I am waist-deep in the "Chief Inspector Gamache Series" - a murder mystery novel series that is mostly a psychology deep dive. The lead character, Chief Inspector Gamache, is a disarmingly steady, caring individual - unique for someone who regularly deals with the worst of what people can do to each other.
His approach to solving crimes, and for cultivating a team that can solve crimes, is through constant adherance to the following statements: I was wrong; I'm sorry; I don't know; I need help.
Much like cybersecurity, murder cases require efficient processes for not missing critical details; speed of work; a heavy burden of being right; and generally an environment in which admitting that one doesn't know an answer or needs help is not always promoted.
The statements promoted by Chief Inspector Gamache ultimately create the path to solving each case because they allow for undoing mistakes, missteps and misconstrued assumptions. Each statement is an antidote that actively reduces the overwhelming weight of not being right or not knowing the answers, or allowing for the profoundly simple quesitons of "how" or "why".
And it is through those statements that murders get solved. Chief Inspector Gamache's team is taught that it is not just ok to utter those phrases, but it is imperative to not missing a step in solving a crime. And I believe the same is true in cybersecurity - each statement creates a freedom to not miss steps in our own work in support of building resilient, sustainable cyber programs.
So, how do we begin to cultivate a culture of vulnerability in cybersecurity that reduces the overwhelm? We start with: I was wrong; I'm sorry; I don't know; I need help.
