As both a technology specialist and someone who has spent many years studying psychology, I have noticed a parallel between how humans behave when facing a psychological threat and how many CISOs and IT leaders behave when facing the potential threat of a data breach. Ultimately, information technology is a product of the human mind, so perhaps this is not too surprising. But perhaps we can gain some useful insights from psychology, and in this article I outline how the powerful human forces of fear and acceptance can play a key role in a cyber resilience strategy, and which common pitfalls to look out for in your strategic thinking in this realm.
Many years ago, during my psychology degree, I studied the stress response, writing my thesis on the effectiveness of various coping mechanisms for stress. It is human nature to focus on trying to prevent something unpleasant, and the human body has developed a “fight or flight” response to threatening events, which is often the reason many people suffer from a chronic stress response and anxiety. These symptoms can be incredibly debilitating for some people. They were born during our evolution, when this response, which raises cortisol levels in the bloodstream, led to action: fleeing from the bear chasing us through the woods. In modern times we still feel the same feelings, but our environment is very different. When we have unpleasant experiences today, we often protect ourselves from these psychologically threatening events with defence mechanisms such as avoidance. This can sometimes be effective in warding off the initial threat, but by relying on it we are not preparing ourselves for the time when we cannot avoid the situation, and when that happens it can cause considerable psychological damage. The coping strategy of avoidance is only effective when we can control the variables.
To draw the parallel in the cyber-security realm, cyber security and IT leaders have built a fortress of prevention technologies, with firewalls, identity and access management systems and the like, all of which are effective at avoiding the threat of a cyber attack. All of this is needed to protect their organisation's valuable data from falling into the wrong hands, and so it is a wise strategy to pursue. I am not questioning this; it has to be done, and it is an important aspect of security and the first line of defence against malicious intruders. However, prevention alone is of no use if you do eventually get breached. You are then facing a threat where you are not in control of the variables, and this can cause considerable business and reputational damage, let alone a lot of stress for IT leaders and CISOs alike.
Coming back to the human condition, if someone is struggling with chronic stress because they find it difficult to cope with external factors, it is sometimes helpful to understand where the issue is coming from, so that they can identify the root cause and start to do something about it. Counselling or cognitive behavioural therapy can often be useful here. A good therapist will delve deeply into thoughts, feelings and how these may result in specific behaviours, and this can sometimes provide an “aha” moment, where the person can link an external stimulus to a thought, and then to a behaviour. This can be effective at changing behaviour and reducing the stress response.
Once again, the equivalent from a cyber security perspective is the adoption of observability tools to identify and analyse where potential breaches may occur. SIEM systems that collect and analyse event logs can detect potential threats that could be the root cause of a breach, and vulnerability management systems can identify systems, networks and software with holes that need to be plugged. All of this exploration work is very effective at understanding where the root cause of a breach may lie, and hence gives an organisation a way forward to plug these gaps, change behaviours and avoid the loss of critical data.
Anticipatory anxiety is the fear of an upcoming event that has not yet happened, and when this feeling occurs there are a number of coping mechanisms that can be employed effectively. One primary mechanism is to take concrete action: to do everything you can to be prepared for the upcoming event. For instance, if you are anxious about a future public speaking engagement, then prepare for the talk, practise, make notes and give yourself the best possible chance of success. But sometimes that is not enough, and you also need to focus on bringing your thoughts back to the present, calming the nervous system through the mind, which can be achieved through the practice of meditation. Meditation is an effective tool for slowing down your breathing and focusing on the now, and it can also help develop a level of acceptance. Developing acceptance of the upcoming event can reduce anticipatory anxiety and make you perform much better on the day.
The same is true of cyber resilience. Accepting that you are most likely going to be the target of a breach, and being as prepared as possible for that eventuality, is not just good for the mental health of our CISOs but is also an effective strategy, as it puts the mindset into “response mode”. The CISO and IT leadership are now thinking about a cyber incident response plan: not just about having critical data backed up, but about the process they will need to go through to recover, and about testing that process on a regular basis. By running red team exercises to simulate attacks, CISOs can be better prepared for how critical business processes can continue to run, or be recovered, after a potential breach.
In my experience as a CIO in the global IT marketplace, the mindset of acceptance and preparing for the eventuality of a breach is probably the one area that is least practised. I empathise with those who focus more on prevention, visibility and containment, as all of this needs to be done and budgets are limited. But it is equally critical to focus on a cyber resilience plan. This plan goes beyond simply documenting a process: it should start with a business impact analysis of critical business services and functions, link these to the key applications and infrastructure they depend on, and then ensure that all of these components can be recovered in the event of a breach within a recovery time objective that is consistent with business requirements. For instance, when hit with a cyber attack you cannot delete or alter the primary environment until a full forensic investigation is completed and law enforcement has been notified, so how do you continue to run your business during what could be weeks to months without that environment being available? An immutable backup, although important, will not protect you from this eventuality.
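One way to make the "recover within an agreed RTO" step concrete, as an added example that is not the article's or Ergo's own tooling: a small Python model of a business impact analysis dependency map that computes each service's critical-path recovery time, assuming components are rebuilt in a separate clean environment (the primary one stays untouched for forensics), and flags any service that misses its RTO. All component names, rebuild durations and RTO values below are constructed for illustration.

```python
# Added example: BIA dependency map -> critical-path recovery time vs RTO.
# All names, durations and RTOs are constructed, not from any real plan.

# Hours to rebuild/restore each component in a clean recovery environment.
RECOVERY_HOURS = {
    "network-core": 4,
    "identity-provider": 6,
    "database-cluster": 12,
    "app-server": 3,
    "order-processing": 2,   # business service
    "customer-portal": 2,    # business service
}

# Which components each component needs before it can be brought up.
DEPENDS_ON = {
    "identity-provider": ["network-core"],
    "database-cluster": ["network-core"],
    "app-server": ["identity-provider", "database-cluster"],
    "order-processing": ["app-server"],
    "customer-portal": ["app-server", "identity-provider"],
}

# Recovery time objectives (hours) agreed with the business per service.
RTO_HOURS = {"order-processing": 24, "customer-portal": 16}


def time_to_recover(component, memo=None):
    """Earliest hour at which `component` is back, assuming independent
    dependencies are rebuilt in parallel and a component starts only
    once all of its dependencies are complete (critical path)."""
    memo = {} if memo is None else memo
    if component not in memo:
        deps = DEPENDS_ON.get(component, [])
        ready = max((time_to_recover(d, memo) for d in deps), default=0)
        memo[component] = ready + RECOVERY_HOURS[component]
    return memo[component]


def rto_report():
    """Map each business service to (hours_needed, rto, within_rto)."""
    return {s: (time_to_recover(s), rto, time_to_recover(s) <= rto)
            for s, rto in RTO_HOURS.items()}


def critical_path(service):
    """Chain of slowest dependencies; shorten this if the RTO is missed."""
    path = [service]
    while DEPENDS_ON.get(path[-1]):
        path.append(max(DEPENDS_ON[path[-1]], key=time_to_recover))
    return list(reversed(path))


if __name__ == "__main__":
    for svc, (hours, rto, ok) in rto_report().items():
        status = "OK" if ok else "MISSES RTO via " + " -> ".join(critical_path(svc))
        print(f"{svc}: {hours}h needed, RTO {rto}h: {status}")
```

With the constructed data, order-processing recovers in 21 hours against a 24-hour RTO, while customer-portal also needs 21 hours but has a 16-hour RTO, so the report points at the database-cluster rebuild as the path to shorten.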
At Ergo, although I am not a practising psychologist, I am part of an extensive team of cyber and infrastructure specialists who can help your organisation prepare for a potential cyber incident, giving your business the best chance of continuity during what will be a very difficult and stressful time. We can help you with advisory, planning, implementation and ongoing managed services for private, public and multi-cloud environments. Please give us a call so we can help you be prepared.