“Reason can answer questions, but imagination has to ask them.” — Ralph Gerard, American psychiatrist
What happens to an organization when its leadership has committed a failure of imagination in the area of cybersecurity? For the answer to this question, look no further than the many class-action lawsuits, lost customers and revenue, and diminished market value associated with high-profile data breaches and cyber risks — not to mention the intensified scrutiny from regulatory bodies, such as the U.S. Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC) and state attorneys general.
In the event of a data breach, a failure of imagination might influence business leaders to ignore the factors that caused the attack. It might also lead to a misperception about the chief information security officer (CISO)’s budget, level of visibility within the organization and ability to gain executive support to enact meaningful changes throughout the enterprise. Finally, a failure of imagination could cause board directors to assume that management is on top of cyber risks when, in fact, top leadership has abdicated all responsibility for security.
A False Sense of Security
“You can’t depend on your eyes when your imagination is out of focus.” ― Mark Twain
There are many possible excuses for the lack of engagement, governance and proper management of cyber risks. In some instances, CISOs themselves are to blame for hiding the sad state of cybersecurity affairs from the rest of the organization. Security leaders might do this to preserve their position on the organizational chart, or the company might foster a culture in which problems are swept under the rug.
In other cases, the chief information officer (CIO) or CEO might spread a false sense of security by censoring negative reports, sandboxing the scope of audits or sugarcoating how unprepared the organization truly is. While attending a conference some months back, I heard that some general counsels and board directors had specifically asked their reports to keep them in the dark regarding cybersecurity gaps.
But, assuming that there isn’t a willful attempt to cover up cybersecurity issues by top leadership, how can CEOs, chief financial officers (CFOs) and board directors improve their engagement around cyber risks? By learning again to think like a kid, empowered by curiosity and imagination.
The Power of Curiosity
“I don’t know anything, but I do know that everything is interesting if you go into it deeply enough.” — Richard Feynman, American physicist
Curiosity brings about a thirst for applied knowledge and a desire to find answers to burning questions. It influences people to look at the ordinary and ask why it is that way and not some other way.
Curious executives will question what they’re told, and seek to understand and validate the veracity of statements provided to them. Instead of taking cyber risk and IT audit reports at face value, top leaders should probe deeper and gauge the level of confidence behind the numbers and statements. When informed that an update to a particular security tool has plugged the latest hole in an organization’s armor, for example, a curious business leader would ask whether the tool has been configured, tested and deployed correctly. This is a great step forward, but curiosity itself can only go so far.
Embracing Imagination to Address Cyber Risks
“Imagination will often carry us to worlds that never were, but without it we go nowhere.” ― Carl Sagan
If curiosity influences us to ask “why,” imagination enables us to dream about “what if” and “what else.” Much like a post-breach report that connects all the dots of a cyber incident, with imagination, we can expand a small crack in our vessel into a major tear that can sink the whole ship. The power of imagination is such that nothing is taken for granted: Walls become Swiss cheese, and border fences collapse or turn into ladders.
In the cyber realm, imagination causes top leadership to consider the impact of multiple systems going down, the organization’s own data being held for ransom, or a disorganized data breach response that does more damage than the attack itself. A failure of imagination can cause someone high up in the organization to fall for a phishing email or other social engineering ploy.
Avoiding a Failure of Imagination
“An understanding of the natural world and what’s in it is a source of not only a great curiosity, but great fulfillment.” — David Attenborough, English broadcaster and naturalist
The combination of curiosity and imagination allows top leadership to become engaged with and consider all the angles related to cybersecurity. Imagination influences them to dream up new ways of connecting these dots, and curiosity urges them to wonder what would happen if they did so. This potent one-two punch empowers the organization to probe areas of complacency and bolster security capabilities throughout the enterprise.
By fully embracing both imagination and curiosity, business leaders can replace the false sense of security with clear visibility into the organization’s cyber resilience posture and the effectiveness of its controls. But true cyber resilience also requires one more trait: courage. Executives need imagination and curiosity to consider all the risks the organization faces and courage to ask uncomfortable questions along the road to cyber resilience.
What would those questions look like? Here’s a peek:
Instead of Asking: | Ask:
Can XYZ happen to us? | What is the full range of cyber events that are plausible (and their consequences)?
How well-equipped are we to detect such an event? | Could events go undetected or be miscategorized, resulting in a larger negative impact?
How well can we respond to such an event? | In what ways might we fail to properly respond to an event? What would be the consequence(s) of a failure in our response?
How well can we recover from this type of event? | Could this event be terminal to our business? Could the event, or the actions we take to respond, create irreparable damage to our business unit or organization?
If practiced as part of a broader enterprise risk management framework, curiosity and imagination, combined with clear, honest and frequent communication, can help business leaders be honest with themselves about the risks the organization faces and its ability to deal with them. It might be a rocky road, but the final destination — improved security and cyber resilience — is well worth any bumps and bruises sustained along the way.
InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato