April 30, 2018 By Christophe Veltsos 4 min read

“Reason can answer questions, but imagination has to ask them.”Ralph Gerard, American psychiatrist

What happens to an organization when its leadership has committed a failure of imagination in the area of cybersecurity? For the answer to this question, look no further than the many class-action lawsuits, lost customers and revenue, and diminished market value associated with high-profile data breaches and cyber risks — not to mention the intensified scrutiny from regulatory bodies, such as the U.S. Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC) and state attorneys general.

In the event of a data breach, a failure of imagination might influence business leaders to ignore the factors that caused the attack. It might also lead to a misperception about the chief information security officer (CISO)’s budget, level of visibility within the organization and ability to gain executive support to enact meaningful changes throughout the enterprise. Finally, a failure of imagination could cause board directors to assume that management is on top of cyber risks when, in fact, top leadership has abdicated all responsibility for security.

A False Sense of Security

“You can’t depend on your eyes when your imagination is out of focus.”Mark Twain

There are many possible excuses for the lack of engagement, governance and proper management of cyber risks. In some instances, CISOs themselves are to blame for hiding the sad state of cybersecurity affairs from the rest of the organization. Security leaders might do this to preserve their position on the organizational chart, or the company might foster a culture in which problems are swept under the rug.

In other cases, the chief information officer (CIO) or CEO might spread a false sense of security by censoring negative reports, sandboxing the scope of audits or sugarcoating how unprepared the organization truly is. While attending a conference some months back, I heard that some general counsels and board directors had specifically asked their reports to keep them in the dark regarding cybersecurity gaps.

But, assuming that there isn’t a willful attempt to cover up cybersecurity issues by top leadership, how can CEOs, chief financial officers (CFOs) and board directors improve their engagement around cyber risks? By learning again to think like a kid, empowered by curiosity and imagination.

The Power of Curiosity

“I don’t know anything, but I do know that everything is interesting if you go into it deeply enough.”Richard Feynman, American physicist

Curiosity brings about a thirst for applied knowledge and a desire to find answers to burning questions. It influences people to look at the ordinary and ask why it is that way and not some other way.

Curious executives will question what they’re told, and seek to understand and validate the veracity of statements provided to them. Instead of taking cyber risk and IT audit reports at face value, top leaders should probe deeper and gauge the level of confidence behind the numbers and statements. When informed that an update to a particular security tool has plugged the latest hole in a organization’s armor, for example, a curious business leader would ask whether the tool has been properly configured, tested and deployed correctly. This is a great step forward, but curiosity itself can only go so far.

Embracing Imagination to Address Cyber Risks

“Imagination will often carry us to worlds that never were, but without it we go nowhere.”Carl Sagan

If curiosity influences us to ask “why,” imagination enables us to dream about “what if” and “what else.” Much like a post-breach report that connects all the dots of a cyber incident, with imagination, we can expand a small crack in our vessel into a major tear that can sink the whole ship. The power of imagination is such that nothing is taken for granted: Walls become Swiss cheese, and border fences collapse or turn into ladders.

In the cyber realm, imagination causes top leadership to consider the impact of multiple systems going down, the organization’s own data being held for ransom, or a disorganized data breach response that does more damage than the attack itself. A failure of imagination can cause someone high up in the organization to fall for a phishing email or other social engineering ploy.

Avoiding a Failure of Imagination

“An understanding of the natural world and what’s in it is a source of not only a great curiosity, but great fulfillment.”David Attenborough, English broadcaster and naturalist

The combination of curiosity and imagination allows top leadership to become engaged with and consider all the angles related to cybersecurity. Imagination influences them to dream up new ways of connecting these dots, and curiosity urges them to wonder what would happen if they did so. This potent one-two punch empowers the organization to probe areas of complacency and bolster security capabilities throughout the enterprise.

By fully embracing both imagination and curiosity, business leaders can replace the false sense of security with clear visibility into the organization’s cyber resilience posture and the effectiveness of its controls. But true cyber resilience also requires one more trait: courage. Executives need imagination and curiosity to consider all the risks the organization faces and courage to ask uncomfortable questions along the road to cyber resilience.

What would those questions look like? Here’s a peek:

Instead of Asking:

Ask:

Can XYZ happen to us?

What is the full range of cyber events that are plausible (and their consequences)?

How well-equipped are we to detect such an event?

Could events go undetected or be miscategorized, resulting in a larger negative impact?

How well can we respond to such an event?

In what ways might we fail to properly respond to an event? What would be the consequence(s) of a failure in our response?

How well can we recover from this type of event?

Could this event be terminal to our business? Could the event, or the actions we take to respond, create irreparable damage to our business unit or organization?

Scroll to view full table

If practiced as part of a broader enterprise risk management framework, curiosity and imagination, combined with clear, honest and frequent communication, can help business leaders be honest with themselves about the risks the organization faces and its ability to deal with them. It might be a rocky road, but the final destination — improved security and cyber resilience — is well worth any bumps and bruises sustained along the way.

More from Risk Management

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Cybersecurity dominates concerns among the C-suite, small businesses and the nation

4 min read - Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations.The 2024 Allianz Risk…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today