The Case for Lean Cybersecurity Leadership

More complex hierarchies can lead to overconfidence that exacerbates risk.

Few would expect that adding resources to a critical operational area could compromise its effectiveness. But as organizations beef up their cybersecurity teams in response to the growing threat and cost of cybercrime, they may be inadvertently blunting their ability to accurately assess their own exposure to risk.

Businesses’ natural response to growing cyber risk has been to invest in and grow their cybersecurity capabilities, including creating new leadership roles for safeguarding the confidentiality, integrity, and availability of organizational data. However, our research uncovered a surprising paradox that can render such expansion counterproductive. We found that experienced security teams can exhibit a collective overconfidence that makes responses to cyberthreats less effective. While leaders might expect that adding senior-level positions to a cybersecurity team will improve its capabilities, doing so can increase this organizational overconfidence, with potentially catastrophic effects on IT security.

This phenomenon of decision-making bias stemming from overconfidence, referred to as illusory superiority, has been found in other settings as well. Under certain conditions, people — regardless of their competence level — overestimate their abilities, skills, or qualities relative to those of their peers. There are clear downsides to illusory superiority: Individuals tend to engage in more risky behaviors, underestimate the effort needed to complete a task, and disregard valuable feedback. Overestimating one’s own ability can also harm teamwork and result in suboptimal personal and group outcomes.

Our findings are based on a study we conducted with 34 executives responsible for mitigating cyber risk, in which we applied the Delphi technique to reach consensus among the participants. They included CIOs, chief information security officers (CISOs), and CTOs at small and large organizations from the public and private sectors. We asked them about eight common, potentially damaging types of cybersecurity attacks that their companies could face (denial-of-service attacks, strategic data breaches, personal data breaches, sabotage and ransomware, phishing and spoofing attacks, business email compromises, malware/viruses/worms, and long cons or insider attacks). We wanted to gauge the extent to which senior cybersecurity leaders view particular threats as potentially harmful issues for their organizations, how equipped they believe their organizations are to handle each of them, and how equipped they would expect business competitors and other peer organizations to be in each case. We followed up with additional interviews with these participants to elicit further nuance and asked them to comment on the results of the Delphi study.

Our research yielded the following three important insights:

1. The bigger the threat, the greater the illusory superiority. We found that illusory superiority is a conspicuous problem in the cybersecurity field, across all of the attack types listed above. In fact, the greater the severity of a cybersecurity threat, the greater the problem of illusory superiority. In other words, the more potentially catastrophic a threat, the more confident cybersecurity leaders are in their ability to mitigate it relative to their peers. This is true even in the absence of any evidence that they are more skilled and experienced in handling such threats.

For example, we found that the threat of a significant ransomware attack — one in which swaths of critical and sensitive operational and financial data could be rendered completely unavailable — elicits greater feelings of superiority among leaders about their ability to prevent such events relative to their peers’ ability. There are several possible explanations for why this overconfidence may occur. Our respondents noted that their very real concerns may be suppressed and masked by overconfidence in their communications to their superiors and the board of directors. We suspect that this is because severe threats are more frequent topics of discussion within companies, so IT security leaders inadvertently become further emboldened in their confidence the more they talk about such threats.

2. Accountability and visibility grow muddier with more hierarchy. The trend of adding more leadership positions in cybersecurity can lead to a cascading effect where each level of an organization’s cybersecurity hierarchy may assume that the level above it is accountable for mitigating cyber risk.

For example, employees using IT resources tend to assume that the safety, reliability, and security of these systems are assured by the organization’s IT department. The IT department’s rank and file in turn operate under a blanket of relative confidence that the IT manager will ensure that the system is secure and bears accountability for doing so. These managers then report to directors or C-suite officers, whom they view as being ultimately responsible for mitigating security threats and securing the necessary resources to do so.

As such, adding more senior leaders to cybersecurity teams can exacerbate this cascading effect, not only by muddying the boundaries of responsibility across the organization but also by adding more processes and bureaucracy that can slow and complicate operations and overshadow technical concerns. C-suite officers in our study reported that they are increasingly being called upon by their boards of directors to discuss such administrative issues. They said that when going before the board itself, they feel pressured to offer a reassuring picture, especially when contracts, partnerships, and investment are at stake, even if they don’t have full visibility due to fragmented or unclear accountability. “You need to project confidence … even if you are more removed from the reality of the situation,” said one survey participant.

3. Senior managers discount subordinates’ expertise. The tendency of some managers to believe that their rank in the hierarchy reflects their superior knowledge is hardly exclusive to the cybersecurity domain — but it magnifies risk when it occurs in that context.

We found that cybersecurity leaders tend to be overconfident not only relative to peers at other companies but also to other cybersecurity employees within their own organizations — and that negatively affects their ability to manage threats. When cybersecurity leaders believe that they are in a better position to identify and manage threats than other employees, they may be less likely to seek out expertise and recommendations from their internal peers, and they may sideline lower-level employees who are more technically adept. In both cases, their overconfidence can limit the organization from bringing all available resources and knowledge to bear on cybersecurity.

How to Tame Overconfidence Among Cybersecurity Leaders

Organizations that wish to build cybersecurity teams that are better equipped to deal with the growing frequency and impact of global security threats must structure their teams and organizational workflows to reduce the effects of illusory superiority. We have two related recommendations that can help improve cybersecurity outcomes.

First, right-size the senior team — which means that leaders must check their tendency to solve problems by adding complexity to the organization. For most small-to-medium-sized organizations, one security-focused C-suite leader, such as a CIO or CISO who works in tandem with the CTO or CEO, is sufficient. This executive should have a clear mandate to assess, prevent, and deal with cybersecurity incidents; strengthen the security culture; and increase the transparency of security-related issues to the board.

Second, engage in distributed and anonymous benchmarking of cybersecurity capabilities. While many organizations conduct external penetration testing and security auditing, very few produce detailed reports in order to benchmark cybersecurity attacks and exchange information with competitors or other peer organizations about the attacks they have experienced. When companies share threat intelligence with one another, they can gain a more realistic understanding of their own cybersecurity capabilities.

Ideally, a shared database of threat information would allow a group of organizations to see how others have handled specific threats, and each member would get precise metrics on how well they were performing relative to others. Heightened visibility into peer organizations’ successes in handling cybersecurity threats brings precision into self-assessments of cybersecurity preparedness, reducing the potential for overconfidence. The primary challenge to implementing such a solution, however, is that organizations are naturally reluctant to divulge information related to the threats they have faced and whether they were successful in preventing or correcting them.

Emerging technical solutions could make it easier to protect sensitive information, however. For example, a permissioned blockchain, such as Hyperledger Fabric, enables member organizations to anonymously share data with one another. Such a shared incident-response platform could offer the increased visibility that organizations need to compare their own performance against that of their peers, which in turn could reduce the effects of unsubstantiated overconfidence and illusory superiority for cybersecurity leaders.

Overconfidence weakens an organization’s ability to handle familiar, simple threats while also significantly impairing its ability to protect itself against more complex and novel threats. As cybersecurity executives gain resources to deal with growing risks, they must be vigilant in recognizing their own biases to guard against overconfidence — and look out for the exacerbating effect of cascading organizational sludge that fragments and diminishes visibility, accountability, and effectiveness.

At the top, boards and CEOs must recognize that investing in a bigger, more complex team to address pressing issues like cybersecurity may not be as effective as simplifying excessive complexity. And organizational leaders must consider whether a secretive posture on cybersecurity is truly in their self-interest if it leaves them with a false sense of security.