Jazz Improvisation Applied to Implementing Information Security Programs for Businesses. A lesson in leadership.

Presentation for University of North Carolina-Wilmington 6th Annual Cybersecurity Conference

Oct 3, 2024

I started my IT career as a Communications Officer in the Marines, managing teams across single-channel radio, satellite communications, packet, and circuit switching. Fascinated by cybersecurity, I transitioned to a role as a cybersecurity analyst for the Marine Corps, preparing bases for DISA Cyber Readiness Inspections. After moving to the private sector, I quickly rose from an analyst to a services portfolio manager. From there, I took on the challenge of building an IT and InfoSec program for a defense manufacturer, ensuring compliance with 800-171 standards. Today, I run my own compliance-focused technology managed services company—supporting compliance efforts from SaaS companies pursuing SOC 2 or ISO 27001 to defense contractors preparing for CMMC.

A significant part of my success as a cybersecurity professional stems from my education as a musician.

I know what you’re thinking—how is this at all applicable to cybersecurity? We tend to think in absolutes. That 1+1=2, and that’s the only way to do it. But 4-2=2, and so does 8/4. If our goal is to get to “2,” does it matter how we get there as long as we arrive?

This presentation is meant to challenge your perspective because being a creative in a hard-skills space is something adversaries excel at.

BLUF: In cybersecurity, success isn’t just about tech or protocols—it’s about improvisation. Like music, it’s about creativity, adaptability, and leading your team to make the most of what you have. Throughout my career, I’ve learned that the principles of improvisation apply just as much to cybersecurity as they do to music and even combat.

Today, we'll explore practical strategies to help you use improvisation to foster a more agile, responsive cybersecurity culture. By fostering a culture of adaptability and empowering your teams to think outside the box, you can build security programs that aren’t just effective but agile enough to evolve as new threats emerge.

You’ll leave today with practical strategies to help your team respond better to challenges, maximize resources, and ultimately create a security program that truly works. Let’s dive in and see how improvisation can transform your approach to cybersecurity.

Stages of Capability and Maturity in Cybersecurity: Cybersecurity maturity is a journey. From crawling—focusing on vulnerability management and patching—to walking, where frameworks like SOC 2, NIST CSF, or ISO 27001 come into play, and then running with adaptive security. At each stage, capabilities must develop in parallel to meet expected targets. But remember, progression is subjective—it depends on each organization’s context and needs.

For me, it's a continuum of capabilities that need to be developed in parallel to meet expected targets. Once we reach these targets, we move up the maturity model to tackle more complex issues. By developing our organizations holistically, we can measure maturity by defining metrics that allow us to target improvement.

The Problem: Today, we focus on the hard skills of the professionals we develop for our talent pipeline. I ask you, is this enough?

When we think about cybersecurity, it's easy to picture technical skills—firewalls, malware analysis, and threat detection. But the truth is, soft skills are just as important to success. And this resonates with me because these soft skills have strong parallels in music, particularly improvisation.

Let’s break this down and explore how these skills in cybersecurity also show up in music.

Soft Skills Comparison:

1. Effective Communication:
2. Teamwork and Collaboration:
3. Leadership and Conflict Management:
4. Empathy and Active Listening:
5. Critical Thinking and Problem-Solving:
6. Adaptability and Creativity/Innovation:

So, when we talk about soft skills in cybersecurity, we’re really talking about the skills that make us better musicians, collaborators, and leaders. It’s about navigating complexity, connecting with others, and adapting—whether it's a surprise chord change or a cyber threat.

Music Education and Cybersecurity Skills Development:

• Stage 1 - Foundational Skills (Hard Skills): Technical Discipline, Analytical Skills, and Content Creation. For instance, my experience as a pianist taught me the importance of self-discipline and repetition. This is like mastering a new cybersecurity tool—understanding its strengths, weaknesses, and utility.
• Stage 2 - Collaborative Skills (Soft Skills): How many here have played in an orchestra? In ensembles, I learned to follow a leader, listen across the ensemble, and work as a team to produce one sound. The same goes for cybersecurity—understanding team roles, interpreting policies, and achieving goals collectively.
• ISO 27001 Framework as an Orchestra Analogy: Organizational controls, people controls, physical controls, and technological controls are like sections in an orchestra. Each control type requires discipline and collaboration, just like sections of musicians working together to play a piece of music.

Box- Literal Read Down:

• NIST CSF, CMMC, SOC 2, ISO 27001 are large compositions. Each framework and domain is like the key signature, tempo, and notes of a piece of music. The Players: Conductor: CISO Sections: Teams Section Leads: Directors Instrumentalists: Team Members Audience: Clients, Customers, Stakeholders, Board

The Challenges in Cybersecurity and Music:

1. Business Appetite/Audience: Think of the business as your audience—do they even want the music you're playing?
2. Resource Limitations: Personnel, equipment, and education are your instruments.
3. Reality Check: Where does your organization sit? Can you get by with less while achieving the goal?

When multiple cybersecurity teams work together, it's akin to an orchestra performing. But unlike a fixed composition, cybersecurity never ends—it evolves.

Level 3 - Jazz Improvisation as a Cybersecurity Approach: Mastering the Art of Adaptive Security

At this level, the goal is to achieve adaptive security—the ability to respond fluidly to threats as they emerge. If the earlier stages were about building capabilities and forming teams, Level 3 is about taking those skills to a new level, fostering a mindset of improvisation, rapid adaptation, and creative problem-solving.

Jazz Improvisation as an Analogy for Adaptive Security: Jazz is unique because it thrives on structure and freedom simultaneously. The musicians know the rules, the scales, and the key signatures. Yet, they're not confined by them. In the same way, at this stage, cybersecurity professionals must know the frameworks, standards, and protocols inside and out—but not be constrained by them. Instead, they must use this foundational knowledge to adapt dynamically to whatever comes their way.

Think of a jazz ensemble: Each musician has spent years mastering their instrument, learning the technical aspects, and studying music theory. Yet, in the moment of improvisation, they let go of the rigid structure to explore, create, and innovate. In cybersecurity, adaptive security operates the same way—professionals need to have deep technical and strategic knowledge but must be prepared to pivot instantly in response to a shifting threat landscape.

Key Aspects of Level 3 - Adaptive Security (Improvisation):

1. Creative Problem-Solving and Thinking on Your Feet: Just as a jazz musician might hear an unexpected chord from another player and adjust instantly, cybersecurity professionals need to adapt to unanticipated threats, changing conditions, or unforeseen vulnerabilities. Example: When a new zero-day vulnerability is discovered, your team should be able to creatively leverage existing tools, collaborate quickly, and implement a stop-gap measure before a formal patch or mitigation is available.
2. Collaboration and Real-Time Communication: Jazz musicians are constantly in a state of non-verbal communication—listening deeply to one another, responding to subtle shifts in melody or rhythm. In cybersecurity, this translates to real-time collaboration and sharing information across teams (e.g., SOC, incident response, network defense). There must be a fluidity in how your team communicates. Instead of rigid, siloed discussions, encourage an open dialogue where ideas are exchanged quickly, and solutions are crafted together—very much like a jazz band harmonizing on the fly.
3. Experimentation and Risk-Taking: Jazz is about taking risks—trying new phrases, unexpected notes, or unusual rhythms. Adaptive security requires the same level of comfort with experimentation. You won't always know if a particular defense strategy will work, but you must be willing to experiment and iterate rapidly. This is also where red teaming, ethical hacking, and penetration testing come into play. These activities mirror the improvisational nature of jazz by actively seeking to explore weaknesses, find unguarded pathways, and develop creative ways to test defenses.
4. Learning Through Practice and Iteration: Jazz musicians often "jam" together—improvising, practicing, and learning through every session. This iterative approach is vital for adaptive security. Cybersecurity drills, tabletop exercises, and “purple teaming” (a blend of red and blue teaming) simulate real-world attacks and force teams to practice their improvisational skills in handling incidents. Example: Regularly scheduled incident response simulations allow your team to work under pressure, test their skills, and learn how to adapt their strategies in real-time—much like a musician who learns to adapt their solo in a live performance.
5. A Culture of Trust and Competence: In jazz, there's an implicit trust among musicians that each will perform at a high level and support one another. For an organization to operate at an adaptive security level, the same trust and competence must be present. Team members must trust that each person knows their role, has the necessary expertise, and will act in the best interest of the whole. This extends to leadership as well. A leader in an adaptive security culture isn’t micromanaging every detail but instead serves as the "bandleader"—setting the tone, guiding the performance, and allowing the team to execute their roles creatively and effectively.
6. Building and Refining a Unique "Sound": Every jazz musician develops their own style and sound over time. In cybersecurity, your organization should strive to develop a security "personality"—a unique way of approaching defense that’s tailored to your specific industry, threat landscape, and culture. This is about not just implementing generic best practices but refining your approaches, technologies, and processes to suit your organization's needs. It means being willing to innovate and tweak traditional cybersecurity strategies to find what works best for your situation, just as a jazz musician might bend a note or phrase to fit their style.
7. Blending Frameworks and Creating a Seamless Security Program: A jazz ensemble often blends various genres, rhythms, and harmonies to create something unique. Similarly, an adaptive security program isn’t about rigidly sticking to one framework or standard; it's about blending elements of multiple frameworks (e.g., CMMC, NIST, SOC 2) to form a holistic and agile security program. Understanding that cybersecurity frameworks are guideposts rather than rigid structures allows for flexibility in designing a security posture that can adapt as the organization and threat landscape evolve.

Conclusion - Building Toward Adaptive Security Through Improvisation: Achieving Level 3 maturity is not about mastering every aspect of cybersecurity independently; it's about weaving them together seamlessly, much like a jazz performance. The end goal is to have a team that can anticipate each other’s needs, adapt to evolving challenges, and maintain a culture of continuous improvement.

Just like jazz musicians who understand that every performance is different, cybersecurity professionals at this level realize that every threat is unique. The key is not to prepare for a specific attack but to build the agility and mindset to respond effectively to any threat that may arise.

In practice, this means:

• Fostering a culture of trust and creative collaboration.
• Encouraging rapid iteration and the ability to learn on the fly.
• Being willing to challenge the status quo, experiment with new techniques, and leverage tools creatively.
• Building a team that’s comfortable with the unknown and prepared to "jam" with whatever comes their way—be it a new threat, a policy change, or a resource challenge.

By embracing improvisation, cybersecurity teams become more than just defenders—they become agile problem-solvers, creative thinkers, and ultimately, more effective in managing and mitigating risks in an ever-changing digital world.

Closing Thoughts: Our challenge as cybersecurity professionals is to think outside the box, to blend creativity with protocol, and to harmonize across teams as musicians do. By fostering a culture of adaptability, honing both hard and soft skills, and allowing space for creativity, we can lead our organizations to build security programs that are not only effective but agile and evolving.

Let’s practice and play together—improvising, learning, and building cybersecurity programs that are in tune with the threats we face.