How To Fail At Cybersecurity


Our series on the CISO continuum is here, here, and here. There are two themes that run through these posts:

1. You could fail at cybersecurity regardless of where you are on the cybersecurity sophistication continuum, including you folks at the high end.

2. If you fail, it is likely that you failed because you were overconfident.

Why are you overconfident?

First, humans are overconfident. It is a well-known cognitive bias. You almost can't help it -- unless you actively work to overcome your own overconfidence.

Oh sure, you're above average in self-awareness of your overconfidence, right? (LOL)

Let's get more specific. Overconfidence can lead to failure in cybersecurity. There are two ways that could happen.

First, you as a CISO or CTO/CIO are overconfident because you're really smart and tech savvy. You have a very high degree of understanding of technical detail that maybe no one else in the organization has. People come to you for advice. All the adulation feels good. You figure, well, my system has worked so far, I'll keep it in place. And then the bad guys get better while you do not. They win, you lose.

Second, many people have started to rely on technology to do the "thinking" for them. Consider investing as an example. A financial advisor-blogger we follow, Ben Carlson, has a recent piece on "dumb money" investing. He claims this style probably resulted from better financial education. In brief, see his chart below: money is pouring into set-it-and-forget-it target-date or index funds and out of actively managed funds.


Do you have a "set-it-and-forget-it," target-date mentality for your cybersecurity process? You might. It sounds like this: Yeah, we put a sophisticated process into place maybe a few years ago, nothing bad has happened, we're all good.

If that's you speaking, then you are failing at cybersecurity because you are overconfident. The bad guys are actively working to beat you, probably with an artificial intelligence agent, and meanwhile it's likely that you are working to avoid putting more thought or money into what seems to be "all good." Failure is apparently one of the options you think is "all good." They win, you lose.

Drop a comment in the box about how you have addressed your overconfidence. No judgment here, we're working toward the same goal.

Ask us how we can work with you to overcome overconfidence and not gamble with your cybersecurity.
