5 Reasons Why How You Select Your Presidential Candidate Is Also Making Your Organization Insecure
The 2016 Presidential election season stretch is before us and like you, I am bombarded by news of how great one candidate is and how awful the rest are. I see daily battles on social media between friends and colleagues where both sides know the effort is futile. Show me an example of a mind changed and I’ll show you the surprised look on my face. I am fascinated with the psychology of behavior on why educated and intelligent people can differ so greatly on their political stance. This puzzling behavior is not limited to politics. My organization helps companies manage their risk through information security and over the years I have started to see similarities with security programs failing and how people select and defend their political candidate. Over 140 behavior biases have been identified that influence decision makers away from rational thought… here are five!
Confirmation Bias/Biased Assimilation – People often seek opinions and facts that already support their own beliefs and will ignore facts that contradict them. If you believe security programs are not worth the investment, I can guarantee you will find sources that agree with you!
Herding Instinct – A fundamental human trait is to seek acceptance and to conform with others. In the security world, maybe it seems like everyone is jumping on intrusion detection, or mobile device management. A common phrase may be that for senior managers, “the only thing worse than making a career limiting mistake is being the only one doing it”. It makes more sense for many to just do what everyone else is doing and not make waves. Obviously, this can have catastrophic consequences.
Status Quo Bias – Most people stick to the familiar and understood approaches even when they are proven inadequate or ineffective. On top of that, research suggests that the worry over loss is much stronger than the excitement over possible gain! It is difficult to change behavior even when that behavior doesn’t give you the results you want.
False Consensus – People tend to overestimate the support others have for their views, experiences and beliefs. False consensus can lead to underestimating important threats and moving forwarded with doomed strategies. By not accurately estimating risk to your organization, you put your information at risk.
Overconfidence – Research shows that people have exaggerated confidence in their ability to make estimates. Strangely, people avoid estimating a wide range of outcomes, thus prefer to be precisely wrong other than vaguely right. Security programs that are based on the over-confidence of senior management can be filled with vulnerabilities.
What can you do to rise above bias when making information security strategy decisions (oh, and Presidential ones!)
- Consume information from sources that you don’t typically consume. At the minimum, you will defend your position and at the other end of the spectrum maybe even change your mind! Gasp! COBIT, NIST and ISO all provide different approaches to building information security frameworks. The best professionals pull concepts from several areas.
- Talk to people outside of your normal circle to get a much needed fresh perspective. This could be other security professionals within an association, other information executives at non competing companies. Check out your local ISSA.org chapter or find a security focused group in your area!
- Research and evaluate new strategies and thoughts on your subject. Check out organizations such as ISACA (http://isaca.org), NIST or SANS.org for the latest IT security best practices.
- Seek out feedback! Don’t assume you already have buy in and support for your project! Senior management, board and steering committee buy in in critical so make sure you get it!