April 30, 2018 By Christophe Veltsos 4 min read

“Reason can answer questions, but imagination has to ask them.”Ralph Gerard, American psychiatrist

What happens to an organization when its leadership has committed a failure of imagination in the area of cybersecurity? For the answer to this question, look no further than the many class-action lawsuits, lost customers and revenue, and diminished market value associated with high-profile data breaches and cyber risks — not to mention the intensified scrutiny from regulatory bodies, such as the U.S. Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC) and state attorneys general.

In the event of a data breach, a failure of imagination might influence business leaders to ignore the factors that caused the attack. It might also lead to a misperception about the chief information security officer (CISO)’s budget, level of visibility within the organization and ability to gain executive support to enact meaningful changes throughout the enterprise. Finally, a failure of imagination could cause board directors to assume that management is on top of cyber risks when, in fact, top leadership has abdicated all responsibility for security.

A False Sense of Security

“You can’t depend on your eyes when your imagination is out of focus.”Mark Twain

There are many possible excuses for the lack of engagement, governance and proper management of cyber risks. In some instances, CISOs themselves are to blame for hiding the sad state of cybersecurity affairs from the rest of the organization. Security leaders might do this to preserve their position on the organizational chart, or the company might foster a culture in which problems are swept under the rug.

In other cases, the chief information officer (CIO) or CEO might spread a false sense of security by censoring negative reports, sandboxing the scope of audits or sugarcoating how unprepared the organization truly is. While attending a conference some months back, I heard that some general counsels and board directors had specifically asked their reports to keep them in the dark regarding cybersecurity gaps.

But, assuming that there isn’t a willful attempt to cover up cybersecurity issues by top leadership, how can CEOs, chief financial officers (CFOs) and board directors improve their engagement around cyber risks? By learning again to think like a kid, empowered by curiosity and imagination.

The Power of Curiosity

“I don’t know anything, but I do know that everything is interesting if you go into it deeply enough.”Richard Feynman, American physicist

Curiosity brings about a thirst for applied knowledge and a desire to find answers to burning questions. It influences people to look at the ordinary and ask why it is that way and not some other way.

Curious executives will question what they’re told, and seek to understand and validate the veracity of statements provided to them. Instead of taking cyber risk and IT audit reports at face value, top leaders should probe deeper and gauge the level of confidence behind the numbers and statements. When informed that an update to a particular security tool has plugged the latest hole in a organization’s armor, for example, a curious business leader would ask whether the tool has been properly configured, tested and deployed correctly. This is a great step forward, but curiosity itself can only go so far.

Embracing Imagination to Address Cyber Risks

“Imagination will often carry us to worlds that never were, but without it we go nowhere.”Carl Sagan

If curiosity influences us to ask “why,” imagination enables us to dream about “what if” and “what else.” Much like a post-breach report that connects all the dots of a cyber incident, with imagination, we can expand a small crack in our vessel into a major tear that can sink the whole ship. The power of imagination is such that nothing is taken for granted: Walls become Swiss cheese, and border fences collapse or turn into ladders.

In the cyber realm, imagination causes top leadership to consider the impact of multiple systems going down, the organization’s own data being held for ransom, or a disorganized data breach response that does more damage than the attack itself. A failure of imagination can cause someone high up in the organization to fall for a phishing email or other social engineering ploy.

Avoiding a Failure of Imagination

“An understanding of the natural world and what’s in it is a source of not only a great curiosity, but great fulfillment.”David Attenborough, English broadcaster and naturalist

The combination of curiosity and imagination allows top leadership to become engaged with and consider all the angles related to cybersecurity. Imagination influences them to dream up new ways of connecting these dots, and curiosity urges them to wonder what would happen if they did so. This potent one-two punch empowers the organization to probe areas of complacency and bolster security capabilities throughout the enterprise.

By fully embracing both imagination and curiosity, business leaders can replace the false sense of security with clear visibility into the organization’s cyber resilience posture and the effectiveness of its controls. But true cyber resilience also requires one more trait: courage. Executives need imagination and curiosity to consider all the risks the organization faces and courage to ask uncomfortable questions along the road to cyber resilience.

What would those questions look like? Here’s a peek:

Instead of Asking:

Ask:

Can XYZ happen to us?

What is the full range of cyber events that are plausible (and their consequences)?

How well-equipped are we to detect such an event?

Could events go undetected or be miscategorized, resulting in a larger negative impact?

How well can we respond to such an event?

In what ways might we fail to properly respond to an event? What would be the consequence(s) of a failure in our response?

How well can we recover from this type of event?

Could this event be terminal to our business? Could the event, or the actions we take to respond, create irreparable damage to our business unit or organization?

Scroll to view full table

If practiced as part of a broader enterprise risk management framework, curiosity and imagination, combined with clear, honest and frequent communication, can help business leaders be honest with themselves about the risks the organization faces and its ability to deal with them. It might be a rocky road, but the final destination — improved security and cyber resilience — is well worth any bumps and bruises sustained along the way.

More from Risk Management

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Addressing growing concerns about cybersecurity in manufacturing

4 min read - Manufacturing has become increasingly reliant on modern technology, including industrial control systems (ICS), Internet of Things (IoT) devices and operational technology (OT). While these innovations boost productivity and streamline operations, they’ve vastly expanded the cyberattack surface.According to the 2024 IBM Cost of a Data Breach report, the average total cost of a data breach in the industrial sector was $5.56 million. This reflects an 18% increase for the sector compared to 2023.Apparently, the data being stored in industrial control systems is…

Cybersecurity Awareness Month: Horror stories

4 min read - When it comes to cybersecurity, the question is when, not if, an organization will suffer a cyber incident. Even the most sophisticated security tools can’t withstand the biggest threat: human behavior.October is Cybersecurity Awareness Month, the time of year when we celebrate all things scary. So it seemed appropriate to ask cybersecurity professionals to share some of their most memorable and haunting cyber incidents. (Names and companies are anonymous to avoid any negative impact. Suffering a cyber incident is bad…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today