Moving Beyond the Dangerous Denial Phase as Individuals and Organizations

I spent 25 years in the Washington, DC area, and during that time I became a National Public Radio junkie. I guess I still am. I recently listened to a report on a comprehensive study about how people in the workplace react to the news about a coworker that’s been diagnosed with breast cancer.^[i] The results of the study shocked me. The worse the diagnoses and the closer employees physically worked to the diagnosed coworker, the less likely those working in close proximity were to seek cancer screening.

Similarly, as the conversation about the complexities, costs, and potential breaches is elevated to senior management, all too frequently, the more senior management learns, the less they want to know. I liken this to the person who frets over potentially getting cancer, while simultaneously avoiding cancer screening because they don’t want to hear bad news. Debates on screening methods aside, most would agree that this is a very dangerous approach regarding personal health. Taking “the less we know the better” approach when it comes to an organization’s information security health has broader implications on stakeholders and customers. Suffice it to say, this goes beyond a personal choice: It’s an inherent organizational responsibility.

There is a tendency to wait until something really bad happens before action is taken. Leadership wants to know the magic answer to questions like: When will be we secure? How many people and how much does it cost to secure the enterprise? There’s a perception that information security professionals are dodging these questions, and this perception can negatively impact an organization’s willingness to invest and take information security seriously. When senior leadership hears that providing a guarantee that the organization is secure isn’t possible, there’s a tendency to take chances and adopt the following mindset: What’s the point? We don’t want to bother screening to determine the health of our information security posture. If you can’t guarantee that we don’t have a problem, we don’t want to know. When it comes to personal health, if studies show a tendency to take an aversion to receiving bad news, why would it be any different for an organization to do the same?

Unfortunately, the geographical scope of cybersecurity attackers and their adversaries is expanding rapidly. Consequently, statistics show that the “hope nothing happens approach” is more and more likely to backfire. Organizations need a comprehensive approach that views information security programmatically. I frequently speak with (ISC)² members to elicit constructive feedback on how we can improve our products and services. Peppered into this feedback is a common theme that their respective organizations often do not take information security serious. They’ve hired a few security professionals, acquired some monitoring tools with limited staff available to review logs and take corrective action, etc.  It’s a common theme amongst our global membership. They struggle with a fairly pervasive management view that information security is a “once and done” endeavor, when in reality, it requires a systemic approach with sustained commitment (which comes in many forms). However, fundamentally it’s a sustained financial commitment and behavioral change within the organization. The information security professional deals with the inherent perception that security limits the business as opposed to enabling it.  This perception looms large in organizations that haven’t been or are unaware that they’ve been compromised. Just ask retailers and other industries whose security breaches have been widely covered in the media if they see security as an enabler or a roadblock to business operations. Granted, having an information security program does not guarantee that the enterprise will be secure: But not having an information security program can clearly lead to impacts that can threaten the viability of the organization.  Suffice it to say, information security breaches can end careers and ruin businesses.

Allstate Insurance has effectively weaved the concept that mayhem is all around us into their advertising campaigns. Creatively, they’ve also included some humor by having the guy that represents mayhem doing crazy things that put property owners at risk. Allstate hit a nerve with customers by creating a sense of urgency with fear (i.e., the term mayhem gets attention), and they add some levity with a consistent character making poor and/or careless decisions. It’s effective marketing in my opinion.

The information security profession has a similar challenge to effectively raise awareness about the enterprise being surrounded by cybersecurity mayhem. We often use the “we’re only as strong as our weakest link in the chain” mantra to explain information security. Today, the links in our enterprise chain involve people, devices, systems, networks, and access points to information assets. Unbeknownst to many organizations, external entities that wish them and their customers harm know the weakest links in their chain better than they do. When mayhem does strike, hopefully those being attacked will be “in good hands” in the form of qualified employees who are adequately resourced and trained.

Inspiring a safe and secure cyber world takes on many forms. From educating our children to educating senior management in our respective organizations about the value proposition of an information security program, our message needs to resonate with a broad and diverse audience. It’s going to take time to change the perception that information security means rules and policies that hinder business to information security being a business enabler. With the types of attacks we’ve seen recently, making the case that information security is fundamental to staying in business should no longer be a stretch.  However, we also need to be cognizant that people make up an organization and the collective individual psyche doesn’t typically respond well to bad news. That’s a barrier through which we all need to work.

Organizational denial that bad things are not happening 24/7/365 in the world of information security is not a wise business plan. Finding ways to present the value proposition of information security that resonate with leadership is critical. Moving the organization from a “we don’t want to know” to a “we need to know” mentality is essential in today’s cybersecurity threat landscape. Toward this end, we all need be persistent and stay the course. Hope is not a plan when it comes to information security.

[Source: (ISC)² Blog]