In life, depending upon the type of work and industry that we choose to be in, we are always evaluated against some sort of metric, or what is more favorably known as “Key Performance Indicators”, or “KPIs” for short.  It does not matter whether you are a world-renowned heart surgeon or even an airline pilot; you are being graded by a common set of standards.

Apart from my current gig in Cybersecurity, I have had numerous positions in technological business development.  This involved a lot of cold calling and setting up meetings for the sales guys.  Luckily, I really never had a quota per se (such as how many calls I made per hour, or how many appointments I booked on a weekly basis).

But I was being graded overall at a more macro level, and if over the long haul I wasn’t meeting that, things would hit the fan.

And believe me, they did.  There were many reasons for this, but I gave it my best effort each and every time that I had a sales-related job.  A lot of the time, I just never got the full support I needed from the upper management at the places I was working, or they simply had visions that were just too “astronomical”.

For example, reaching out only to C-Level Execs to set up meetings, and within the first meeting, expecting to have a multimillion-dollar deal fall into your lap.

Whether it is fair or not, we will always be graded against something, whether we agree with it or not.  This trend of being evaluated against a set of KPIs is now trickling down to the IT Security teams throughout Corporate America, and it is causing an increased level of stress in an already extremely stressful environment.

This is according to a recent market research project conducted by a Cybersecurity vendor known as Thycotic, which is entitled “The Cyber Security Team’s Guide to Success”.  More details about this study can be seen at this link:

According to it, more than 50% of the respondents polled indicated that they simply cannot align their daily job tasks with the corporate mission statement, and an alarming 44% don’t even know what their own department’s goals are.  Here are some other key findings:

*89% of the respondents know that they have certain KPIs that are to be met, but don’t know what they specifically are (they simply assume that it means mitigating a certain number of Security-related breaches);

*45% don’t even know how past Cybersecurity initiatives have made a dent in protecting the company that they work for, and a scary 30% of them don’t even care;

*52% of the respondents reported that if they don’t meet their assigned KPIs, their reputation will be impacted, and they may even face a decreased budget in the next fiscal year;

*Apart from the quotas that they are supposed to meet, the next most stressful factor is meeting the sheer number of compliance and regulatory demands;

*40% of the respondents believe that they get no support whatsoever from the upper levels of management, which is essentially the C-Suite.

My Thoughts On This

When I first read this, I was completely aghast at these findings.  Meaning, I was astonished, and quite frankly, even had a sense of anger about it.  It’s not at all directed towards the IT Security teams, but at the C-Suite, who come up with crazy rules of measurement and show a sheer lack of communication on their part.  Look, let’s face it.

Apart from the sales guys that are out in the field, the IT Security team probably has the next most difficult job (personally, I think it’s even harder than being a sales rep).

At this point in time, why is the C-Suite even imposing KPIs or quotas on their Cybersecurity teams?  Put that kind of pressure on the sales reps, whose main job is to bring revenue into the company.  The IT Security team has enough to deal with in terms of keeping the IT Assets and the Personally Identifiable Information (PII) out of reach of the Cyberattacker.

So, to the C-Suite: I totally fail to understand why you impose quotas on them.

The fact that they can keep up with what they are tasked to do at all is a miracle in and of itself, given the sheer lack of skilled Cybersecurity workers in today’s labor market.  So, get rid of these stupid quotas, and let your IT Security Team do what they do best – they are not sales guys, they are the protectors of the empire.

Also, this study paints yet another very painful finding – the sheer lack of communication from the upper brass down to the IT Security team.

I still fail to understand why this exists.  This is aimed directly at the CIO and the CISO specifically:  How hard is it for you to have a meeting with the entire IT department and lay out your vision as to how the Cybersecurity Threat Landscape should be dealt with?

If your company is too large and has offices worldwide, meet with the IT Security Managers so that they can relay this information down to the employees.  This must be done on at least a regular basis.  During these uncertain times, it is now more important than ever to provide 100% support to your Cybersecurity workers.

Also, once again this is aimed point blank at the C-Suite:  Why are you cutting budgets in the face of increased Cyberthreats?  Yes, I get that money is tight, but trimming it out of the IT Security budget is no way to go, when 2020 is only expected to get worse, especially with grave fears that our nation’s Critical Infrastructure could be the next major target, across all levels.

And, why are you holding your IT Security team completely responsible for regulatory compliance and for making sure that the right controls are in place?  This is not just a job for them; it is also meant to be shared in full with the Accounting and Finance departments of your organization as well.  So, why isn’t this being done?

Interestingly enough, the survey even asked the respondents what “success” really means in their current Cybersecurity roles.  Here is what it discovered:

*Being valued by the enterprise – 41%; 

*Meeting performance targets set by the board – 40%;

*Preventing enterprises from being the next ‘cybersecurity incident’ headline – 37%; 

*Meeting compliance demands – 37%; 

*Just keeping everything running smoothly – 36%; 

*Achieving consistent pay increase and/or bonuses – 31%; 

*Knowing that ‘nothing bad happens’/that there are no major security incidents or downtime – 27%;

*Not losing their job/holding onto their job – 16%.

From these extra findings, it truly does appear that the average Cybersecurity worker just wants to feel appreciated by their C-Suite, and they really do have the best interests of the company that they work for at heart, at least from the Security perspective.  So once again to the C-Suite, just do the following for your Cybersecurity team:

*Get rid of quotas and KPIs (they mean nothing here, in my opinion);

*Openly communicate your ideas and visions, so that everybody is on the same page;

*Show that you value your employees overall, and reward them financially as well for a job well done.

The bottom line is that we all just want to be appreciated for the work we do by the people that hold us responsible – even a small amount of praise can go an extremely long way.