
Acknowledging our own biases and functional fixations is the first step towards recognizing and prioritizing the cybersecurity challenges faced by the organization, and only then implementing the necessary security measures.

Introduction

Let us suppose you have to spend the yearly budget for cybersecurity. How will you go about planning the expenditure? Most cybersecurity executives will pick up last year's expenditure list, add any new demands from team members and finalize the figures. In no time the budget is exhausted and you are still left scrounging for more resources.

The problem is that we are too comfortable with the information already available to us. Daily stress, fatigue or cognitive laziness makes us take decisions that are not best suited to the circumstances at hand. We are well aware of the rapidly changing cyber threat landscape: the cybersecurity products, tools and procedures of the past may have lost their sheen, with many bordering on obsolescence. The attack surface is changing with ever-evolving product lines and asset classes. Compliance requirements are changing. Endpoints are operating in untrusted, if not hostile, environments. Working from home is increasingly the norm. Supply chain infections follow from our ever-increasing dependency on third-party libraries and software. APIs turn rogue or are compromised. Hybrid cloud and on-prem environments are being adopted side by side.

It can be really treacherous, especially in the cybersecurity domain, to make decisions based purely on intuition or on what we already know. As a first step we need to understand what causes our thinking to produce poor decisions; only then can we nudge ourselves towards better choices.

Biases Everywhere

Intuitive judgment. Our brains have created mental shortcuts based on our past experiences and associations. They are what make our thinking automatic and intuitive, and what make us avoid car accidents. These shortcuts give rise to biases. However, they are not the only source of biases.

Deliberate thinking gone awry. We might be focusing on the wrong things. We might fail to seek the relevant information and base our decisions on irrelevant data.

Strategies to overcome the biases in Cybersecurity

Brainstorming the future scenarios

We need to think about the various possible future scenarios and derive appropriate conclusions from them. We can run tabletop exercises or breach simulations to prepare, and to work out the procedures and methodologies we will follow when we actually encounter such an outcome. We can adopt an assumed-breach mindset and work out how to limit the impact. We can carry out threat hunting to gain better visibility into our security mechanisms. We can also employ the concept of a premortem, in which you imagine a future failure and then try to figure out its cause.

Deliberating on the Options

With limited time, budget and resources, we need to prioritize the implementation of security measures that protect against the most commonly exploited attack vectors and vulnerabilities. Whenever there is a news broadcast on some esoteric security breach, it is quite natural that our attention will be drawn towards it. However, we should keep the focus on the threat surface unique to our business requirements and spend our efforts on prioritizing that, rather than going after esoteric edge cases which might not even be relevant to our business environment.

Keeping the end goal in sight

We need to keep our objectives always in sight to make intelligent security decisions. Our energies should be focused on improving and streamlining the processes and procedures most relevant to our own business needs, through automation and a reduction in manual intervention. We still grapple with the need for manual intervention to meet the compliance and security requirements of many of our managed endpoints.

Implicit Trust

Many times cybersecurity executives place implicit trust in the IT teams, as they are perceived as the experts. However, there is a need to seek additional information and make our own decisions.

In the end it is almost impossible to overcome our biases entirely, but we can have procedures in place and nudge ourselves to make decisions in the right direction.

Acknowledgements

IIM Certificate

The lecture on how individual biases can impact the decision making of the leaders was conducted by Professor Kajari Mukherjee of IIM Indore during the Management Development Program.
