Assessing Human Capital Risks In InfoSec
Former Navy SEAL talks cyber security and retaining personnel
Twenty-seven-year veteran of the United States Navy, former Navy SEAL, and founder of the Gethin Group, Ronald Mahrs appeared on episode #84 of TF7 Radio this week to talk about the importance of behavioral risk and coaching in cyber security, assessing human capital risks, and why organizations should invest in protecting their reputation and interests when it comes to personnel selection.
Mahrs joined host George Rettas, president and CEO of Task Force 7 Radio and Task Force 7 Technologies, to also talk about what kinds of people problems he has seen during his special operations career and how the screening process is essential to choosing the right personnel to handle sensitive data in your organization. Mahrs provided insight into how the assessment and selection of Special Operations leaders translates to the private sector and how the assessment process is used to identify workforce strengths and potential vulnerabilities that can be used as a predictive tool for performance.
Following retirement from active military service, Mahrs began expanding his academic knowledge by enrolling in George Mason University's MBA program, where he graduated as Student of the Year in 2018. He then applied for his second master's degree, in risk management, with New York University Stern School of Business, and has recently completed those requirements for his expected graduation this month, in May of 2019.
Having gained great interest in the assessment and selection methods utilized for the world's best counter-terrorism intelligence organizations, Mahrs founded The Gethin Group, a strategic leadership and human capital risk assessment company in Virginia. The Gethin Group applies assessment knowledge obtained from decades of use in the Special Operations and intelligence communities, all of which began with the efforts of those who created the OSS during World War II.
The Gethin Group now staffs some of the best former Special Operations psychologists, national intelligence operational behavior science clinicians, and career tier one combat leaders. Their goal is to assess and develop people, creating environments of profound growth for their customers. They increase human performance potential while reducing enterprise risk associated with aberrant behaviors.
Leadership And Assessing People For Risk
Mahrs explained that when you join these organizations that are highly selective (like SEAL Team 6), people are intentionally trained. He said you realize that “not only is there a need to assess and select people in the appropriate way, but there’s a reason, there’s a method to the madness of getting people in organizations to be truly effective, to really believe in the brand.”
“If you don’t believe in the brand, then catastrophe can obviously present itself,” he added. The organizations are proactive about reducing risk instead of being reactive. A lot of times what Mahrs saw was organizations that didn't take it seriously. They didn't take assessing and selecting seriously. “Whether it's military, private sector, it doesn't matter, because people are people: If you don't take that seriously, then you're going to be reactive, which means that the bubble has already come to the surface. The person that is going to do bad things has already done them by the time you're catching it, and now you're just trying to reduce your downside risk, which a lot of times it's too late,” he said.
Rettas then asked, “How does an organization really create an effective culture by human capital selection?” Mahrs replied:
- Be intentional. If it is not intentional, then it’s more than likely you’re going to cause potentially grave harm to the organization from a cultural standpoint.
- Embrace a proper reward system. The culture is based on what the organization rewards and what it punishes. If you don't emplace a proper reward system and if you don't punish what is considered improper or unethical, then it becomes systemic.
Reducing Enterprise Risk With Human Capital
Mahrs started The Gethin Group, which is a team basically comprised of about a dozen psychologists. All of the psychologists are from either Special Operations backgrounds or national intelligence backgrounds. According to Mahrs, these are the best behavioral science people at determining who presents the most risk to an organization.
This creates a team of professionals, the Special Operations leaders and the psychologists, that work together to provide both an intuitive base and a scientific base for assessment, not only in selecting people but also in developing them and providing them with insight and a means to avoid some potential blind spots that they might have. It also helps companies put in the best position people who might be either high risk or responsible for information or sensitive data that, if disclosed, will bring down a firm.
Rettas agreed, “I think there are a lot of blind spots in information security, to your point. When we talk about cyber security and the importance, a lot of times you have people with security clearances who handle obviously sensitive information. They deal with some of the biggest risks that an organization has. These risks are material risks that have a high probability of happening and a huge consequence if they do.”
Rettas continued, “You've created this team that specializes in behavioral risk in coaching, and you're talking about the assessment of human capital and the risk associated with those assessments. What does this tell people about an organization that invests in protecting its reputation and interests?”
Mahrs explained that it provides a natural entry barrier to the organization, keeping out those who might otherwise be more susceptible to aberrant behavior or to doing things that are derived out of true malfeasance.
He added that when you go through the selection process (like Mahrs did for the counter-terrorism organization) it’s very insightful. “You find out real quickly that you may suck at some things, and that's okay. But what that does is it arms you with some significant data that if I know that I'm not good at these certain areas or if I've got some blind sides, that I can mitigate those by being around people who don't possess them. I can then create a more effective team by bringing and being around people who are, they have different strengths and different vulnerabilities. That's the basic nexus of why the Special Operations teams are so successful.”
Mahrs advises that firms:
- Keep track and catalog what it is that makes leaders most effective in their particular organizations.
- Establish a baseline. Mahrs recalled looking back at case studies of firms that experienced some kind of aberrant human capital behavior that resulted in a substantial downside. There was some type of behavioral drift that occurred with the individual, but they never caught it. They never caught it because they didn't assess the people to begin with, and they didn't have a baseline.
- Know and understand the strengths and vulnerabilities of the employees. In cyber security, you have people who are in high trust positions that you have to understand in order to do some intentional risk management.
- Provide additional development to make sure they are not only performing at a top level but also understand their own vulnerabilities, by giving a little bit of insight and coaching.
The Challenges Within Cyber Security
Rettas pivoted to performance as well, mentioning that there are a couple of things in cyber security that we're struggling with right now: 1. We're trying to get new people into the industry, and 2. We have to cross-train them with new skills.
“I can't get over these managers out there who won't select someone who doesn't have all the experience and everything exactly the way they need and speaks exactly like they do. They're not willing to invest the time to take someone from an adjacent industry and train them to do some of the things that they need them to do in a cybersecurity space in their organizations,” Rettas said.
He asked, “When you assess people to identify their strengths and potential vulnerabilities, do you also use the information as a predictive tool for performance and placement, which is really two different things — so that the performance of a specific job, and the placement in a job where they might be more suited?”
Mahrs said that it is the basis of when you’re assessed and selected to come into these Special Operations units. “You want to get a sense of who the person is and what their strengths are, because you really want to leverage those strengths and you want to take the good people and you want to make them great. You can't do that unless you know what you're dealing with.” Mahrs also works with the psychologists and executive coaches to take those people and refine them and make them more aware. “If you're aware that you have some potential vulnerability, then you can then as an individual mitigate these things,” he added.
Rettas noted that there are three steps to the selection of certain human beings to perform certain functions within cyber security:
- The elimination of the insider threat coming into the organization.
- The selection of the best person for the job out of a group of people.
- The placement factor – where you save mass amounts of people that we need to move into different verticals of cyber security where they would best fit and have the best chance of success to add to the value of an organization.
“When you understand behavioral science and the systems and how to make people effective, what that does is it makes you a better leader, because now you can pick and choose people for specific teams that have a specific purpose, and they're much more effective,” said Mahrs. If you care about the people enough, you can absolutely create a very high performance team that functions in high-stakes situations.
The ‘Task Force 7 Radio’ recap is a weekly feature on Cyber Security Hub.