Cybersecurity is full of fear –we need to change this
Cybersecurity has a fear problem, and we need to talk about it as a community. To quote the sci-fi epic Dune, fear is the mind-killer. In business, fear is also the growth and innovation killer –yet all too often, cyber security has associated itself with fear, and as a result, instead of enabling, it has stifled the growth settings we need the most now. This needs to stop. But how?
For starters, we need to take a hard look at how our industry sells itself. Cyber security has long been seen as a serious, grownup business. Companies in the space double down on dark brand palettes and threatening messages, and some ambulance chases each new breach in the media with "I told you so" comments. Many promote their staff of ex-military, former spies and signal intelligence experts. Fair enough on that last point. Cyber is deeply technical and necessarily touches on these shadowy worlds and highly specialised skills. There are key technical threats, defined criminal and state actor exploits and attack vectors, as well as constantly emerging risks that require identification, education and expert handling.
But do we really need to twin professional excellence with the corrosive effect of fear? After all, our world's best athletes are often admired as much for the hope and inspiration they give us as for their deeply honed professional skills. The best cybersecurity minds I know are humble and hopeful like those athletes –they know the threats can be fearsome, but they don't let the fear get them down or impede larger growth objectives.
They avoid the classic "FUD" (Fear, Uncertainty and Doubt) approach to cybersecurity. FUD made more sense when cybersecurity was relatively new, and we were in a collective sprint against a new digital enemy. Not so much now when it's clear we're in a digital marathon and need to balance defence with a strong commitment and belief in growth.
Of course, cyber security is serious, but it's also a fascinating field that is being supported by some of the most powerful technology ever invented. Just as a sandbox allows a child to let their imagination run wild without the solid boundaries of the wooden frame, there is the opportunity to resist negativity and allow curiosity and inspiration to guide a cyber strategy and a wider technology strategy while still remaining within the "frame" of the regulatory and ethical obligations.
A positive and uplifting approach like this - one that does away with fear and negativity - can underpin a company with a truly forward-thinking and transformative approach. Overcoming the bleak negativity starts with understanding the mindset that leads senior decision-makers to look at the situation darkly and respond to the darkness and fear–selling off the cybersecurity industry.
Risk management among executive leadership and company directors is, in almost all cases, weighted towards conservative risk aversion. Nobel Prize-winning economists Daniel Kahneman and Amos Tversky observed this in their research into behavioural economics – decision-makers tend to place greater weight on the economic losses that could result from their decisions than the potential equivalent gains.
This was later confirmed empirically when economists Dan Lovallo and Tim Koller conducted research for McKinsey in 2012. That research found that, across a sample of 1,500 executives, where a risk-neutral manager should be willing to accept a 75% chance of loss for a 25% chance of gain (where the potential gain was $400 million on a $100 million investment), the group would only accept an 18% chance of loss. Only 9% of executives were willing to accept even a 40% chance of loss. Almost none, therefore, were risk-neutral.
In short, company directors and senior executives are wired towards seeing the worst in a situation. When they look at cyber security, they see nothing but risks that need to be mitigated, and this isn't helped by an industry that too often profits from validating that exact perspective. Once that mindset has taken hold, any conversation about leveraging cyber security strategically can feel like Sisyphus and his boulder – an eternal effort to push against something that simply wants to roll back down to the base of the mountain.
And yet, a truly risk-neutral executive would also see the opportunity. As Clive Humby declared back in 2006, data is the new oil. It's an incredibly valuable resource that needs to be tapped and turned into fuel for modern corporate vehicles.
This is the real challenge and opportunity for anyone in cyber security, helping senior decision-makers and the wider community see - and then weigh - the opportunity to the same degree that they see the risk.
To overcome risk aversion and direct the conversation away from dark places, it is important to address the underlying causes of the aversion. They are threefold:
Firstly, organisations aren't always aware of what data they have in the first place. It's incredibly difficult to be willing to take risks when you're looking at something blind and can't properly determine the level of risk in the first place.
Before an organisation can consider taking strategic risks with data, it first needs to fully audit its data environment, properly classify data, and understand what data is critically sensitive versus what data is of less concern and can be used with increased freedom.
Secondly, organisations need access to the full suite of skills to manage the organisation's operations. This is challenging, given that Australia already has a massive shortfall of skills in this area, and that problem is only accelerating.
Organisations cannot recruit their way out of this challenge. Each new employee will have a limited number of hours in the day to work and a narrow range of competencies. While having some in-house staff to manage the overall technology strategy is essential, organisations will need to find outsourcing partners that can cover the full suite of necessary skills and strategic capabilities and have 24/7 support to respond to the dynamic challenges of cyber flags in real-time.
Thirdly, organisations need to become better at articulating the value of the risk across all key stakeholders in the organisation. Like the child in the sandbox, organisations need to develop a sense of curiosity around what is possible with the formless and shifting resources in front of them. As an organisation, they need people who see this as a creative and nurturing opportunity rather than participate in the negative and dark conversations around it. It's important that the entire industry attracts those who are willing to dig in and start to play.
This may mean chasing the "quick wins" and low-hanging fruit to demonstrate ROI and potential gains before building a more ambitious strategy. It means bringing automation to small, "safe", and non-critical processes to demonstrate how it will work (and benefit the company) before trying to dive in with complex AI algorithms.
Being curious means being more open, and overcoming conservative risk aversion means building risk tolerance first. Our industry can signal this with lighter palettes more optimistic and resilient messaging. More importantly, we must move past fear into a place open to inspiration. We're actually there now; we just need to embrace the moment and recognise the opportunity for what it is. Greater progress and impact are always made when we approach any challenge with a curious mind —cybersecurity is no different.