Dueling Hats:
In the bustling world of financial institutions, where the roles are many and the hours few, the challenge of embedding robust cybersecurity practices can feel daunting. For many in leadership positions, juggling multiple hats often leads to a reactionary stance, with proactive cybersecurity initiatives taking a backseat. It's hard to stay focused on information security when you're wearing multiple hats. It's hard to be proactive when you're stuck in a whirlwind of reactivity. Yet, the quality of the questions we pose can pivot our approach from firefighting to strategic progress.
Asking the Right Questions:
It's interesting how questions work; they guide our focus, often steering us toward answers, sometimes even without our full awareness. That's why it's crucial to ask the RIGHT questions, ensuring our mental energy is directed toward productive solutions.
Rather than dwelling on the daunting "How can I possibly manage all my roles and all of this cybersecurity stuff too?", reframing the question can illuminate the path forward. By shifting to "How can I make consistent progress on our Information Security Program while fulfilling my other responsibilities?" or "Who can assist me in fortifying our Information Security Program?", we transition from a place of overwhelm to one of opportunity and solutions.
Embracing Reality with WOOP:
The first question frames the task as insurmountable, setting us up to wrestle with reality—a battle we will ALWAYS lose. In contrast, the second question seeks solutions within the context of reality, acknowledging constraints while exploring possibilities. When aiming to achieve anything, it's essential to be realistic so we always want to "rub it up against reality".
To navigate this shift effectively, the WOOP methodology, which comes from Gabriele Oettingen's book Rethinking Positive Thinking, offers a structured, science-backed approach (https://woopmylife.org/en/science). It encourages us to articulate our Wish, envision the Outcome, identify Obstacles, and devise a Plan. Let's walk through a fictional scenario with Lisa, a COO juggling multiple roles and Information Security Officer responsibilities at a small financial institution.
WOOP stands for: Wish, Outcome, Obstacle, Plan.
Wish:
- A goal, project, task, interaction, etc. I wish to....
- make consistent progress on improving our Information Security Program.
Outcome:
- The benefits of this would be....
- less pressure and not having to scramble to complete something halfway before an audit or an exam,
- closing out open audit findings,
- clearing those Examination items requiring attention,
- a stronger Information Security Program
Obstacles:
- What's my reality? What, inside me or external to me, could prevent me from achieving my wish?
-
- Not having enough time.
- I know I always get sucked into my day and at the end of the day realize I never made it around to working on "that thing" I planned on working on.
- I don't know where to start.
- There is so much to do and so many issues to resolve, it all seems overwhelming to me.
- I have too many "hats".
- With all of my roles, it seems like someone constantly needs me and it's hard to juggle everything at once.
- I don't know enough about Cybersecurity.
- I'm just a COO that somehow ended up with the IT & ISO duties. I don't have any formal training, only what I've picked up and learned over the past few years.
- I use this as an excuse to procrastinate.
- Not having enough time.
Plan:
- What can I do to move past these obstacles?
- Deep Work: I can create a dedicated block of time to work on the Information Security Program.
- I can be creative before reactive (https://www.heroic.us/plus-one/creative-vs-reactive) and work on this first thing in the morning before getting sucked into the whirlwind.
- I'll set a target of working on it for 1 hour a day with a minimum of 15 minutes.
- I'll communicate to my team so they know that I'm not to be disturbed during the first hour unless it's an emergency.
- In my first deep work time block (https://calnewport.com/deep-habits-the-importance-of-planning-every-minute-of-your-work-day/), I'll make a list of EVERYTHING that needs to get done.
- I'll go through and prioritize these items on what I think is important and then ask someone else what they think.
- I'll focus on The ONE Thing (https://the1thing.com/mastering-the-foundations-of-the-one-thing/), the highest priority item each day until it's complete, then I'll move to the next one.
- I know I can't do it all and I don't know it all, so I'll ask who can help me?
- Who can I delegate some of my duties to?
- Who can help me on my current Information Security priority?
- Is there a partner I can outsource the task to?
- Is there someone I know at another Institution that's dealing with the same issues?
- Is there a peer group, partner, or consultant I can ask for advice or direction?
- Is there someone who has a training resource to help educate me more?
- Who can help hold me accountable to my priority list?
- Who can I delegate some of my duties to?
- Deep Work: I can create a dedicated block of time to work on the Information Security Program.
WOOP there it is!
Lisa's WOOP strategy transforms an overwhelming situation into a manageable and strategic action plan. By dedicating focused time and seeking collaborative support, she aligns her day-to-day actions with her overarching security goals.
The narrative of "too much to do and not enough time" is a common refrain across financial institutions. However, methodologies like WOOP empower leaders to break the cycle of reactivity, offering a blueprint for integrating effective cybersecurity practices amidst diverse responsibilities. Whether you're an executive, an IT professional, or an Information Security Officer, adopting this approach can catalyze significant progress in your security initiatives. This is a great tool to use for any big goal (work or personal) or even down to your next meeting.
Embark on your WOOP journey today. Identify a goal, envisage the positive outcomes, confront the barriers, and carve out a clear action plan. Embrace the synergy of strategic questioning and structured planning to fortify your institution's cybersecurity landscape. Explore more, experiment with WOOP, and share your success story (https://www.linkedin.com/in/tonybushong/) as you redefine what's possible in your multifaceted role.