“Reason can answer questions, but imagination has to ask them.”
Ralph Gerard, American psychiatrist

What happens to an organization when its leadership has committed a failure of imagination in the area of cybersecurity? For the answer to this question, look no further than the many class-action lawsuits, lost customers and revenue, and diminished market value associated with high-profile data breaches and cyber risks — not to mention the intensified scrutiny from regulatory bodies, such as the U.S. Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC) and state attorneys general.

In the event of a data breach, a failure of imagination might influence business leaders to ignore the factors that caused the attack. It might also lead to a misperception about the chief information security officer (CISO)’s budget, level of visibility within the organization and ability to gain executive support to enact meaningful changes throughout the enterprise. Finally, a failure of imagination could cause board directors to assume that management is on top of cyber risks when, in fact, top leadership has abdicated all responsibility for security.

A False Sense of Security

“You can’t depend on your eyes when your imagination is out of focus.”
Mark Twain

There are many possible excuses for the lack of engagement, governance and proper management of cyber risks. In some instances, CISOs themselves are to blame for hiding the sad state of cybersecurity affairs from the rest of the organization. Security leaders might do this to preserve their position on the organizational chart, or the company might foster a culture in which problems are swept under the rug.

In other cases, the chief information officer (CIO) or CEO might spread a false sense of security by censoring negative reports, sandboxing the scope of audits or sugarcoating how unprepared the organization truly is. While attending a conference some months back, I heard that some general counsels and board directors had specifically asked their reports to keep them in the dark regarding cybersecurity gaps.

But, assuming that there isn’t a willful attempt to cover up cybersecurity issues by top leadership, how can CEOs, chief financial officers (CFOs) and board directors improve their engagement around cyber risks? By learning again to think like a kid, empowered by curiosity and imagination.

The Power of Curiosity

“I don’t know anything, but I do know that everything is interesting if you go into it deeply enough.”
Richard Feynman, American physicist

Curiosity brings about a thirst for applied knowledge and a desire to find answers to burning questions. It influences people to look at the ordinary and ask why it is that way and not some other way.

Curious executives will question what they’re told and seek to understand and validate the veracity of statements provided to them. Instead of taking cyber risk and IT audit reports at face value, top leaders should probe deeper and gauge the level of confidence behind the numbers and statements. When informed that an update to a particular security tool has plugged the latest hole in an organization’s armor, for example, a curious business leader would ask whether the tool has been properly configured, tested and deployed. This is a great step forward, but curiosity itself can only go so far.

Embracing Imagination to Address Cyber Risks

“Imagination will often carry us to worlds that never were, but without it we go nowhere.”
Carl Sagan

If curiosity influences us to ask “why,” imagination enables us to dream about “what if” and “what else.” Much like a post-breach report that connects all the dots of a cyber incident, with imagination, we can expand a small crack in our vessel into a major tear that can sink the whole ship. The power of imagination is such that nothing is taken for granted: Walls become Swiss cheese, and border fences collapse or turn into ladders.

In the cyber realm, imagination causes top leadership to consider the impact of multiple systems going down, the organization’s own data being held for ransom, or a disorganized data breach response that does more damage than the attack itself. A failure of imagination can cause someone high up in the organization to fall for a phishing email or other social engineering ploy.

Avoiding a Failure of Imagination

“An understanding of the natural world and what’s in it is a source of not only a great curiosity, but great fulfillment.”
David Attenborough, English broadcaster and naturalist

The combination of curiosity and imagination allows top leadership to become engaged with and consider all the angles related to cybersecurity. Imagination influences them to dream up new ways of connecting these dots, and curiosity urges them to wonder what would happen if they did so. This potent one-two punch empowers the organization to probe areas of complacency and bolster security capabilities throughout the enterprise.

By fully embracing both imagination and curiosity, business leaders can replace the false sense of security with clear visibility into the organization’s cyber resilience posture and the effectiveness of its controls. But true cyber resilience also requires one more trait: courage. Executives need imagination and curiosity to consider all the risks the organization faces and courage to ask uncomfortable questions along the road to cyber resilience.

What would those questions look like? Here’s a peek:

Instead of asking: Can XYZ happen to us?
Ask instead: What is the full range of cyber events that are plausible (and their consequences)?

Instead of asking: How well-equipped are we to detect such an event?
Ask instead: Could events go undetected or be miscategorized, resulting in a larger negative impact?

Instead of asking: How well can we respond to such an event?
Ask instead: In what ways might we fail to properly respond to an event? What would be the consequence(s) of a failure in our response?

Instead of asking: How well can we recover from this type of event?
Ask instead: Could this event be terminal to our business? Could the event, or the actions we take to respond, create irreparable damage to our business unit or organization?

If practiced as part of a broader enterprise risk management framework, curiosity and imagination, combined with clear, honest and frequent communication, can help business leaders be honest with themselves about the risks the organization faces and its ability to deal with them. It might be a rocky road, but the final destination — improved security and cyber resilience — is well worth any bumps and bruises sustained along the way.
