April 30, 2018 By Christophe Veltsos 4 min read

“Reason can answer questions, but imagination has to ask them.” – Ralph Gerard, American psychiatrist

What happens to an organization when its leadership has committed a failure of imagination in the area of cybersecurity? For the answer to this question, look no further than the many class-action lawsuits, lost customers and revenue, and diminished market value associated with high-profile data breaches and cyber risks — not to mention the intensified scrutiny from regulatory bodies, such as the U.S. Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC) and state attorneys general.

In the event of a data breach, a failure of imagination might influence business leaders to ignore the factors that caused the attack. It might also lead to a misperception about the chief information security officer (CISO)’s budget, level of visibility within the organization and ability to gain executive support to enact meaningful changes throughout the enterprise. Finally, a failure of imagination could cause board directors to assume that management is on top of cyber risks when, in fact, top leadership has abdicated all responsibility for security.

A False Sense of Security

“You can’t depend on your eyes when your imagination is out of focus.” – Mark Twain

There are many possible excuses for the lack of engagement, governance and proper management of cyber risks. In some instances, CISOs themselves are to blame for hiding the sad state of cybersecurity affairs from the rest of the organization. Security leaders might do this to preserve their position on the organizational chart, or the company might foster a culture in which problems are swept under the rug.

In other cases, the chief information officer (CIO) or CEO might spread a false sense of security by censoring negative reports, sandboxing the scope of audits or sugarcoating how unprepared the organization truly is. While attending a conference some months back, I heard that some general counsels and board directors had specifically asked their reports to keep them in the dark regarding cybersecurity gaps.

But, assuming that there isn’t a willful attempt to cover up cybersecurity issues by top leadership, how can CEOs, chief financial officers (CFOs) and board directors improve their engagement around cyber risks? By learning again to think like a kid, empowered by curiosity and imagination.

The Power of Curiosity

“I don’t know anything, but I do know that everything is interesting if you go into it deeply enough.” – Richard Feynman, American physicist

Curiosity brings about a thirst for applied knowledge and a desire to find answers to burning questions. It influences people to look at the ordinary and ask why it is that way and not some other way.

Curious executives will question what they’re told and seek to understand and validate the veracity of statements provided to them. Instead of taking cyber risk and IT audit reports at face value, top leaders should probe deeper and gauge the level of confidence behind the numbers and statements. When informed that an update to a particular security tool has plugged the latest hole in an organization’s armor, for example, a curious business leader would ask whether the tool has been properly configured, tested and deployed. This is a great step forward, but curiosity itself can only go so far.

Embracing Imagination to Address Cyber Risks

“Imagination will often carry us to worlds that never were, but without it we go nowhere.” – Carl Sagan

If curiosity influences us to ask “why,” imagination enables us to dream about “what if” and “what else.” Much like a post-breach report that connects all the dots of a cyber incident, with imagination, we can expand a small crack in our vessel into a major tear that can sink the whole ship. The power of imagination is such that nothing is taken for granted: Walls become Swiss cheese, and border fences collapse or turn into ladders.

In the cyber realm, imagination causes top leadership to consider the impact of multiple systems going down, the organization’s own data being held for ransom, or a disorganized data breach response that does more damage than the attack itself. A failure of imagination can cause someone high up in the organization to fall for a phishing email or other social engineering ploy.

Avoiding a Failure of Imagination

“An understanding of the natural world and what’s in it is a source of not only a great curiosity, but great fulfillment.” – David Attenborough, English broadcaster and naturalist

The combination of curiosity and imagination allows top leadership to become engaged with and consider all the angles related to cybersecurity. Imagination influences them to dream up new ways of connecting these dots, and curiosity urges them to wonder what would happen if they did so. This potent one-two punch empowers the organization to probe areas of complacency and bolster security capabilities throughout the enterprise.

By fully embracing both imagination and curiosity, business leaders can replace the false sense of security with clear visibility into the organization’s cyber resilience posture and the effectiveness of its controls. But true cyber resilience also requires one more trait: courage. Executives need imagination and curiosity to consider all the risks the organization faces and courage to ask uncomfortable questions along the road to cyber resilience.

What would those questions look like? Here’s a peek:

Instead of asking: Can XYZ happen to us?
Ask: What is the full range of cyber events that are plausible (and their consequences)?

Instead of asking: How well-equipped are we to detect such an event?
Ask: Could events go undetected or be miscategorized, resulting in a larger negative impact?

Instead of asking: How well can we respond to such an event?
Ask: In what ways might we fail to properly respond to an event? What would be the consequence(s) of a failure in our response?

Instead of asking: How well can we recover from this type of event?
Ask: Could this event be terminal to our business? Could the event, or the actions we take to respond, create irreparable damage to our business unit or organization?

If practiced as part of a broader enterprise risk management framework, curiosity and imagination, combined with clear, honest and frequent communication, can help business leaders be honest with themselves about the risks the organization faces and its ability to deal with them. It might be a rocky road, but the final destination — improved security and cyber resilience — is well worth any bumps and bruises sustained along the way.
