Instead of pointless debates on the same cybersecurity subjects, change the outcome by changing what is listened to, says leadership columnist Michael Santarcangelo.

We have an opportunity — perhaps a responsibility — to bring fresh energy, ideas and approaches to the tired topics of security and drive real, lasting and positive change.

There are some topics in the security industry that just feel tired. The sort of subjects that grab attention without successfully changing the situation at all, let alone making a positive difference. We keep digging in because we know there is progress we can make. We just need to find it.

Out of the blue a few weekends ago, Rich Mason and Allan Alford suggested we record a podcast discussing some of these tired topics. We quickly introduced a challenge: spark and drive positive change. We reckoned that sometimes these conversations end up creating loops where we get stuck, and maybe we could shift perspectives and offer some different approaches.

Our first episode ran an hour long — and you can listen to it here. We then got together again last week and recorded a follow-up to tackle a few more issues, and you can listen to that one here.

Here are some topics we tackled:

  • Who should the CISO report to?
  • Users as the weakest link
  • Talent shortage
  • CISO burnout
  • Imposter syndrome
  • Awards marketing
  • Bad vendor behavior

Why we need to retire tired topics (and do better)

The endless, pointless debates on these topics drain us without leading to a positive outcome.

Often, these tired topics become the soundtracks in our head. What we tell and feed ourselves frames how we experience the world and influences what we do (and how the world experiences us). If we continue to think negative thoughts, we often stunt the growth and progress we can make.

Worse, the lack of progress often results in friction that erodes value, destroys trust and burns people out.

During office hours, Philip introduced the book “Soundtracks” by Jon Acuff and suggested we explore the soundtracks holding us back by introducing new soundtracks. The key is identifying the soundtracks we need to change.

That’s precisely the purpose of the podcast discussion and the challenge we face as security leaders.

Our energy is better spent bringing security and business closer together. Exploring ways to connect the value of security to business results. And learning to influence, without authority, to ease the process of change in our organizations and industry.

How do we get started changing the soundtrack?

The first step is paying attention to the inner monologue that exerts surprising control over our thoughts and actions. The good news is pattern recognition is a common trait for security professionals, and we can help each other.

Once we figure out the soundtrack we want to change, we need to explore it. This is where we seek to understand what we’re telling ourselves, explore why we’re doing it, and explore how changing the soundtrack benefits us.

When working with other leaders, I like to start with three questions:

  1. What problem are we trying to solve?
  2. What are the ideal and acceptable outcomes?
  3. How do we want to approach this?

By working together, we can learn with and from each other. We can test ideas, celebrate results, and change the soundtracks in our heads, and in our industry.