then got a job with a Chinese automotive service systems company in 2015 and supplied his new employer with these unlawfully obtained trade secrets.
• Walmart accused their technology vendor and partner Compucom of spying into the private conversations of the retail giant’s C-level executives in 2019. As per the allegations, Compucom employees gathered data that would later give the company an advantage in winning the bid with Walmart.

#2 A malicious insider covertly accessed customer data
• The National Security Agency (NSA) of the United States is responsible for several such cases. In 2003, an NSA employee allegedly monitored a woman he was involved with. She caught onto it and reported the incident, which led to an internal investigation.
• One year later in 2004, it was discovered that another employee was keeping tabs on an unknown number she found in her husband’s contacts out of fear that he was cheating on her.
• In 2011, one staff member stationed overseas spied on the private phone calls of her partner back home, as well as on the conversations of the people she met in that respective country.

These incidents were referred to internally as LOVEINT, which is short for Love Intelligence.

#3 A malicious insider gained profit from privileged information
• In 2011, a former Bank of America employee provided malicious third parties with the sensitive banking info of an undisclosed number of customers. Fraudsters used this information to cause damages that amounted to a whopping $10 million.
• AT&T employee Chouman Emily Syrilien provided a co-conspirator with files containing the personally identifiable information of multiple clients of the telecom services provider. Syrilien was part of a larger data theft scheme involving multiple members of staff.
• An employee working for esteemed cybersecurity software provider Trend Micro accessed a database containing confidential customer information and sold it to a cybercriminal group in 2019.

#4 A malicious insider sabotaged company data and operations
• A former network engineer working at the Charleston-based oil and gas company EnerVest Operating remotely accessed systems in 2014. This had malicious intent behind it, as the engineer reset the network to factory settings, causing damages.
• Back when VP Kamala Harris was a district attorney in San Francisco in 2018, a network engineer for the San Francisco Department of Telecommunications and Information Services (DTIS) named Terry Childs refused to give up the login credentials to the entire network he had built.
• Upon receiving his termination notice in 2015, Canadian Pacific Railway employee Christopher Victor Grupe abused his still-valid login credentials to access the company network, deleted some essential administrative accounts, and changed the passwords to others.

#5 A malicious insider shared confidential information with the media
• In 2014, former Microsoft employee Alex Kibkalo, who worked for the company out of Lebanon and Russia, was caught disclosing trade secrets to a French blogger. The leaked information contained, among other things, screenshots of a then-unreleased version of the corporation’s renowned Windows operating system.
• A total of 29 Apple employees disclosed confidential data about product launches in 2018. Out of them, only 12 were arrested.
• While many Tesla employees practiced ethical whistleblowing against the company in the past, one staff member shared confidential business information, such as production numbers, with journalists on Twitter.

A Checklist for Malicious Insider Prevention

If you take just one thing away from the examples I listed above, let it be this – malicious insider threat can target the best in any industry. The checklist below will help you prevent it from happening to you too. So, without further ado, let’s get into some actionable advice.

❒ Know the signs of malicious insider activity
The main purpose of malicious insiders is to steal sensitive information, which they will then misuse in one of the five ways mentioned above. When this type of threat rummages around your company network, they’re going to leave a paper trail regardless of how hard they try to hide their activity. There are three telltale signs of this:
1. Logging in at odd hours
2. Unexpected traffic spikes
3. Data transfers that are out of the ordinary
Looking out for these markers of unusual activity in your system means that you will be able to respond quickly if a malicious insider threat targets your enterprise. Thus, you can take appropriate action right away and remove the privileges of the user account that is being misused.
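The three signs above can be checked against each account's own history rather than a fixed rule. The sketch below is an added example, not part of the original post: the log format, field names and thresholds are assumptions, and the sample events are constructed.

```python
import statistics
from collections import defaultdict
from datetime import date, datetime

# Constructed sample events, not real logs: timestamp,user,event,bytes_out
SAMPLE_LOG = """\
2021-03-01T09:02:11,alice,login,0
2021-03-01T15:40:00,alice,transfer,40000000
2021-03-01T08:15:42,bob,login,0
2021-03-01T11:05:00,bob,transfer,10000000
2021-03-02T09:10:03,alice,login,0
2021-03-02T14:22:00,alice,transfer,55000000
2021-03-02T10:01:27,bob,login,0
2021-03-02T16:30:00,bob,transfer,12000000
2021-03-03T08:58:40,alice,login,0
2021-03-03T13:05:00,alice,transfer,48000000
2021-03-03T08:44:19,bob,login,0
2021-03-03T12:12:00,bob,transfer,11000000
2021-03-04T09:20:55,alice,login,0
2021-03-04T15:00:00,alice,transfer,52000000
2021-03-04T09:31:08,bob,login,0
2021-03-04T10:45:00,bob,transfer,9000000
2021-03-05T09:05:30,alice,login,0
2021-03-05T14:10:00,alice,transfer,50000000
2021-03-05T02:47:12,bob,login,0
2021-03-05T02:55:00,bob,transfer,900000000
"""

ALL_USERS = "*all*"  # pseudo-user that accumulates network-wide totals


def parse(log_text):
    """Yield (timestamp, user, event, bytes_out) from comma-separated lines."""
    for line in log_text.strip().splitlines():
        ts, user, event, nbytes = line.split(",")
        yield datetime.fromisoformat(ts), user, event, int(nbytes)


def robust_threshold(values, k=5.0, floor=1_000_000):
    """Return median + k * MAD; the floor stops a flat baseline alerting on noise."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    return med + k * max(mad, floor)


def detect(log_text, cutoff_iso, hour_slack=1, min_history=3):
    """Score events on or after the cutoff date against each user's earlier history."""
    cutoff = date.fromisoformat(cutoff_iso)
    login_hours = defaultdict(list)                 # user -> baseline login hours
    daily = defaultdict(lambda: defaultdict(int))   # user -> day -> bytes sent out
    recent_logins = []
    for ts, user, event, nbytes in parse(log_text):
        if event == "login":
            if ts.date() < cutoff:
                login_hours[user].append(ts.hour)
            else:
                recent_logins.append((ts, user))
        elif event == "transfer":
            daily[user][ts.date()] += nbytes
            daily[ALL_USERS][ts.date()] += nbytes

    alerts = []
    # Sign 1: login outside the hours this user has historically worked.
    # A min/max window does not model night shifts that wrap past midnight.
    for ts, user in recent_logins:
        hours = login_hours[user]
        if len(hours) < min_history:
            continue  # too little history to judge this account
        if not (min(hours) - hour_slack <= ts.hour <= max(hours) + hour_slack):
            alerts.append(("odd_hour_login", user, ts.isoformat()))
    # Signs 2 and 3: per-user transfer volume and network-wide traffic per day.
    for user, per_day in daily.items():
        baseline = [total for day, total in per_day.items() if day < cutoff]
        if len(baseline) < min_history:
            continue
        limit = robust_threshold(baseline)
        for day, total in sorted(per_day.items()):
            if day >= cutoff and total > limit:
                kind = "traffic_spike" if user == ALL_USERS else "unusual_transfer"
                alerts.append((kind, user, day.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, "2021-03-05"):
        print(alert)
```

Using the median and median absolute deviation keeps one earlier large transfer from inflating the baseline and hiding the next one.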

❒ Prevent privilege creep
The term privilege creep is a cybersecurity concept that is used to describe the accumulation of redundant access privileges, permissions, and rights on a user account that does not need them.

This tends to happen when an employee is promoted to a different position or moved to a different department.

When this happens, the staff member in question is granted new access rights that are appropriate for their tasks, while at the same time retaining the privileges from their previous position.

If overlooked, privilege creep can lead to an accidental superuser account that can be used to fulfill malicious motives.

The best way to prevent this from happening within your company network is by constantly auditing user accounts and monitoring changes. Keeping track of admin rights with a privileged access management tool is another useful route and one that can help you practice privilege bracketing within your system as well.

❒ Practice privilege bracketing
While we’re on the topic of privilege bracketing, let’s take a moment to discuss this beneficial cybersecurity practice. As I mentioned before, the main reason why malicious insiders become threatening to the safety of your enterprise data is through accounts that rack up a lot of privileges over time.

Privilege bracketing is the surest and most effective way to stop this. Based on the principle of least privilege, it involves giving user accounts the minimum access rights that are necessary for the completion of daily tasks. In this way, you can ensure that your enterprise’s private data remains private, together with any personally identifiable information stored in your corporate system.
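The account audit described under privilege creep and the least-privilege target described here can be expressed as one check: compare what each account holds with what its current role needs. This is an added example, not part of the original post; the role names, entitlement strings and account records are constructed, and the data model is an assumption.

```python
# Constructed role baselines: the minimum entitlements each role needs.
ROLE_BASELINE = {
    "helpdesk": {"tickets:write", "ad:reset-password"},
    "sysadmin": {"servers:ssh", "ad:reset-password", "backups:restore"},
    "finance-analyst": {"erp:read", "reports:export"},
    "payroll-manager": {"erp:read", "payroll:approve", "bank:submit"},
}

# Constructed accounts: role history is oldest first, the last entry is current.
ACCOUNTS = [
    {"user": "dana", "roles": ["helpdesk", "sysadmin"],
     "granted": {"tickets:write", "ad:reset-password", "servers:ssh",
                 "backups:restore"}},
    {"user": "eli", "roles": ["finance-analyst"],
     "granted": {"erp:read", "reports:export"}},
    {"user": "farah", "roles": ["finance-analyst", "payroll-manager"],
     "granted": {"erp:read", "reports:export", "payroll:approve",
                 "bank:submit", "servers:ssh"}},
]


def audit_account(account, baselines=ROLE_BASELINE):
    """Split an account's excess entitlements by where they came from."""
    *previous, current = account["roles"]
    granted = account["granted"]
    excess = granted - baselines[current]
    # Everything any earlier role of this person legitimately needed.
    prior = set().union(*(baselines[role] for role in previous))
    return {
        "user": account["user"],
        "current_role": current,
        # Privilege creep: kept from an earlier position after a move.
        "retained": sorted(excess & prior),
        # Not explained by any role the person has held; needs an owner.
        "unexplained": sorted(excess - prior),
        # Privilege bracketing: revoke this to get back to the role baseline.
        "revoke": sorted(excess),
        # More than one role fully covered means privileges of several
        # positions have accumulated on a single account.
        "roles_covered": sorted(r for r, b in baselines.items() if b <= granted),
    }


def audit(accounts, baselines=ROLE_BASELINE):
    """Return findings only for accounts holding more than their role needs."""
    findings = (audit_account(account, baselines) for account in accounts)
    return [finding for finding in findings if finding["revoke"]]


if __name__ == "__main__":
    for finding in audit(ACCOUNTS):
        print(finding)
```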

❒ Implement the zero trust model
Coined by Forrester analyst John Kindervag, the zero trust model implies that no user account operating within a corporate network is to be trusted by default. Instead, everyone’s activity should be continuously authenticated, monitored, and validated. And yes, that includes C-level execs and employees of the company on top of third-party contractors and collaborators. The reason for this is that the practice is based around the never trust, always verify mentality.

Of course, this comes with its set of challenges. Implementing the zero trust model is thus an intricate process that includes multifactor authentication, data encryption, privileged access management, cybersecurity auditing, and more.

Nevertheless, it is essential for the prevention of malicious insider threat and the #1 priority in risk mitigation for the past three consecutive years, on the authority of global research and advisory firm Gartner.

❒ Work on your company culture
You know how the old saying goes – the fish rots from the head down. This is true of corporate culture as well, meaning that your leadership within the company or a specific team can be the root cause of issues such as insider threat.

As some of the examples I’ve given above show, malicious insiders are often disgruntled employees looking to cause harm to an enterprise they think has wronged them.

The solution to this issue is pretty straightforward, and it consists of improving the company culture as a whole. If your employees are satisfied with their place of work, they are far less likely to act malevolently towards it or be manipulated by someone who wants them to.

What is more, a staff member that loves their job is far more likely to practice ethical whistleblowing and denounce coworkers that might not have your business’s best interest in mind. It’s a win-win whichever way you look at it, and all you have to do is listen. Be receptive to their feedback and take constructive criticism into account. That is the mark of a strong leader.

Final Thoughts on Malicious Insider Threat

The human factor is an unpredictable liability in any company. You never know when an employee can go rogue or mess up without meaning to. And on top of that, malware operators and other ill-intentioned third parties are always looking for pawns to help them fulfill their nefarious purposes. For this reason, insider threat is a reality of our time, and it can damage your assets and taint your company’s reputation even when it’s unintentional.

When insider threat becomes malicious, it’s a whole other story. It is your responsibility as a leader to make sure that that doesn’t happen to your company by not only putting the right policies into place but by improving your relationship with your team as well.

Change starts from the inside out, and by that, I mean from your company culture. The technical aspect of it all is not to be overlooked, of course. Privileged access management tools, as well as data encryption, multi-factor authentication, password hygiene procedures, and so on, are essential to the digital well-being of your enterprise. The process is a challenging one, but the results are worth it. Are you ready to take your enterprise cybersecurity to the next level?

You can contact Alina-Georgiana Petcu on LinkedIn with your questions:
https://www.linkedin.com/in/alina-georgiana-petcu-166905197/

Guest-blog: Scott Hunter discusses the importance of Five High Impact L&D Ideas on a Shoestring Budget

Scott Hunter

Today’s leadership development landscape demands employees adapt to constant change. In order for organizations to take on the pressing need of reskilling and upskilling, it’s critical they’re immersed in a culture of learning. However, the way we learn is changing: employees want control of their own learning, yet they also want guidance and support from managers and learning and development teams.

The uncertain economic environment of the past few years has had a significant impact on the resources available for learning and development in many organisations. This year we are starting to see signs of greater L&D investment in parts of the private sector, but pressure on resources remains an issue for many and workloads are high. This squeeze on resources, combined with an increasing shortage of key skills, means the need for effective, targeted L&D will continue to grow.

Currently many are held back by a lack of confidence, knowledge and insight around how to harness technological tools to improve their learning and development interventions. L&D needs to build skills and expertise in this area to profit from new innovations that meet business requirements and the demands of learners.

The L&D profession faces a stimulating and challenging future in meeting organisational and learner requirements in fast-paced and busy environments. L&D teams need to continue to work collaboratively across the organisation to ensure that current and future business needs are met and that L&D is agile, effective and timely. Technological developments and emerging insights from other disciplines have great potential to aid this process – but only if the capability to exploit these tools and techniques is developed concurrently. We, therefore, need to keep an eye on the future, to understand the evolving learning landscape, while continuing to build the professional competencies we need today to drive and sustain organisational success.

Today I have the distinct pleasure of introducing another Guest Blogger, Scott Hunter. Scott is a specialist in personal influence and creative thinking.

Scott works in an exciting and ever-changing world, faced with new challenges and opportunities. Organisations today are in desperate need of creating agility and a more open capacity to learn. They need innovative solutions to meet the ever-increasing demand for change, requiring a new approach.

There is an opportunity for a holistic approach to learning and change to come to the fore. There is more demand than ever for learning that engages, adds value, drives performance and reignites organisational values and purpose.

Scott has been involved in learning for over 20 years, experiencing the good, the bad and the downright ugly. Over the last 5 years, he has focused on the changing landscape of learning and finding new ways to create development opportunities and learner journeys outside of the normal approaches.

Scott is going to talk to us about the importance of innovative learning and development and the ‘Five High Impact L&D Ideas on a Shoestring Budget’.

Thank you, Geoff, it is a pleasure to collaborate with you on this important subject.

L&D is often under budgetary and time pressures, with an ever-increasing demand to deliver solutions. This can appear like a never-ending challenge to meet these seemingly paradoxical pressures of developing employees with less money and time.

I would argue that these challenges can be an opportunity for L&D to have an organisation-wide impact, for L&D to help change the perception of what learning is within organisations. Using innovative solutions, it can be possible to guide learning in the organisation that aligns with business objectives and shares accountability.

Learning cannot be detached from performance and, to achieve this, it is important to identify the environmental issues that need to be considered. It is not enough to just introduce new L&D activities and solutions without considering the requirements needed to help support the practice of new skills/behaviours in the workplace.

Here are 5 ideas for learning solutions that can be delivered with little financial or time investment from L&D, the participants or the organisation. Included are some thoughts on each idea and some potential environmental considerations for them to deliver the biggest impact.

1. Dragon’s Den (Shark Tank)

Elvin Turner, in his book ‘Be Less Zombie’, describes experiments as the rocket fuel of innovation and, let’s be honest, which organisation doesn’t want more innovation at the moment.

Experiments enable organisations to explore possible innovation, with minimal financial or time investment. They enable innovation to become less risky and more data and evidence-driven.

This is based on the Dragon’s Den TV show.

Once a month/quarter, an employee can pitch their innovation-ideas to a panel of managers in the organisation.

If the managers like the pitch, they can then agree to invest a small amount for the employee to run an experiment to test the assumptions their innovation is based upon.

To meet the criteria of an experiment it should be:

• Small
• Cheap
• Fast
• Designed for learning

This provides an ability to maximise learning with the minimum commitment of resources. Each iteration and development of the innovation is supported by data demonstrating the potential after every step.

It also provides information that can create clarity on actions or directions that will not be beneficial to the organisation.

Some of the advantages of this L&D activity:

• Increases employee understanding of the organisation
• Develops critical skills required for leadership
• Aligns innovation energy towards tangible benefits for the organisation
• Creates deeper insights into opportunities
• Creates knowledge that can be used across the organisation to make evidenced improvements
• Encourages collaboration across the organisation

Environmental considerations

• Leaders being open to the ideas from employees
• Supporting the experimentation during work time
• Reward and recognition of employees in line with learning
• Supporting employees in developing pitches
• Support in designing experimentation and metrics
• Allowing employees to be involved in the projects

2. Work Based Projects

Work-based projects can be used to align employee learning efforts to strategically identified outcomes, creating opportunities that have tangible business outcomes. Creating an environment where employees can participate and learn simultaneously provides huge benefits.

Projects are ongoing within organisations on a regular basis and are great opportunities for employees to practice the skills/behaviours identified. These projects can be existing ones, or they can be created to specifically support the application of skills/behaviour from a programme, such as a leadership programme.

The use of projects can provide an evaluation of the application of learning, the behaviour of participants and the application of skills in a real business environment. This provides the opportunity for specific and data-rich analysis of the programme and its impact.

Some advantages of this L&D activity:

• Provides opportunities to practice skills and behaviours in a real business environment
• Provides rich data to evaluate the programme and participants
• Links tangible business outcomes to the L&D activity
• Provides the opportunity to test the organisation’s processes and procedures
• Develops a deeper understanding of the organisation
• Encourages collaboration and cross-functional/department working
• Develop leadership skills

Environmental considerations

• Leaders support in providing time to be involved in projects
• Clarity on the deliverable of project and provision of sufficient resources
• Agreement and collection of suitable and relevant metrics
• Ongoing support and feedback during the project

3. Peer to Peer feedback sessions

The power of feedback has been well documented and is an integral aspect of performance management and coaching. However, I would suggest that most of the interactions and observations of our work are with our peers.

It seems, therefore, that gaining feedback from peers can be a great source of information for areas of improvement, and recognition. The use of peer to peer feedback can create a more open and transparent working environment.

Also, it can provide insights into behavioural aspects of performance, which can often be missed in more traditional performance management approaches.

It can work in an organic way, where feedback is in line with recent observations and requests. Or it can be guided, perhaps to provide feedback to specific behavioural requirements of the organisation.

One example could be that putting customers first and excellence are key pillars of the organisational strategy. L&D could then provide guidance on what areas to observe and provide feedback on during the peer to peer sessions. This links ongoing organisational feedback with identified strategic outcomes of the organisation.

Potential advantages of this L&D activity:

• Improved performance across the organisation
• Improved relationships
• Improved teamwork and communication
• Alignment of feedback to organisational outcomes
• Support delivery of behavioural change in the workplace

Some environmental considerations

• Support of peer to peer feedback in the performance management process
• Review reward and recognition policies and processes
• Support with guidelines on providing and receiving feedback
• Support from line managers to encourage the process
• Agree metrics for uptake and impact

4. Skills-based video channel

Employees want to be able to do what they need when they need it; a lack of specific, and often small, pieces of information can create unnecessary delays. An example may be needing to create a pivot table in Excel.

Normally this may require an employee to find someone who knows how to do this and then ask them to show them. This is time-consuming and an inefficient method of knowledge sharing.

L&D can create a video channel that is dedicated to micro explainer videos of skills that are often required within the organisation. Working with line managers, L&D can identify employees who have these skills and approach them to create explainer videos.

These videos can then be tagged and hosted on an in-house server, or externally such as a closed YouTube or Vimeo channel. Content can be updated, as and when it becomes clear that skills are required, or an employee has a skill that could be beneficial.

This will provide employees with a searchable and accessible resource of skills and information, which they can easily use at the point of need.

The content could also be highlighted to groups in their employee life cycle as it may become useful. For example, reminders about interview skills or tips for performance management could be provided to line managers in the run-up to scheduled performance management reviews and assessments.

Potential benefits of this L&D solution:

• Provide access to skills as and when required
• Reduce potential delays, improve productivity
• Increase motivation and value for those employees selected to provide content
• Flexible content that is adaptable to organisational needs
• Reduce dependence on training courses, saving time and finances
• Reduce time away from work of subject matter experts

Environmental issues

• Access to the appropriate server to host videos and allow organisation-wide access
• Review reward and recognition for those submitting content
• Provide feedback for content generation
• Support of leadership in creating content
• Ensure compliance with appropriate copyright and licensing requirements
• Communication of resource

5. Microlearning activities

Microlearning is all around us and used in everyday life; allowing employees to consume information and learning quickly and effectively.

These activities can be directly linked to skills or behaviours that are required to deliver team/organisation outcomes. This provides flexibility to create content that can be delivered within specific areas of the organisation, or across the whole organisation.

These can be scheduled and used as stand-alone actions or can be used to support other programmes or initiatives.

In the ‘Influence to Innovate’ coaching programme we provide individual and group microlearning activities. One example is called ‘Lip Sync’ which was designed to help develop better listening skills. Below is an outline of the activity.

Title

Lip Sync

Rationale

To build trust, one of the most important dimensions is selflessness. However, in conversations, we often interrupt and speak over others. This demonstrates that we are more interested in what we have to say rather than what others are saying. This damages our reputation and decreases the trust others have in us.

How to Play

• During your day, when you’re invited into a conversation, pay attention to the lips of the others.
• As soon as their lips move, you must ‘Lip Sync’ by not moving your lips and letting others speak.
• Your objective today is to ‘Lip Sync’ as often as possible, ensuring that your lips do not move at the same time as others.

Reflection

At the end of the day, take some time to reflect back and answer the following questions:

• What were the differences in conversations when you managed to ‘Lip Sync’ compared to when you were unable to?
• What do you think the impact on the others was?
• How might ‘Lip Sync’ help you in your work and personal relationships?
• What action can you take to improve your ‘Lip Sync’ ability?

As an example, you can see that this activity can be briefed quickly and the playing of the activity happens within the normal working day. It does not impact the operations of the organisation and can be completed across specific teams or the whole organisation at the same time.

The use of microlearning can help develop learning at speed and scale.

Some benefits of this L&D solution:

• Specific skills can be developed organisation-wide at the same time
• There is no requirement to be released from work
• Skills can be developed that are directly linked to team/organisation goals
• Can be used to develop behaviours in real work environment
• Can support long term learning programmes
• Improve relationships within organisations
• Can embed values at scale and speed

Some environmental considerations:

• Support from line managers in playing the game
• Support to encourage reflection on the day’s play
• Facilitating healthy discussions within teams
• Link required behaviours to performance management, reward and recognition
• Access to activities
• Enabling all employees to participate

Summary

In my opinion, L&D does not own the learning in the organisation, and can move itself to be seen as the strategic convener of learning. All the ideas in this blog were chosen against the following criteria:

• Had limited operational impact
• Had limited financial costs
• Encouraged learning, as close as possible, to the required application
• Ability to support organisation-wide learning
• Ease of linking to organisational outcomes
• Encourage multiple stakeholders in learning
• Can be easily evaluated for impact

This is not an exhaustive list, and there are many great ideas on how to create learning opportunities in the workplace.

Hopefully, these ideas have given you some food for thought, enabling you to implement some of these quickly and easily into your organisation.

These ideas may help move the conversations L&D are having in organisations and change the perception and move them to be seen as trusted strategic partners.

If you would like to chat about changing the perception of learning in organisations, feel free to reach out.

You can contact Scott Hunter with your questions:
email: scott @ theinnovatecrowd.com
web: www.theinnovatecrowd.com
LinkedIn: Scott Hunter

Moving from Cyber Risk Insurance to a Cyber Risk Management Strategy


2021 has progressed with even more challenges and promises to deliver even more changes to the pace of a fast technological environment. Risk professionals need to look back and consider the lessons learned from 2020.

Have we returned to where we were, or have we moved on to a new norm?

What does the COVID-19 pandemic market data tell us that will help us to prepare for future global crises?

2020 was a rollercoaster for the financial markets. At the beginning of the year, the economy was enjoying the longest continuous growth stretch on record.

The stock market was constantly hitting new highs. The Federal Reserve was starting to bring Treasury yields back up for the first time since the Great Recession. And then came March…

Given that framework, the first question we want to answer is: “As risk professionals, how prepared were we for these types of market swings?”

In the insurance industry, companies rely on economic scenario generators (ESGs) to produce a wide range of plausible, cohesive futures for the variables that drive their results — for example, corporate bond and equity returns, as well as Treasury yields.

These models are not predicting specific events, like a pandemic or a war; instead, they simply attempt to estimate the likelihood of a 20% drop in the equity market over the next year.

So, to answer the question posed above, we need to test how well the ESGs that we use were able to predict the financial market movements we have seen in 2020.

If our models covered these types of results, then we can take comfort that we were well prepared; if not, then we have to think about how to adjust our framework to be better prepared for the next calamity.

So, where does this leave an Insurance Chief Risk Officer?

First, we should take a critical look at how well our key economic models performed at anticipating these types of extreme market movements. If our models weren’t up to the task, then we need to rethink how those models are calibrated, as this is likely to lead us to either take on too much risk or the wrong types of risks.

We also want to make sure we perform this review on both the good times and the bad times since we are using these models for much more than just risk measurement.

This now brings us to one of the widest subjects in technology today: cyber risk insurance, which has become very popular over the last five years with larger corporations as a means to potentially cover the unexpected cost relating to data breaches and ransomware attacks.

This is not surprising, taking into consideration that global ransomware damage costs are predicted to reach $20 billion (USD) by 2021, according to the latest report by Cybersecurity Ventures.

According to the report, this is a 57X increase in the last five years. Ransomware is expected to attack a company every 11 seconds according to the report.

Ransomware poses the biggest threat, as it can impact a business to the point where the business is shut down. In 2019 alone, the average business downtime was over nine days. According to Bitdefender, downtime costs due to ransomware on average were 50 times more than the ransom requested by cybercriminals.

According to the latest IBM Security Ponemon report on the cost of data breaches, the average for data breaches in the US was $3.8 million (USD) for less than 100,000 records. The average time to identify and contain a breach is 280 days. In breaches of 1 million to 10 million data records, the average cost was $50 million (USD), more than 25 times the average cost of breaches of less than 100,000 data records.

According to Security Boulevard, the cyber attack surface is increasing as companies accelerate digital transformation and remote work, leaving them at higher risk of cyberattacks. The top cyber threats to companies for 2021 are the following:

• Cloud-based threats. As more companies move to cloud services and adopt more cloud-based tools from 3rd party vendors, this also increases the security footprint the company needs to look at protecting. It is no longer just the internal systems of the company that pose a risk.

• Insider threats. This involves internal actors (employees, contractors, vendors) with valid credentials to key business systems colluding with cybercriminals to provide them access to data that can lead to data breaches and ransom attacks.

• Remote worker end-point security. Remote workers using unsecured network services leave backdoors open for cybercriminals to gain access to company data and infrastructure.

• Phishing attacks employing social engineering to obtain access credentials.

• Deep Fakes. A growing threat where artificial intelligence is used to manipulate videos that falsely represent a person to commit more advanced phishing attacks. This could generate synthetic identities to gain access to systems.

• IoT devices. Unless properly secured within the overall part of the business, the introduction of IoT devices increases the complexity and attack surface for cybercriminals to exploit. The recent Verkada cyberattack, which exposed video footage from over 150,000 cameras at various companies such as Amazon and Tesla, demonstrated this risk.

• Malvertising where malicious advertisements including technical support scams are used to spread malware.

• Sophisticated and targeted ransomware attacks. This includes a key risk around personal staff safety.

• Social Media attacks where cyber criminals use social media platforms posing as the legitimate company in order to spread malware.

Consider that the average cost of cyber insurance in the US in 2020, according to AdvisorSmith, was $1,485 per year, covering liability of up to $1 million.

There are a number of factors, such as company revenues and the number of sensitive data records, to name a few, that impact cyber insurance premiums.

Looking at the averages for cyber insurance and the explosive growth in the cost of data breaches, most companies are grossly under-insured to cover the costs of potential data breaches or ransomware attacks.

Cyber insurance may be a good option for covering some of the liability and cost in the event of a breach. However, it falls way short in minimizing the actual liability in the cost of a data breach or ransom attack to the company.

How should companies and the Board balance the cost to cover the liabilities due to cyber risk in the company?

Spend more money on insurance with higher premiums vs. more investment to implement risk management across the organization and supply chain through policies, incident response preparedness, cyber training, and cybersecurity systems?

The latter part of the equation can be quite daunting, and the “easy” way out seems to be to rather take out the insurance, and deal with it when a breach happens.

What should companies look at in order to solve an increasingly complex cyber governance problem when looking at the cost, and where to most effectively spend the money to mitigate the risk?

The typical cost of a cyber attack, when one happens, can be broken down into the following elements:

• Forensic analysis for identifying the attack source
• Unplanned IT spend to recover data, remove malware, recover from downtime, implementation of new systems to prevent similar attacks, 3rd party vendor or supply chain systems updates, other
• Public relations services
• Notification of clients, shareholders, and regulators
• Credit monitoring services (if customers’ financial data was stolen)
• Loss of income
• Regulatory penalties depending on the breach

The best strategy is to avoid the additional cost as much as possible through better governance, incident reporting and planning, and implementing security automation as far as reasonably possible.

Worldwide spending on information security and risk management technology and services continued to grow through 2020, although at a slower rate than previously forecast, according to Gartner, Inc.

Information security spending grew 2.4% to reach $123.8 billion in 2020. This is down from the 8.7% growth Gartner projected in its December 2019 forecast update. The coronavirus pandemic is driving short-term demand in areas such as cloud adoption, remote worker technologies, and cost-saving measures.

“Like other segments of IT, we expect security will be negatively impacted by the COVID-19 crisis,” said Lawrence Pingree, managing vice president at Gartner. “Overall we expect a pause and a reduction of growth in both security software and services during 2020.”

Gartner’s survey showed the top 10 categories of expenditures as follows:

1. Application Security
2. Cloud Security
3. Data Security
4. Identity Access Management
5. Infrastructure Protection
6. Integrated Risk Management
7. Network Security Equipment
8. Other Information Security Software
9. Security Services
10. Consumer Security Software

How big is your cybersecurity budget? Probably not big enough. Organisations need to invest more in their security.

Over the years, spending on cybersecurity has changed substantially. In 2019, worldwide spending for security products and services is estimated to be more than $124 billion, an increase in growth of 8.7% from last year.

Companies around the world are no longer considering cybersecurity a minor part of their spending budget, but rather a priority. One of the main reasons for this is the large security breaches that have occurred in the past few years, putting business and personal data at a higher risk than ever before.

According to IBM’s report, companies with fully deployed security automation saw a cost-saving of $3.58 million (USD) on the cost of a data breach vs. companies with no security automation.

Companies with incident response preparedness saw an impact of $2 million (USD) in savings on average on the total cost of a data breach.

Boards and companies should have clear plans and strategies around the following four cost centers. Where cost centers are missing, these need to be taken into consideration. Start with assessments of the status of the activities within these four key pillars for cyber governance and make these a strategic part of all budget spend and activities across the whole company, as well as 3rd party supply chain of the company.

Detection and escalation. Activities that enable a company to reasonably detect the breach.
• Forensic and investigative activities
• Assessment and audit services, including Incident Response
• Crisis management
• Communications to executives and boards

Lost business. Activities that attempt to minimize the loss of customers, business disruption, and revenue losses.
• Business disruption and revenue losses from system downtime
• Cost of lost customers and acquiring new customers
• Reputation losses and diminished goodwill

Notification. Activities that enable the company to notify data subjects, data protection regulators, and other third parties.
• Emails, letters, outbound calls, or general notice to data subjects
• Determination of regulatory requirements
• Communication with regulators
• Engagement of outside experts

Ex-post response. Activities to help victims of a breach communicate with the company and redress activities to victims and regulators.
• Help desk and inbound communications
• Credit monitoring and identity protection services
• Issuing new accounts or credit cards
• Legal expenditures
• Product discounts
• Regulatory fines

(Cost center model per IBM in the Cost of Data Breach Report)

Digital technologies are ushering in a new era and driving transformative changes in every industry, as organizations adopt these technologies to redefine how they create, deliver, and capture value.

Identifying, understanding, and addressing new risks associated with digital transformation will help businesses derive more value from their efforts in the future. What’s more, understanding how digital transformation can be applied to risk management will enable organizations to take a more balanced view of digital technologies as both a source of risk and a way to manage risk.

As your organization embarks on its digital journey, we invite you to learn more about the evolving risk landscape and new opportunities to better manage risk.

Misalignment between an organization’s goals for digital transformation and employee values and behavior creates new culture risks.


The final topic we would like to address is digital ethics. Being more in tune with digital ethics and having plans and processes in place will also help organisations respond more effectively when an incident does occur.

Firms not only need processes in place to ensure that they are ready to respond quickly to address problems but also to fulfill their regulatory obligations by promptly disclosing any breach to the regulator as well as any impacted customers.

As part of their digital transformation efforts, organizations need to act responsibly and promote ethical use of technology.

They also need to have pre-established influencer relationships that they can leverage to counter any hysteria or misinformation which might arise that could interfere with their business or impact their brand.

Organisations with a culture that takes digital ethics seriously will behave in ways that minimise the risk of incidents and help build stakeholders’ trust. Those that don’t take digital ethics as seriously will not only be at higher risk of impact but will struggle to establish such trust.

Making data ethics a key corporate value can have a significant potential upside. Implementing data privacy policies and updating crisis management plans to address data breach scenarios will minimise any downside.

At the very least, engaging with influencers or cyber professionals/experts early can help you be better prepared to respond to calamities. By influencers we mean cybersecurity specialists who play a key role in securing information systems.

By monitoring, detecting, investigating, analyzing, and responding to security events, cybersecurity specialists protect systems from cybersecurity risks, threats, and vulnerabilities.

Taking their advice, or using them to independently assess or benchmark your data privacy policies and crisis management plans, can demonstrate best practice in these areas, which in turn can mitigate potential fines or legal exposure in the event of a calamity.

Your customers want you to take a stand on data security and privacy, and be transparent about it – seeing it as more important than either your diversity or sustainability efforts.

Each and every company, regardless of its industry, has weaknesses that hackers exploit for their own gain. Just because a business is small or not in a vertical often associated with valuable data (such as healthcare or financial services) doesn’t mean it won’t make an enticing target for an opportunistic cybercriminal.

In fact, there are a number of reasons why start-ups and small businesses are sometimes more likely than even big businesses to be targeted.

  • Customer Information: Even the smallest start-ups often store or handle customer data such as financial information, Social Security numbers, and transaction history.
  • Proprietary Data: Start-ups often carry innovative and creative ideas for products and services, as well as internal research data that could be valuable to outside parties.
  • Third-Party Vulnerabilities: Hackers also target small businesses and start-ups because they sometimes do business with larger companies as third-party vendors and can provide entry points into those more valuable networks. Target’s infamous 2013 credit card breach, for instance, happened because of vulnerabilities in a third-party vendor’s system.
  • Multiple Interfaces: Another reason for increased attacks is the growing use of Internet of Things (IoT) devices that increase the attack surface of networks. Small businesses are turning to IoT devices more often due to their lower costs and growing capabilities. Unfortunately, hackers often exploit poorly secured devices as a backdoor to access broader, more sensitive networks.
  • Lack of Finances: Since small businesses and start-ups are working on a tight budget, they don’t always place cybersecurity at the top of their priorities list and often neglect the latest patches and updates.

The power of digital technologies to enable new sources of revenue can be significant. Due to the proliferation of digital technologies and the particular ethical challenges they present, organizations are increasingly expected to consider ethical obligations, social responsibilities, and organizational values as guides to which digital opportunities to pursue and how to pursue them.

As discussed in the “Managing data risks for value creation” trend, responsible and unbiased collection, handling, use, and privacy are top areas for concern when it comes to data. Also, there are increasing calls for digital services that are fair and equitably accessible, promote physically and mentally healthful uses, encourage inclusion, and are geared toward socially beneficial uses.

Digital adopters want technologies that aren’t harmful or abusive and are safe and error-free. There’s an opportunity to do well by doing good—pursuing digitally responsible growth strategies that build stakeholder trust.

Finally, organizations are conscious that digital transformation involves more than technology adoption. It requires concerted efforts to define how enterprises organize, operate, and behave by aligning strategy, structures, processes, people, and technology to build a unique digital DNA.

Organizations can sidestep unnecessary risks and harness risk to power performance by adopting a risk lens and a holistic approach as part of their efforts. Below are a few guiding principles.

Conclusion: Boards can harness risk to power performance in a digital world, but only with a responsible Digital DNA and hopefully with the Digital Services Act (DSA) that will bring digital reform.

As Tom Golway, Chief Technologist in the Advanced R&D organization of Hewlett Packard Enterprise once said:

“The deeper, philosophical question is does the 1st Amendment apply to AI algorithms. Resolving this is an immediate challenge that needs open dialogue that includes a broad set of disciplines, not just technologists”

This article is the expressed opinions and collaboration between two senior-level industry board professionals on their views and perceptions on the subject matter:

MARIA PIENAAR
CTIO, Corporate Innovation, Digital Transformation, Investor Private Company Board Director & Advisor

Maria propels growth by speeding up discovery for companies whose leaders are frustrated by the slow pace of innovation.

Being a master networker, she extracts strategic value through tapping latent creativity of teams and customers and catalyzes partnerships with highly innovative organizations. Her diverse leadership roles in global 100 and startup companies enable her to see the end-to-end picture and plot the most effective course for designing, launching and scaling new products and services for companies, driving customer growth. Maria co-founded Blue Label Ventures, a Corporate VC focussing on investments in Digital Health, IOT, Cyber Security, Fintech (incl. InsurTech).

Previously she was CIO at Cell C, a challenger mobile carrier, and before that held various leadership roles in Business Development, Go-to-Market Strategy, Strategic Partner Management and Product Marketing for Lucent, Nokia, Vodafone, Globalstar and various startups. Maria holds a BSc in engineering.


Geoff Hudson-Searle is an independent non-executive director across regulation, technology and internet security, C-Suite executive on private and listed companies, and serial business advisor for growth-phase tech companies.

He has more than 30 years’ experience in international business and management. He is the author of five books and lectures at business forums, conferences and universities. He has been the focus of TEDx and RT Europe’s business documentary across various thought leadership topics and his authorisms.

Geoff is a member and fellow of the Institute of Directors; associate of The International Business Institute of Management; a co-founder and board member of the Neustar International Security Council (NISC); and a distinguished member of the Advisory Council for The Global Cyber Academy.

He holds a master’s degree in business administration. Rated by Agilience as a Top 250 Harvard Business School thought leader authority covering blogs and writing across ‘Strategic Management’ and ‘Management Consulting’, Geoff has worked on strategic growth, strategy, operations, finance, international development, growth and scale-up advisory programmes for the British Government, Citibank, Kaspersky, BT and Barclays among others.


Are corporate boards complacent with cyber risk?

Boards of directors have been working hard to fulfill their risk oversight responsibilities in a challenging environment. Regulations are changing rapidly in most industries, and vary significantly across countries.

Investors, analysts, and the public are demanding greater transparency into risk and risk management, as are creditors, counterparties, and other stakeholders. Many boards legitimately wonder not only what regulators want, but also which approaches to risk oversight actually work.

Deloitte set out to study a specific and very effective risk governance mechanism: board-level risk committees. This report revealed the prevalence of board-level risk committees (whether standalone committees focused solely on risk, or hybrid committees such as audit/risk) based on an analysis of 400 large public companies in eight countries.

In summary, these were some of the findings:
§ Board-level risk committees are well-established and widespread — present in 38% of the 400 companies analyzed. About a quarter (22%) have standalone board-level risk committees, while 16% oversee risk through hybrid board-level committees.
§ As might be expected, board-level risk committees are most prevalent in FSI companies (88%), but are also present in other industries (26%), often to a significant extent, depending on the country.
§ Local regulations affect risk oversight structures. Australia, Brazil, Mexico, Singapore, the UK, and the US have regulations that require risk committees at the board level for FSI companies (sometimes dependent on the type and size of the company).
§ Overall, 62% of all companies analyzed do not have a board-level risk committee. This largely reflects the lack of regulatory requirements for board-level risk committees in non-FSI companies in most countries.

Every week, a new data and security breach seems to be reported that appears to exceed previous breaches and hacks in scale. This year we are also seeing different uses for Distributed Denial-of-Service (DDoS) beyond simple volumetric attacks, including what we call quantum attacks.

Quantum attacks are relatively small and designed to bypass endpoint security and avoid triggering cloud failover mitigation.

These attacks are being used for scouting and reconnaissance. In a recent incident, Neustar stopped a quantum attack that never peaked over 300 Mbps, but it featured 15 different attack vectors, went on for 90 minutes, and involved all of Neustar’s globally distributed scrubbing centers.

This attack came from all over the world and was designed to bypass perimeter hardware, using protocols to circumvent their defenses. The attackers behind such campaigns may start small, but they can quickly add botnets, attack vectors, and ports to get what they want.

If it were measured as a country, cybercrime, which is predicted to inflict damages totaling $6 trillion USD globally in 2021, would be the world’s third-largest economy after the U.S. and China.

Cybersecurity Ventures expects global cybercrime costs to grow by 15 percent per year over the next five years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015.

This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, is exponentially larger than the damage inflicted from natural disasters in a year and will be more profitable than the global trade of all major illegal drugs combined.

The damage cost estimation is based on historical cybercrime figures including recent year-over-year growth, a dramatic increase in hostile nation-state-sponsored and organized crime gang hacking activities, and a cyberattack surface which will be an order of magnitude greater in 2025 than it is today.

Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.

Some breaches are more complex, such as the SolarWinds supply chain breach, and others less so, such as the recent global breach of Verkada, in which hacktivists exposed data from over 150,000 security cameras. Once again, the data breach was global in nature and exposed the security policy and process vulnerabilities these hackers are using to gain access to corporate data via root access.

Industry research has shown that hackers are active in corporate systems for an average of 8 months before they may do something or make themselves known. Over 76% of cyber risk is due to insider risk, involving collusion between hackers and corporate insiders. It is no longer just a “technical” hack.

What is root access? A root administrator, or gatekeeper, is a superuser account on a computer or network that has complete control over all aspects of the system or network. The root administrator can access all data and software, and can configure, delete and change software code in the systems or network.

One of the top risks identified in cybersecurity audits today is regulatory governance risk. It carries a legal requirement to be audited with respect to IT security, which makes audit and compliance metrics highly relevant and important.

Some examples include:

Audit and compliance metrics
➢ “Are we ISO-27001-compliant?”
➢ “Do we have a vendor risk management program?”
➢ “Do we have any outstanding high-risk findings open from our last audit or assessment?”
➢ “What percentage of the NIST framework are we implementing?”
➢ The NIST framework has roughly 80 questions associated with it. If a board member asks if you’re doing the NIST framework, you might say, “Today we’re doing 60% of it.”

Operational effectiveness metrics
➢ “How many intrusions were detected this year?”
➢ “How quickly are we detecting, investigating and remediating threats?”
➢ “How much have we spent this year?”
➢ “How many vulnerabilities were in our network and how quickly were they fixed?”
➢ “How many compromised systems did we have compared to last year?”
➢ “Has our risk profile changed?”
➢ “How did we compare to our peers across X time span?”

Knowing the best practices on how to present cybersecurity to the board is one thing but without substantive data, you won’t have a very compelling (or helpful) presentation.

The first thing you need to keep in mind regarding metrics is context. Board members likely don’t know what it means if you say that “500,000 intrusions hit the detection system.” You need to focus on being concise with your explanation and show them how the metric impacts the health of the company.

You’ll want to focus on showing metrics over time that reflect the management, or lack of management, of processes and policies for root admin passwords. In most cases, these processes are manual at best and there seems to be little appetite to implement additional security technologies that can dramatically reduce this risk.

IT organizations have become more fragmented in nature, especially where there are differing roles for Chief Digital-, Chief Information- and Chief Information Security Officers in organizations, each having responsibility for specific aspects of the overall technology stack of the corporation.

Unless there is a close collaboration between these roles, there will remain gaps in governance of access to data, systems and networks in corporations.

Take into consideration that a corporation is part of a business ecosystem of employees, contractors, 3rd party vendors and their contractors, resellers, partners and customers. All these parties require access to corporate data, systems and networks. The management of access and data security is no longer just contained to the closed “bubble” of a corporation and its employees alone.

The cyber strategy needs to incorporate this more complex supply chain risk and how to manage this across the business ecosystem. This is especially true for management of user access into these systems.

Very few companies have checks on when employees of vendors, 3rd party contractors and partners leave and need to be off-boarded from the corporate systems. The more manual these processes, the higher the risk that there will be dormant user credentials that hackers can exploit.

Where there is little appetite to spend more money in key IT security systems, the typical practice is to have the risk logged in the corporate’s risk register and key executives, and in some cases the board, to accept and sign off on the risk.

Another approach is to do more “training” in awareness of cyber risk and write more policies, which again is only an internal approach to the corporation and employees alone. Training tends to happen when new employees are onboarded, and perhaps retrained after yearly pen-testing.

Employees tend to step through training, which includes reviewing the policies, and then forget about it as soon as they have received the credits for the training. The more extensive the policies are, the less effective they are in having people follow and implement them.

There still seems to be a lot of complacency at board level in managing the cyber risk, or in some cases, this is non-existent at board level. The main driver is the perspective of an “insurance” approach of cyber risk management.

As long as there is an “insurance” cyber risk mindset, believing that a breach has not happened and we will “insure” the risk in case it happens, the corporate will remain at high risk when a breach happens. CISOs and/or CIOs are still missing at the board table, although this is changing. This leaves a gap in the understanding of cyber governance for the company at board level.

Don’t just leave the Cyber risk management up to the audit committee.

When cyber events happen, how do boards manage the challenges, cost and potential reputational risk?

Key steps boards can take to improve cyber governance, strategy and response to a major cyber event:
● Appoint third-party Cyber advisers as non-executive directors of the board.
● Appoint the CIO and/or CISO as members of the board
● Cybersecurity technology and services investment plan and strategy – ensure there is sufficient budget
● Establish a cyber business response plan
● Have a clear plan in place protecting the well-being and safety of employees
● Employee cyber safety reporting – especially where employees may be threatened and at risk
● Cyber incident and risk reporting as part of the monthly board agenda

Cyber risk can no longer be viewed as an “insurance” type of risk. The stakes are too high. The risk is no longer just relevant to your corporate, it involves managing the cyber risk as it relates to your full supply chain and business ecosystem.

The bottom line is that every board should periodically assess the risk oversight and governance needs of the organization and take whatever steps it deems necessary to address those needs. A board-level risk committee, whether standalone or hybrid, is one effective means of attaining the necessary visibility into risks and risk management and of exercising risk oversight. It is also one that most boards should at least consider.

Not long ago, a board of directors would meet once or twice a year to be briefed on cybersecurity, check the box, and move on. Cybersecurity was little more than an afterthought, and mostly a box-checking exercise for compliance or to make sure the bases were covered in the wake of a newsworthy event. With little technical understanding at the board level, many were happy to simply throw money at the problem and leave it to IT professionals to handle.

The Cyberspace Solarium Commission has an urgent message for the boardroom and C-suite executives: the status quo in cyberspace is unacceptable. This is spelled out in its groundbreaking 2020 report, which proposes a strategy of layered cyber deterrence to protect all U.S. businesses and governments from cybercrime and cyberwarfare.

Finally, we can all agree that over the course of 2020 global cyber threats have continued to evolve at speed, resulting in a dramatic reshaping of the cybersecurity landscape. Traditional threats such as generic Trojans, ransomware and spambots were transformed.

Every company should have a CISO or cybersecurity expert on their board because cybercrime is the greatest risk to business continuity that every company faces.

Cyber should be at the center of business strategy – not technical strategy only.

The idea we are describing is to put a senior cyber executive in the boardroom who will wave the red flag, challenge the severity of the risk and have the main and operational boards pay attention to it. You can no longer rely upon or expect the CEO to carry the competency of cyber risk for the business; including cyber experts on the board absolutely leads to better decisions on business risk.

The question is not whether you will be attacked; it is when, by what, and how badly your company’s reputation or finances will be damaged. You may already have been attacked, or have suffered a vulnerability breach, without your knowledge. And one thing is sure in the uncertain world of cybersecurity: the wrong time to consider defence is after the attack has occurred.

James Brien Comey Jr, an American lawyer who was the 7th director of the Federal Bureau of Investigation (FBI) famously once said: “We face cyber threats from state-sponsored hackers, hackers for hire, global cyber syndicates, and terrorists. They seek our state secrets, our trade secrets, our technology, and our ideas – things of incredible value to all of us. They seek to strike our critical infrastructure and to harm our economy.”

This article is the expressed opinions and collaboration between two senior-level industry board professionals on their views and perceptions on the subject matter:

MARIA PIENAAR
CTIO, Corporate Innovation, Digital Transformation, Investor Private Company Board Director & Advisor

Maria propels growth by speeding up discovery for companies whose leaders are frustrated by the slow pace of innovation.


Geoff Hudson-Searle is an independent non-executive director across regulation, technology and internet security, C-Suite executive on private and listed companies, and serial business advisor for growth-phase tech companies.


Sources:
Deloitte
Cybersecurity Ventures
CSC Research

Guest-blog: Deana Mitchell CMP DMCP discusses the importance of wellbeing and why good mental health matters

Deana Mitchell

The coronavirus COVID-19 pandemic is the defining global health crisis of our time and the greatest challenge we have faced since World War Two.

Since its emergence in Asia in 2019, the virus has spread to every continent except Antarctica.

But the pandemic is much more than a health crisis; it’s also an unprecedented socio-economic crisis.

Stressing every one of the countries it touches, it has the potential to create devastating social, economic, and political effects that will leave deep and longstanding scars.

Experts have predicted a “tsunami of psychiatric illness” in the aftermath of the COVID-19 pandemic. For such a large-scale event like the COVID-19 pandemic, the impact on mental health can be long-lasting.

The prevalence of common mental health disorders is expected to rise during the post-pandemic time as a result of the long-term effects of the pandemic, the restrictive measures such as social distancing and quarantine, and the socio-economic effects. This has implications for mental health services.

An inspired quote was shared with me recently ‘The darkest moments of our lives are not to be blurred or forgotten, rather they are a memory to be called upon for inspiration, to remind us of the unrelenting human spirit and our capacity to overcome the intolerable.’

People experience emotional disturbance, irritability, insomnia, depression, and post-traumatic stress symptoms immediately after the quarantine period. The long-term impact is considerable and wide-ranging including anxiety, anger, depression, post-traumatic stress symptoms, alcohol abuse, and behavioural changes such as avoiding crowded places and cautious hand washing. These psychological symptoms can last from several months up to three years after the quarantine period.

Social distancing could possibly lead to substantial increases in loneliness, anxiety, depression, domestic violence, child abuse, and substance abuse.

However, on a more positive note, COVID-19 has created opportunities for businesses to become more innovative. Facing external pressures, some business leaders are stepping out of their routines and comfort zones to become creative problem-solvers.

Along the way, they rediscovered their entrepreneurial spirit and provided us with a new sense of appreciation and gratefulness. It has offered us a new perspective on everything we have taken for granted for so long – our freedoms, leisure, connections, work, family, and friends. We have never questioned how life as we know it could be suddenly taken away from us.

Hopefully, when this crisis is over, we will exhibit new levels of gratitude. We have also learned to value and thank health workers who are at the frontline of this crisis, risking their lives every day by just showing up to their vital work. This sense of gratefulness can also help us develop our resilience and overcome the crisis in the long-term.

Today I have the distinct pleasure of introducing another Guest Blogger, Deana Mitchell CMP DMCP. Deana and I collaborated on a book, ‘God in Business’. I have the utmost respect for Deana and her work, and I know you will enjoy hearing her experiences and advice.

Deana Mitchell is an entrepreneur, mental health advocate, and co-author.

She started her entrepreneurial journey at the age of 14. Deana holds a Bachelor of Architecture degree from Louisiana State University and has enjoyed a three-decade career in the hospitality, meetings & events industry.

As the President of the newly formed company, Genius & Sanity, her mission is to help entrepreneurs and business owners reach their potential and thrive. The focus is to find the balance between career, success, and whole self-health.

In March of 2020, Deana founded the Realize Foundation, which is dedicated to creating awareness around mental health, specifically depression, anxiety, and suicide ideation. Deana is going to talk to us about the importance of wellbeing and ‘Why Good Mental Health Matters’.

Thank you, Geoff, it is a pleasure to collaborate with you on this important subject.

“I woke up in the hospital, realizing I was still alive…”

In May of 1997, I survived a suicide attempt. And then I spent 23 years hiding it from the world, and from myself. During those decades, instead of practicing self-care, I threw myself into work 24/7. I was used to being a workaholic, in fact, it was all I knew.

Growing up in a family of entrepreneurs, I had my first business at the age of fourteen. In 2010, I started a venture that grew into an award-winning seven-figure company.

All came to a screeching halt in March of 2020 with the rest of the world. I found myself with no work to keep my mind occupied and no travel to keep me moving. I was learning that work was my coping mechanism. I had to focus on something, or I was not OK.

What transpired in the next few months was life-changing. There was research, many conversations, networking, learning, self-reflection, and yes therapy. The result was becoming a different person and realizing my true calling in life. Let me explain…

You see, all those years I was constantly obsessed with climbing the ladder. Driven by proving myself to everyone and anyone around me, and all the while hiding the depression and anxiety that I dealt with on almost a daily basis.

The year of COVID taught me the absolute necessity of honesty and hard conversations. There is no true success in life without some sort of failure. If being successful was easy, whether personally or professionally, it would not have the same meaning to us. There is something to say about overcoming obstacles and working hard for something. It has a deeper meaning and is more fulfilling once you get there.

Without failures and hard times, success would feel empty. I believe that God uses all the tough awful stuff in our lives for growth. Once we have experienced the bad, we can use it for good. In order for that to work, we must be willing to look inside ourselves and process the things we survive. Without self-reflection, we cannot truly be our authentic and best selves.

First, we must get honest with ourselves. I mean, really honest. In order to get there, we have to spend time alone and quiet. You must find what works for you: journaling, meditation, praying, being out in nature, listening to music… there is no right answer as everyone is different. The key is to truly connect with yourself, reflect on your life and discover the kid inside. This can be painful and freeing at the same time.

Try talking to yourself in the mirror. I have a friend that hosted a self-care challenge recently and she told us to get in front of the mirror and say, “I promise to take care of you mentally and physically every day”. I got the first two words out before the tears streamed down my face. I realized I had not taken care of myself physically or mentally in decades, possibly my entire life. I felt like a fraud.

For me, after 23 years of silence on this front, it was difficult to even remember all that I had been hiding. I am not going to lie, it was hard and there were lots of tears, but in the end, it has been more valuable than I can explain.

Talking heart to heart with old friends from childhood and college gave me the sense of the person I had lost along the way. Asking them how they remembered me, helped me find myself again. I decided how I wanted to show up in the world moving forward and I am not ashamed of my past anymore. My identity was not the career I had built, although that was the person people knew for decades.

We must look inside to understand the shortfalls and disappointments we have experienced. The wisdom you glean from being honest with yourself is immeasurable. It is freeing. Then you get to decide what to do with that information.

It will change you. Are you feeling stuck, stressed, overwhelmed, stretched thin, and exhausted? Self-reflection and a custom plan of self-care can indeed change you into a happy, healthy, productive, rested, balanced person. It is a process, so be patient with yourself.

Next, we must get honest with the people closest to us. These conversations are hard, but I promise they will bring so much clarity and understanding. Preparing for these conversations is key.

Make sure you tell your loved one or friend that you need to have a serious conversation about something especially important to you. Make the time and space that you both need to make it productive. You cannot just schedule this as an hour in your calendar; it may need to be a whole day.

This works personally and professionally on different levels, but the person you are approaching needs context to understand what they are walking into, so they are ready, open to hearing what you want to tell them and not blindsided.

Think about the annual review you receive from your boss. You must mentally prepare for that conversation. Usually, even the criticism is constructive once you have time to digest and reflect on it. That information is painful at first but makes you stronger and better for it in the long run.

In my situation, I have the most loving supportive husband anyone could ask for, but he does not understand how my brain works. To be truthful, most of the time I do not understand how my brain works! Communication is key for him to help me get through. In the past, I hid it all. I traveled so much that it was easy to not let anyone in.

We can only hold it in and ‘go it alone’ for so long. There are people in our lives that care about us. If they knew what you were going through, they would do whatever they could to be supportive.

Having hard conversations does not end with your family and friends. It can be a business partner, employees, audiences that you speak to, or your followers on social media. If you start these conversations, they will have a ripple effect and help people in your various communities do the same.

Why do you do what you do? Does it make you happy? Do you enjoy your daily routine? I am not talking about what the people around you want you to do… or what you do to make others happy. This is not about why you make the world, or your industry better. But why do you do what you do? What is your passion? What makes you come alive? What is your life’s mission? Your true calling?

If you would have asked me those questions a year ago, I would have said I loved what I was doing. I had a wonderful husband and family, a successful business, an amazing team, and I enjoyed a plethora of colleagues all over the world. I served on several boards and was traveling all the time. It appeared that I had everything.

With the understanding I have gained over the last 10 months, the reality is that I was keeping up the appearance, so everyone saw what I just explained. But for me, I was exhausted, stressed, anxious and there was no end in sight. I was never home to spend time with the person in the world who loved me most.

The gift for me was understanding how life changes when you find your why. I lost a 20-year friend to suicide and knew at that moment I had to do something about it. That I needed to use my story to save others from the same plight. My silence did not help my friend, but the hard conversation may have.

When you understand your true calling in life and reach for it with everything you’ve got, your perception of yourself and the world changes for the better.

We all feel afraid, powerless, and alone at some point in our life. Whether it is a sick loved one or keeping our business afloat. Give yourself some grace, the world needs more kindness.

You matter, you are worth it, and you are not alone.

You can contact Deana Mitchell via the following websites and social links:

www.deanabrownmitchell.com

LinkedIn – Deana (Brown) Mitchell, CMP DMCP
Facebook – @GenuisandSanity
Instagram – @geniusandsanity
Twitter – @GeniusandSanity

Foundation – www.realizefoundation.org

The four Intelligences: IQ, EI, SI, DI and why we need Wisdom Intelligence (WI)

I recently had a very in-depth philosophical discussion with a good friend and associate, Douglas. This was a fascinating discussion, one that could have easily progressed through the day and not the hour.
Emotional intelligence (EQ) is the “something” in each of us that is a bit intangible. It affects how we manage behaviour, navigate social complexities, and make personal decisions that achieve positive results. Emotional intelligence is your ability to recognize and understand emotions in yourself and others, and your ability to use this awareness to manage your behaviour and relationships.

I have written on the subject of the balance between IQ vs EI and more recently ‘why emotional intelligence is leadership, team spirit and company culture’ and Emotional Intelligence and Your Survival through the 4th Industrial Revolution.

Decades of research now point to emotional intelligence as the critical factor that sets star performers apart from the rest of the pack. It’s a powerful way to focus your energy in one direction with a tremendous result. TalentSmart tested emotional intelligence alongside 33 other important workplace skills, and found that emotional intelligence is the strongest predictor of performance, explaining a full 58% of success in all types of jobs.

Of all the people I have studied at work, I found that 90% of top performers are also high in emotional intelligence. On the flip side, just 20% of bottom performers are high in emotional intelligence. You can be a top performer without emotional intelligence, but the chances are slim.

The WEF (World Economic Forum) published a report, Future of Work 2020-2030. It is no big surprise that, in the skills categories, EI was identified as one of the key categories of skills to save your job in the decade.

The questions I am sure you are thinking:
1. What is Emotional Intelligence (EI) and why does it matter?
2. What is Intelligence Quotient (IQ) and why does it matter?
3. What is Spiritual Intelligence (SI) and why does it matter?
4. Is there a significant relationship between EI and SI?
5. What is Decency Intelligence (DI)?
6. How does Wisdom Intelligence (WI) have a place in society?

It is clear that today’s executives are more diverse in terms of their wellbeing, age, culture, nationality and several other factors.

EI is the ability to sense, understand and effectively apply the power and acumen of emotions as a source of human energy, information, connection and influence.
SI is the set of abilities that individuals use to apply, manifest and embody spiritual resources, values and qualities in ways that enhance their daily functioning and wellbeing.
With both these intelligences present in the workplace, the environment will be more conducive. A better working environment relates to a higher level of productivity and to both individual and organizational wellbeing.

Intelligence quotient (IQ)
Total score derived from a set of standardized tests or subtests designed to assess human intelligence. The abbreviation “IQ” was coined by the psychologist William Stern for the German term Intelligenzquotient, his term for a scoring method for intelligence tests at the University of Breslau he advocated in a 1912 book.

Historically, IQ was a score obtained by dividing a person’s mental age score, obtained by administering an intelligence test, by the person’s chronological age, both expressed in terms of years and months.

The resulting fraction (quotient) is multiplied by 100 to obtain the IQ score. For modern IQ tests, the median raw score of the norming sample is defined as IQ 100 and scores each standard deviation (SD) up or down are defined as 15 IQ points greater or less. By this definition, approximately two-thirds of the population scores are between IQ 85 and IQ 115. About 2.5 percent of the population scores above 130, and 2.5 percent below 70.

If you take an IQ test, you will be presented with questions to assess the following competence:
• spatial ability, a person’s capacity to visualise space and shapes
• mathematical ability, how a person uses logic in solving problems
• language ability, the recognition of meaning from incomplete sentences and jumbled letters
• memory ability, how a person recalls information

Emotional Intelligence (EI)
Daniel Goleman, in 1998, defined emotional intelligence as ‘the capacity to recognize our own feelings and those of others, for motivating ourselves, and for managing emotions well in ourselves and in our relationships.’ EI is essential for the accomplishment of day-to-day objectives of life, which is a challenge to everyone. EI is increasingly relevant to organizational development and developing people because EI provides a new way to understand and assess people’s behaviours, management styles, attitudes, interpersonal skills, and potential.

EI is an important consideration in human resources planning, job profiling, recruitment interviewing and selection, management development, customer relations and customer service, and more. EI determines the potential for learning practical skills viz. personal skills and social skills. These skills lead to superior performance at work which is based on the five elements: self-awareness, motivation, self-regulation, empathy, and adeptness in relationships.

Spiritual Intelligence is the ability to act with wisdom and compassion, while maintaining inner and outer peace, regardless of the circumstances. Spiritual intelligence is the way we assign meaning and feel connected to a power larger than ourselves.

It has been identified as a key component of leadership by bestselling business author Stephen (2004), who observes that Spiritual Intelligence is the central and most fundamental of all the intelligences, because it becomes the source of guidance for others. Spiritual intelligence is one of the several types of intelligence that can be developed independently and contributes to psychological wellbeing and overall healthy human development (Vaughan, 2003).

The four components of spiritual intelligence are critical existential thinking, personal meaning production, transcendental awareness and conscious state expansion.
Critical existential thinking is best described as the capacity of an individual to critically contemplate meaning, purpose, and other existential/metaphysical issues; to come to original existential conclusions or philosophies; and to contemplate non-existential issues in relation to one’s existence. An ability to derive personal meaning and purpose from all physical and mental experiences, including the capacity to create and master a life purpose, is regarded as personal meaning production.

Transcendental awareness is the capacity to identify transcendent dimensions/patterns of the self, of others, and of the physical world during normal states of consciousness, accompanied by the capacity to identify their relationship to one’s self and to the physical world. Conscious State Expansion is defined as an ability to enter and exit higher/spiritual states of consciousness at one’s own discretion.

Decency quotient (DI)
Bill Boulding, dean of Duke University’s Fuqua School of Business, says that DI goes a step further than EI and IQ and combines SI. DQ means that a leader has a genuine desire to do the right thing for employees and colleagues. DQ means wanting something positive for everyone in the workplace and ensuring everyone feels respected and valued. DQ is evident in a manager’s daily interactions with others, as well as in setting goals for the company that meet fiscal objectives and improve lives. DQ implies your focus is on doing right by others.

Decency quotient has to start at the top. It’s essential that leaders and managers model this type of behaviour more than ever, because outside forces of polarization are working against us. The world feels like an ugly place for many people. It’s impossible for employees to check their feelings at the door, and naïve to think they can.

Leaders with DQ will better navigate what’s bleeding in from outside the office to instil a sense of common purpose and shared values at work. Employees will know the leader always has their best interest at heart. People want to work for decent people, and they will give those leaders their best. Decency is at its core a moral obligation, but it can also be key to a winning business strategy.

If business becomes intentional about decency, it can become the healing force our world so badly needs. It can be the model for how people who are very different come together to work with common purpose. It can demonstrate respect and caring that transcends difference and polarization. It can solve some of the world’s toughest problems by uniting people to find solutions.

Wisdom Intelligence
If you were to look up the word wisdom in the dictionary, you would find a simple definition: a person’s ability to act sensibly, reasonably, and correctly. Of course, that raises some questions. Doesn’t intelligence give you the ability to act reasonably in day-to-day life? Surely a high IQ guarantees the power to make good decisions?

“The only true wisdom is in knowing you know nothing.”
-Socrates-

Of course, it can, but there are also different types of intelligence. A brilliant person’s success might be influenced by their personality and maturity, as well as their own ability to care for their own well-being and that of others.

Well, intelligence and wisdom need to be broken down and analyzed to gain a clearer and useful understanding. We have to recognize what’s really important. Beyond a high IQ, becoming exceptionally wise and developing clear values that go beyond cognitive or emotional reasoning is imperative.

It is very strange to know that universities and professors around the world have just started studying the difference between intelligence and wisdom. The concept of wisdom has often been associated with philosophical or spiritual disciplines. It was considered something that the great Greek masters or Buddhist monks studied.

However, a few psychologists investigated wisdom in the last few decades. These studies, like the one led by two University of California psychiatrists, Dr. Dilip V. Jeste and Dr. Thomas W. Meeks, uncovered quite a few interesting ideas.

Some of the findings:
Exploring minds say that ‘Wisdom’ doesn’t come from personal experience.

This important idea creates a common myth. Many people think that experience grants wisdom. However, there’s not a strong and direct association between the length of someone’s life and how wise they are. This quality doesn’t always naturally come with age.

Moreover, many researchers in the fields of psychology and sociology are trying to understand the social, emotional, and cognitive processes that transform experience into wisdom. There are many other mediating variables between the two, such as the ability to reflect on one’s actions. That ability may have created the experience/wisdom myth in the first place.

Intelligence makes you more efficient and competent

Intelligent people are efficient and have high standards. Because of this, they may get frustrated when things don’t meet their expectations. They are often goal-orientated and seek concrete results.

This viewpoint can often make them anxious. This is because people with high IQs often have poor tolerance for uncertainty. That’s precisely what sets them apart from wise people. Wise people are better able to accept the unexpected and unplanned. They know how to step back and take a patient, relaxed, and insightful look at reality.

Wise people make better decisions

Of course, there are huge individual differences between people with a high IQ. While some make reasonable, responsible decisions, others might get carried away by goals and statistics, failing to take other factors into account.

However, if there’s one clear difference between people with high intelligence or deep wisdom, it’s that the second group is often more open-minded. This is because wisdom is more than just factual knowledge. Wise people have experience, are able to reason clearly, and are able to accept life’s ups and downs.

Wise people are also usually more cognizant of how situations develop over time, which helps them stay balanced.

High intelligence can be used for noble ends or, on the contrary, to manipulate, conspire, betray, or create sophisticated plans for bad reasons. However, people also use their intelligence for unselfish and noble purposes.

Wisdom, on the other hand, is connected to an authentic sense of goodness. The word itself has connotations of goodness, humanity, and a sense of spirituality that inspires others to do good as well.

There’s one more interesting difference between intelligence and wisdom. Wisdom almost always gives you a more positive view of life, your situation, and other people. This hopeful yet resolute attitude is related to the factors mentioned above, and to kindness. Looking at a situation with wisdom can give us the energy and the motivation to move forward.

At this point, you may ask yourself which is better, being very intelligent or very wise. But neither quality is better than the other. There are plenty of wise, successful people who might not be very intelligent. However, they’re still happy and effective in their day to day life.

Therefore, aspire (as much as possible) to have both qualities. Train your cognitive abilities, improve in emotional intelligence, and integrate each experience to form a more reasonable, relaxed, and optimistic perspective.

Final thought: wisdom is the art of knowing what really matters and making good decisions to improve our own well-being and, more importantly, that of others. There lies the real key.

The quest for wisdom is an age-old effort. It’s one many have recommended.

It’s been said to be as useful for finding inner contentment as it is for fueling external successes. It’s a more prudent way of interacting with reality.

While not everyone’s definition of wisdom is the same, it doesn’t seem too far-fetched to distinguish it by a mode of deeper understanding, one that goes beyond just the knowing we commonly associate with the range of intelligences: IQ, EI, SI, DI.

When we think of the acquisition of intelligence, we think of new information inspired by a perspective-shift that tells us a truth about one aspect of reality.

Wisdom goes further than that. It strips that same information down to its essence so that it can relate the underlying principle of that knowledge to the existing information network that exists in the mind.

It’s the connectedness of this network that separates it from mere intelligence.

The more links between each pocket of information, the more valuable the whole network will be when tackling any other problem. It adds an extra dimension to each mental model contained in the mind.

Simply knowing this doesn’t make a person more equipped to soak in wisdom, but with awareness and practice, new thinking patterns and imagination can be created.

The great Aristotle once stated when discussing Metaphysics:

“It is the mark of an educated mind to be able to entertain a thought without accepting it.”

Purpose and Trust; Why we need to listen. Why we need to act.

Today’s business environment is being profoundly disrupted. Volatile markets, rapid technological advances and unexpected sources of competition are ingredients in a boiling, roiling stew of threats and opportunities, and leaders the world over are struggling to navigate this shifting landscape. Transformation is not enough. Transcendence is the new game.

You can question: do purpose and trust matter?

To answer that question in brief: it only matters if it is implemented in conjunction with clear, concise direction from top management and in such a way that the middle layer within the company is fully engaged. Even after the company is fully aligned behind a compelling purpose, leaders must continue to reinforce it from the top. You can’t just adopt it. It has to be driven, operationally and in-depth, by the CEO and the top leadership team.

A discussion and running theme that seems to be on every leadership and executive director’s mind, is ‘what is required to be an effective leader in today’s totally disruptive business world’?

Businesses of all sizes in all regions of the world are responding to a vision and set of common values across purpose and trust. Companies have reported purpose and regaining trust as a new guiding star for a world in constant change, in an interconnected operating environment that businesses face.

To distil purpose more equally throughout the companies, many firms are considering hiring chief purpose officers. Shannon Schuyler, newly hired first chief purpose officer at PwC, defines the role as, “how you connect purpose to an individual so they know what they need to do in their roles and how do you help them see personally how they connect with values and behaviours.”

The timing could not be more urgent. The world is facing a complicated web of multidimensional, interconnected systemic challenges that continue to rise.

When you ask employees what matters most to them, feeling respected by superiors often tops the list. In a recent survey by Georgetown University’s Christine Porath of nearly 20,000 employees worldwide, respondents ranked respect as the most important leadership behaviour. Yet employees report more disrespectful and uncivil behaviour each year.

The challenge is finding the right balance between the two types of respect. Owed respect without earned respect can deflate employees, who will sense that their efforts won’t be recognized or rewarded, while a focus on teamwork may, however, warrant more owed respect as a bonding tool.

A survey carried out by DataPad for International Business and Executive Management as part of some research for one of my published books, Purposeful Discussions, shows that few of us trust our leaders.

Of those who responded to the question “Do you trust and respect your CEO?”, 30% responded “not at all” and another 39% responded “a little”.

The survey asked employees the same question on ‘trust and respect’ in relation to their Executive Leadership, Heads of Department and their immediate line managers. The closer the manager’s role was to the respondent, the more likely it was for the employee to answer positively.

Immediate managers were trusted “a lot” by 48% of those who responded and “a little” by 36%. 16% of immediate managers are not trusted at all.

We all live and work in an era of increasing connectivity and public scrutiny: a world where societies are being reshaped and businesses disrupted by powerful global trends.

The changes driven by these trends – both alone and acting together – bring major implications for trust.

PwC in their 23rd global CEO survey showed that CEOs are putting significant emphasis on their broader purpose and culture, as issues such as sustainability, diversity and wellbeing have become business-critical.

With skills a priority, it is essential CEOs promote a company culture that complements their recruitment and retention plans by helping them attract, retain and nurture the people they have and the talent they need.

UK CEOs show a commitment to issues such as diversity and inclusion and recognising the importance of wellbeing in the workplace. Addressing such issues not only demonstrates a commitment to workplace equality, but also reflects a growing recognition that greater diversity can improve decision-making.

However, it is surprising given the attention this matter has been getting that a significant proportion of businesses are yet to really focus on this issue.

To succeed in this fast-changing environment, businesses need to have a clear purpose that enables people to understand why a business does what it does. This purpose needs to look beyond the generation of financial returns to encapsulate how the business serves society.

Articulating – and embracing – such a purpose has never been more important. Why? Because today, in the wake of events that shook people’s trust in organisations of all types, attitudes and expectations of business are undergoing fundamental shifts. Having a shared recognition and understanding of why a business exists is key to bridging the trust deficit and shaping a new relationship between business and wider society.

When trust disappears, many things can change. Businesses can go on the defensive, and stop communicating, collaborating and innovating. And that’s just the start. Customer loyalty may diminish; it may get harder to attract, retain and motivate talented staff; regulation may increase, adding cost and effort for everyone; and businesses may lose their license to be listened to.

Together, all these factors can dampen growth, creating quantifiable impacts on share price, cost of capital and liquidity. The effects on morale, innovation and behaviour are harder to measure but potentially even more damaging in the long term.

Jaron Lanier is one of the most celebrated pioneers of digital innovation in the world, and also one of the earliest and most prescient critics of its current trajectory. Jaron is author of 2018’s ‘Ten Arguments for Deleting Your Social Media Accounts Right Now’, which is as clear and definitive an account of the damage companies like Twitter and Facebook and Google do to society and to our individual psyches as you’ll ever read.

The book felt relevant again right now, I said, in a way that made my bones actually vibrate. Lanier had been early to the idea that these platforms were addictive and even harmful—that their algorithms made people feel bad, divided them against one another, and actually changed who they were, in an insidious and threatening manner. That because of this, social media was in some ways “worse than cigarettes,” as Lanier put it at one point, “in that cigarettes don’t degrade you. They kill you, but you’re still you.”

His most dispiriting observations are those about what social media does to politics – biased, “not towards the left or right, but downwards”. If triggering emotions is the highest prize, and negative emotions are easier to trigger, how could social media not make you sad?

If your consumption of content is tailored by near limitless observations harvested about people like you, how could your universe not collapse into the partial depiction of reality that people like you also enjoy? How could empathy and respect for difference thrive in this environment? Where’s the incentive to stamp out fake accounts, fake news, paid troll armies, dyspeptic bots?

Right now, Lanier said, most of the systems on the internet are set up to exploit us, to harvest our creative ideas and our data without compensation. That the prevailing attitude in Silicon Valley is basically: “There’s no reason for you to know what your data means, how it might be used, you can’t contribute, we don’t know who you are, we don’t want to know you, you’re worthless, you’re not going to get paid, it’s only valuable once we aggregate it but you know nothing, you will know nothing, you’re in the dark, you’re useless, you’re hopeless, you’re nothing.”

Leaders today are constantly in the spotlight and are often called upon to earn authority without control. Economic and social change demands leadership by consent rather than by control. What we perceive as good leadership tends to be created by leaders, followers, and the context and purpose of the organisation, thus it is a collective rather than individual responsibility.

Trust is a key ingredient of successful leadership. Trusted leaders are the guardians of the values of the organisation. Trust can release the energy of people and enlarge the human and intellectual capital of employees. In a trusting environment when we are committed to our shared purpose we play active roles both as leaders and as followers.

We talk a lot about trust these days because it tends to be a precious and scarce resource.

You could question the term empathetic leadership. Empathetic leaders listen attentively to what you’re telling them, putting their complete focus on the person in front of them and not getting easily distracted. They spend more time listening than talking because they want to understand the difficulties others face, all of which helps to give those around them the feeling of being heard and recognized.

Empathetic executives and managers realize that the bottom line of any business is only reached through and with people. Therefore, they have an attitude of openness towards and understanding of the feelings and emotions of their team members.

When we listen to the emerging needs of the workplace we step into the most relevant and useful roles and make relevant and valuable contributions both when leading and when following. Members of organisations who are sensitive to people’s reactions trust themselves and each other. They build and nurture trusting relationships and allow the future to emerge organically.

No heroic leader can resolve the complex challenges we face today. To address the important issues of our time we need a fundamental change of perspective. We need to start questioning many of our taken for granted assumptions about our business and social environments.

Leaders serve as role models for their followers and demonstrate the behavioural boundaries set within an organisation. The appropriate and desired behaviour is reinforced through culture and the socialisation process of newcomers. Employees learn about values from watching leaders in action. The more the leader “walks the talk”, by translating internalized values into action, the higher the level of trust and respect he generates from followers.

Final thought: to help bridge the trust gap we recognise that organisations need to work with each other and with wider society to identify practicable, actionable steps that businesses can take to shape a new relationship with wider society: a new ‘settlement’ based on mutual understanding and a shared recognition of the positive role that business plays in people’s lives.

To create such a settlement, businesses need to see themselves as part of a diverse, interconnected and interdependent ecosystem – one that involves government, regulators, individual citizens and more. Trust within and across this ecosystem is key to its long-term sustainability and survival. That’s why trust needs to be restored to the heart of the business world.

As Stephen M.R. Covey once said:

“Contrary to what most people believe, trust is not some soft, illusive quality that you either have or you don’t; rather, trust is a pragmatic, tangible, actionable asset that you can create.”

Why a Resilient Organisation is… Team Leadership

There are just a few elemental forces that hold our world together. The one that’s the glue of society is called trust. Its presence cements relationships by allowing people to live and work together, feel safe and belong to a group.

Trust in a leader allows organisations and communities to flourish, while the absence of trust can cause fragmentation, conflict and even war. That’s why we need to trust our leaders, our family members, our friends and our co-workers, albeit in different ways.

In 2020, resilient leadership has been tested in the extreme, and the challenges continue. As I write this, many countries around the globe are contending with the resurgence of COVID-19 and the prospect of continued, new, and extended lockdowns—against a backdrop of social, political, and economic upheaval that makes the terrain even harder to navigate.

Challenges for leaders won’t end with a COVID-19 vaccine. Underlying societal issues that have long been simmering below the surface are raising questions and imperatives that will last long after the pandemic ends. The implicit social contract between institutions and stakeholders is rightfully being questioned.

We are in an era of unprecedented need for leadership to step up. Rapid, disruptive change is today’s normal. To cope, leaders need to be agile and resilient. For years, the focus has been on speed and agility. But globalisation, technology and social-political changes are disruptive. They require resilient leaders, emotionally intelligent people able to absorb complex change and help others move forward to achieve success.

Resilient organisations have sound leadership at all levels and strong cultures founded on trust, accountability, and agility. They have a foundation of meaningful core values that all members of the team believe deeply in and a sense of team unity beyond what you find in many organizations. They also have a tendency to show consistent and better-than-average profitability year after year.

Resilient leaders are well-prepared for change. Regardless of the type or magnitude of the transformation an organisation is facing, one of the ultimate goals is to prepare the company for long-term strength and agility – a core function of leadership and management in the 21st century. The goal is not to simply navigate today’s needed changes but also to create a resilient organization poised for more change. A team that is ready for the next battle – whenever that may be.

In a previous life, I spent time with Navy SEAL Teams 3 and 6. Their mantra is clear: ‘I serve with honour on and off the battlefield. The ability to control my emotions and my actions, regardless of circumstance, sets me apart from other men. Uncompromising integrity is my standard. My character and honour are steadfast. My word is my bond.’

I am not saying all business leaders need to be trained by special forces, but the lessons for survival are transferable to business. Below I have listed the ultimate Navy SEAL guide to exceptional success and achievement – combining the key advice from some of the most storied and prolific members of this elite force. Learn their lessons, follow their lead – and you’ll find you’re more likely to succeed.

1. Develop mental toughness.
Roughly 75 percent of people who make it into the initial six-month SEAL training course, known as Basic Underwater Demolitions/SEAL Training (BUDS), wind up washing out. In his book, Navy Seal Training Guide: Mental Toughness, author Lars Draeger says there are four pillars of mental toughness: goal-setting, mental visualization, positive self-talk, and arousal control. We’ll tackle them in turn.

2. Set (and achieve) micro-goals.
SEALs, according to Draeger, learn to focus on one thing at a time, avoiding all distractions. They do that by determining the overall objective, breaking it down into smaller pieces, and repeating as needed until they get to minute-by-minute pieces. That’s the kind of planning that allowed Navy SEALs to capture and kill Bin Laden and also the same kind of strategy that can help you achieve your goals.

3. Visualize success (and overcoming failure).
During SEALs training, there’s an exercise in which students are required to accomplish a series of difficult tasks…
underwater…
while wearing SCUBA gear…
while instructors attack them and try to destroy their equipment and keep them from breathing.

Become flustered, and you fail. So, the successful ones learn to visualize ahead of time how they’ll handle each calamity. As the folks at Examined Existence wrote:

Navy psychologists discovered that those who did well and passed the exercise the first time used mental imagery to prepare them for the exercise. They imagine themselves going through the various corrective actions and they imagine doing it while being attacked. Once the exercise (and the attack) happens, the mind is ready and the [SEAL] is in full control of their physical and mental faculties.

4. Convince yourself you can do it.
As entrepreneurs, how many times do we hear that you should fake it until you make it? That’s part of how you get through SEALs training, apparently. The folks from Examined Existence summed it up thusly:
Those who graduate from BUDS block all negative self-talk … and … constantly motivate themselves to keep going. … They remind themselves that they should be able to pass no problem because they are more physically fit than their predecessors. They remind themselves to go on and not quit, no matter what.

5. Control your arousal.
Arousal. Heh-heh. We’re talking here about all kinds of sensual distractions – thinking about the lost love back home, or the things they could be doing besides training, or even the warm bed they had to leave in order to go through the day’s training.

Once more, Examined Existence:
When our bodies feel overwhelmed or in danger, [we] release … cortisol and endorphins. These chemicals … cause our palms to sweat, our minds to race, our hearts to pound, and our bodily functions to malfunction. This is the body’s natural response to stress, developed over millions of years of human evolution. But SEALS learn to control this natural response to arousal so that they are poised even under the most stressful of circumstances.

6. Be aware.
The next two are pretty basic, but I guess if you’re a Navy SEAL, it’s why they work. If you want to be in a position to overcome danger, be aware of your surroundings.

So, few other people pay attention to their surroundings anymore. In fact, I should take a photo of the slow-moving people I see on the subway each morning, immediately and obliviously checking their devices as they get off the train.

“Get your head out of your phone. … Just look up,” former Navy SEAL Dom Raso told TheBlaze. “It’s just a very, very simple thing to do and no one does it anymore, and it’s really scary.”

7. Avoid bad stuff.
This one also is obvious – so much so that former Navy SEAL Raso seems pretty upset that others don’t do it. And it goes against the uninitiated, who might believe that a Navy SEAL’s first reaction is always to fight.

“Avoid, avoid, avoid,” he said. “I want to avoid any [bad] situation before it happens.”

8. Practice humility.
Given that last bit of advice, the next one makes sense. Success as a Navy SEAL leader means recognizing that you’re not the solution to every problem. Fail to recognize that, and you’re likely to flat-out fail.

“What it has to do with is the fact that the person is not humble enough to accept responsibility when things go wrong, accept that there might be better ways to do things, and they just have a closed mind,” says Jocko Willink, coauthor of Extreme Ownership: How U.S. Navy SEALs Lead and Win. “They can’t change, and that’s what makes a person fail as a leader.”

As his co-author, Leif Babin, added: “No leader has it all figured out. You can’t rely on yourself. You’ve got to rely on other people, so you’ve got to ask for help, you’ve got to empower the team, and you’ve got to accept constructive criticism.”

9. Find your three mentors.
Tim Ferriss, author of ‘The Four-Hour Work Week’ among other giant mega-bestsellers, interviewed General Stanley McChrystal, along with McChrystal’s aide, former Navy SEAL officer Chris Fussell, who offered him some key advice:

You should always have three people that you’re paying attention to within your organization:
– Someone senior who you would like to emulate
– A peer who you think is better at the job than you are
– A subordinate who is doing your previous job better than you did

“If you just have those three individuals that you’re constantly measuring yourself off of and who you’re constantly learning from,” Fussell said, “you’re gonna be exponentially better than you are.”

10. Do small things right.
The last items on this list come from a speech that Admiral William McRaven, a Navy SEAL commander who was in charge of the raid that killed Bin Laden, gave in Texas last year.
His first commandment – a fairly famous one, in fact – is that you should make your bed in the morning.

Why? Because if you do that, “it will give you a small sense of pride and it will encourage you to do another task and another and another. By the end of the day, that one task completed will have turned into many tasks completed. Making your bed will also reinforce the fact that little things in life matter.”

11. Be smart about assessing others.
Next up: Don’t adopt others’ knee-jerk assessments. McRaven talked about being in SEAL training and reflecting on a crew of physically small classmates, none of whom was more than five-feet-five.
“The big men in the other boat crews would always make good-natured fun of the tiny little flippers the munchkins put on their tiny little feet prior to every swim,” he said. “But somehow these little guys, from every corner of the Nation and the world, always had the last laugh – swimming faster than everyone and reaching the shore long before the rest of us. SEAL training was a great equalizer.”

12. Suck it up.
This is probably the part of military training that people who’ve never gone through military training think of–the part they’ve seen in the movies where sadistic drill instructors put you through hell. McRaven talks about a punishment during SEAL training known as a “sugar cookie.”

The student had to run, fully clothed into the surf zone and then, wet from head to toe, roll around on the beach until every part of your body was covered with sand. … You stayed in that uniform the rest of the day – cold, wet and sandy.

The point of that training? To learn that when you’re uncomfortable and discouraged, sometimes you just have to suck it up and get through it.

13. Sometimes, go head first.
Another McRaven story. The record for going through the SEAL obstacle course in the fastest time had stood for years. One of the trickiest parts was to maneuver yourself safely but quickly into a rope obstacle known as the slide for life.

The record seemed unbeatable, until one day, a student decided to go down the slide for life–head first. Instead of swinging his body underneath the rope and inching his way down, he bravely mounted the TOP of the rope and thrust himself forward.

It was a dangerous move–seemingly foolish, and fraught with risk. Failure could mean injury and being dropped from the training. Without hesitation–the student slid down the rope–perilously fast. Instead of several minutes, it only took him half that time and by the end of the course, he had broken the record.

The point? It’s the same in business and in any facet of life. Sometimes if you want to excel, you simply have to accept the risks and dive in anyway.

14. Take on the sharks.
Long before the television show, Navy SEALs learned to be afraid of sharks. There’s a part of their training when they have to swim in the waters off of San Clemente, California, which they are told is a breeding ground for sharks.

But you are also taught that if a shark begins to circle your position–stand your ground. Do not swim away. Do not act afraid. And if the shark, hungry for a midnight snack, darts towards you–then summon up all your strength and punch him in the snout and he will turn and swim away.

This is the story of life. Bandits and bullies are all around. Usually, the only way to beat them is to take them head-on.

15. Identify the moment that matters.
One of the keys to success is consistency – but of course, we all know that there are some moments that simply matter more than others. One of the toughest during SEAL training involves training to attack an enemy ship – by swimming two miles alone underwater and, in the dark, approaching it from below.

“The steel structure of the ship blocks the moonlight – it blocks the surrounding street lamps – it blocks all ambient light,” McRaven explained. “To be successful in your mission, you have to swim under the ship and find the keel – the centre line and the deepest part of the ship.”

The “darkest part of the mission” is the hardest – and the most important. We all have them in our lives.

16. Be happy.
Truth to tell, SEAL training sounds flat-out sadistic at some points. During his training, McRaven talked about his entire team being forced to stand in freezing water up to their necks, while their instructors told them they wouldn’t let them out until five trainees gave up – and quit the entire course.

Their reply? They started to sing.

“The chattering teeth and shivering moans of the trainees were so loud it was hard to hear anything and then, one voice began to echo through the night – one voice raised in song,” he said. “The song was terribly out of tune, but sung with great enthusiasm. One voice became two and two became three and before long everyone in the class was singing. We knew that if one man could rise above the misery, then others could as well.”

Standing in the surf and mud and freezing cold still sucked, but it sucked a little less, McRaven said, and that’s how they made it through – because they gave each other hope.

17. Persevere – don’t ring the bell.
One way that SEAL training is a lot like the rest of the world is that there is an easy way to quit. You can simply give up, ring a brass bell in the middle of the compound in front of all of your peers, and walk away.

All you have to do to quit – is ring the bell. Ring the bell and you no longer have to wake up at 5 o’clock. Ring the bell and you no longer have to do the freezing cold swims. Ring the bell and you no longer have to do the runs, the obstacle course, the PT – and you no longer have to endure the hardships of training. Just ring the bell.

The vast majority of trainees ring the bell. The very few who don’t become U.S. Navy SEALs. They face even greater challenges, and someday people write about their example.

“If you want to change the world,” McRaven says, “don’t ever, ever ring the bell.”

This YouTube video conveys that focus: “How Navy SEAL Hell Week builds indestructible teams” – Brent Gleeson


Elite Navy SEAL teams demand very high levels of performance, but in assembling their teams, team members value trust even more highly than pure performance. A trustworthy person will be selected to join a SEAL team, even if that means giving up a little bit of performance. On the other hand, individuals who are extraordinarily high performers but not trustworthy diminish the team’s chances for success. Untrustworthy individual high performers are toxic to team performance, and are not selected.

Therefore, re-establishing trust is even more critical now. Far from being a static, unchanging force, trust is dynamic and flows in multiple directions. The characteristics of being trusting and being trustworthy require us to make choices to invest in relationships that result in mutual value. Trust is a tangible exchange of value; it is actionable and human across many dimensions.

Let’s examine how we can invest in, rebuild, and renew trust.

Trust is personal: A call for leaders
In the words of British writer George Eliot, “Those who trust us, educate us.” Truly building trust with our stakeholders—understanding their concerns and their priorities—involves a willingness to listen, to learn, and to hear. Building trust requires leaders to make conscious daily choices, and especially to act on those choices.

Through mutual trust. When we as leaders trust our stakeholders, we enter an exchange that engenders opportunity: We prove our trustworthiness, and stakeholders empower our strategic choices and innovations. In essence, mutual trust creates a followership that allows us to break new ground, to traverse the seismic changes taking place and emerge, thriving, on the other side of crisis.

With vulnerability and honesty. Business leaders who are willing to acknowledge what they don’t know are more likely to create trust with their stakeholders than those leaders who mistakenly believe their greatest source of influence is knowledge—or at least acting as though they know. A similar paradox exists for organizations responding to a one-time breach of trust. Stakeholders are likely to regain—and even strengthen—trust in the organization when leaders admit the mistake, are apologetic, and are transparent in how they move forward.

Authentically, and where it matters most to your stakeholders. Intent connects the leader to their humanity and the importance of acting with transparency. But at the end of the day, intent is just a promise; leaders must be able to act on that promise, and do so competently, reliably, and capably. And they must be able to do so in the areas—whether physical, emotional, digital, or financial—that matter most to their stakeholders at that given time.

By connecting as humans. Leaders who aspire to be trusted by their stakeholders take responsible actions that consider and, where possible, acknowledge the needs of each of those stakeholders. This requires an understanding of what is important to different stakeholders, and an ability to walk alongside them rather than an attempt to “walk in their shoes.”

At an institutional level, value-creation discoveries, mindset shifts, and collective agility bring together resilient organisations and their ecosystems into an interconnected web of resiliency and strength.

At an individual level, five of the most common traits in resilient leaders are adaptability, preparedness, collaboration, responsibility, and ethics to meet today’s challenges; preparedness connects tomorrow’s resources to potential future scenarios; collaboration connects the whole system; and both responsibility and ethics connect individuals, organizations, institutions, and society.

A final thought: trust-based leadership should also be understood through the lens of its influence over other leadership theories. Being trusted is a core part of other leadership styles, and a strong trust foundation is required for styles such as transformational and charismatic leadership.

While the strong trust outlook is required for these leadership theories, trust leadership places the biggest emphasis on implementing trust values to every aspect of leadership.

Can a company be successful and competitive on the market and at the same time trusted?

Eric Greitens, a former Navy SEAL and naval officer, once said on resilience:

“We all have battles to fight. And it’s often in those battles that we are most alive: it’s on the frontlines of our lives that we earn wisdom, create joy, forge friendships, discover happiness, find love, and do purposeful work.”

Predictions for the start of 2021

The phrases used to describe the events of 2020 have now become a little cliché – but there’s no doubt it has been a very challenging year for every individual and every business on a global scale. From a deadly pandemic to a global movement for racial justice, the year 2020 has certainly experienced its fair share of world-shifting events.

Let’s take a look at some of the major events that took place in 2020:

Australian bushfires; The country faced one of its most devastating wildfire seasons as the blazes continued from December 2019 into the new year and burned a record 47 million acres, displaced thousands of people and killed at least 34 people.

Prince Harry and Meghan Markle quit royal life; The Duke and Duchess of Sussex shocked both sides of the pond on Jan. 8 when they announced they were stepping down as “senior” royals.

COVID-19 pandemic; The World Health Organization announced Jan. 9 that a deadly coronavirus had emerged in Wuhan, China. In a matter of months, the virus has spread across the globe to more than 20 million people, resulting in at least 751,000 deaths.

Stock market crash; The coronavirus pandemic triggered a global recession as numerous countries went into lockdown. The Dow Jones industrial average suffered its worst single-day point drop ever on March 9.

Black Lives Matter protests; The police-involved killings of George Floyd, Ahmaud Arbery and Breonna Taylor this year sparked a wave of peaceful — and sometimes violent — demonstrations and riots across the world to demand an end to police brutality and racial injustice. More protests erupted in August when 29-year-old Jacob Blake was shot by a Kenosha, Wisconsin, cop and paralyzed from the waist down.

Kim Jong Un death rumours; The North Korean supreme leader fueled speculation that he was either gravely ill or dead after he missed events commemorating his grandfather Kim Il-sung on April 15. He re-emerged 20 days later in photos released by state media at a ribbon-cutting ceremony. The despot, however, faced a new wave of scepticism over his health in August when a South Korean official claimed all of the appearances were faked and he was in a vegetative state.

Beirut explosion; A massive explosion at a Beirut port, sparked Aug. 4 by the accidental detonation of 2,750 tons of ammonium nitrate, killed at least 190 people and injured thousands of others.

West Coast wildfires; Deadly wildfires erupted from California to Washington state, burning millions of acres and displacing hundreds of thousands of people since mid-August.

Joe Biden becomes President-elect; Joe Biden became the 46th president of the United States on Nov. 7, defeating President Trump with a critical assist from his birth state, Pennsylvania, which delivered the votes to propel him to victory and end one of the most contentious elections in recent memory.

COVID-19 in the UK: The UK becomes the first country to approve the new Pfizer/BioNTech vaccine. 800,000 doses are planned for arrival in the coming days, with a further 40 million in 2021, enough to vaccinate 20 million people. The BBC reports that the jab is “the fastest vaccine to go from concept to reality, taking only 10 months to follow the same steps that normally span 10 years.”

Around the world, we see many examples of resourceful responses to the world events in 2020, with companies changing their strategy to produce hand-sanitizers, protective gear, gowns and other supplies for hospitals, staff retrained to help out in hospitals, ventilators and life-saving medical devices, the list goes on.

The crisis created opportunities for businesses to become more innovative. Facing external pressures, some business leaders are stepping out of their routines and comfort zones to become creative problem-solvers. Along the way, they rediscovered their entrepreneurial spirit.

Beyond existing firms, some sectors of the economy are likely to grow. New technologies can offer numerous opportunities as the crisis transforms the products or services they can offer. Service businesses in particular are likely to see a lot of innovation in how services are created, packaged and sold.

Recent trends in China offer a glimpse of what is feasible for businesses. For example, online shopping and entertainment received a major boost during the coronavirus shutdown via online platforms like Alibaba, WeChat and their associated ecosystems.

In the health-care sector, health-related smartphone apps are proliferating. Artificial intelligence is helping hospital emergency rooms, while virtual reality has moved from an entertainment tool to a valuable resource for technical training and maintenance.

Companies that become competent and move quickly in these areas during the crisis will have a strategic advantage over their competitors in the post-pandemic economy.

In 2021, we will face challenges both familiar and unforeseen—but we will also see shoots of rejuvenation as the world thaws from lockdown. Here are some predictions of how the next year will play out.

Remote work will persist through 2021 and beyond
One of the most significant shifts for many workers in 2020 was the swift adoption of remote work. While some companies expected newly remote workers to return to the office, this is no longer a reality. Many businesses will not expect workers to come to the office five days a week, if at all, and companies will shrink or reconfigure office spaces accordingly.

“The reality is, employees will not be returning to the same office they left behind,” a 2020 remote-work study by PwC indicates. “There will be fewer people, restricted collaboration spaces and rotating shifts — all of which will require teams to find new ways to connect and collaborate. More than anything else, this need for connections is likely to shape what the office is going to represent.”

Salaries could be adjusted for remote workers

Along with the adoption of remote work during the pandemic, many employees took this opportunity to relocate. Some companies have already indicated that they will likely cut salaries to match cost-of-living expenses, which could be a significant corporate initiative in 2021.

“We predict a tidal wave of comp adjustments in 2021 as many tech and professional services workers go remote and move away from company HQs,” Glassdoor Chief Economist Andrew Chamberlain notes in the Glassdoor Workplace Trends 2021 report. “Once the dust settles on millions of employee relocations, we expect a wave of pay adjustments in 2021 for fully remote workers, whether or not they move to new cities.

“Once local labor markets have adjusted to a wave of newly remote workers, the equilibrium pay for workers who’ve left expensive, congested metros like San Francisco and New York for smaller cities will almost certainly adjust downward.”

Some employers might require vaccination to come back in person

As the pandemic continues, some hope is on the horizon with promising vaccines from Pfizer and other companies. These vaccines could help employees safely come back to work in-person, and some companies are considering making the vaccine mandatory.

“A couple of my corporate clients are leaning toward making the COVID vaccine mandatory,” Rogge Dunn, a Dallas labor and employment attorney, told CNBC. “Under the law, an employer can force an employee to get vaccinated, and if they don’t take it, fire them.”

Companies will reduce virtual activities and meetings

While businesses adopted virtual meetings fervently in 2020 as a way to help keep teams connected, they may not be so tied to them in 2021. As remote work becomes more of a norm, business owners could reduce these instances in order to give employees more time back to work.

“The Zoom happy hour has hit its expiration date, [with] too many long days of virtual meetings for months,” Nani Vishwanath, people team manager at Limeade, told TechRepublic. “[Employers will] gift employees with time back in 2021, such as cancelling recurring meetings or blocking a day for ‘no meetings’ and encouraging your team to recharge.”

Employees expect more diversity and company culture

Following major social and racial justice movements in 2020, companies should expect more scrutiny from employees and partners when it comes to diversity. For example, large asset manager BlackRock said it intends to push companies it has invested in for greater ethnic and gender diversity. This scrutiny will happen at the employee level as well.

“[Companies are] looking at what their policies say about company culture, what they’re willing to tolerate, what that does to employee morale, attrition and retention of employees, their reputation and ability to attract new talent and also their public perception,” Jennifer Schelfer, partner at Arnall Golden Gregory LLP, told the Atlanta Business Chronicle. “Employees are really expecting to see these initiatives in place and to see genuine support, especially from upper-level management.”

Business travel will be significantly reduced

As the pandemic continues into 2021, don’t expect travel for U.S. businesses to make a massive comeback in 2021. At the recent New York Times’ Dealbook conference, Microsoft co-founder Bill Gates predicted a significant drop in business travel, and for there to be a “very high threshold” for companies that can conduct meetings from home.

“My prediction would be that over 50% of business travel and over 30% of days in the office will go away,” Gates said at Dealbook conference. “Some companies will be extreme on one end or the other. … We will go to the office somewhat [and] we’ll do some business travel, but dramatically less.”

Economic growth could return to pre-pandemic levels by the end of 2021

For businesses that have made it through 2020, many are wondering if the economy will come back in the next year. A December 2020 survey of the National Association for Business Economics (NABE) suggests the economy very well could roar back in the second half of 2021.

“73% of panellists believe that the economy will have returned to pre-pandemic GDP levels by the second half of 2021,” reports the NABE. “The 73% is a dramatic improvement from the October survey in which 38% of panellists believed that a full recovery would occur before 2022.”

Retraining and reskilling workers will be a 2021 priority
As the pandemic has put pressure on companies to lay off lower-skilled workers that can be replaced by automation or technology, some companies will also work to retrain and reskill employees.

“Cost-effective options — such as retraining, reskilling and redeployment — will continue to grow in popularity next year,” Michelle Anthony, chief revenue officer at LHH, told BenefitsPro. “Employers will be more committed to building a workforce of the future by helping employees acquire new skills so the companies can absorb downturns and market shifts without having to resort to the costly fire-and-hire cycle.”

Finally, it’s clear the post-pandemic future will be different. What’s happened during the crisis will have a lasting impact on society. Current signs of entrepreneurial initiative and goodwill give us some cause for optimism. The future I envision post-COVID is one where people and businesses are prepared and enabled through technology.

Whether it is to continue business operations or maintain access to essential needs, the digital economy will play a crucial role in all aspects of our lives. This is the brave new world we will have to create together, and now is the time to empower and work with entrepreneurs to help build it.

As Brian A. Wong, Vice President at Alibaba, said:

“SMEs are the backbone of any society for job creation and economic contribution. They are the pathfinders during the journey to economic recovery.”