Should cybersecurity overconfidence be on your threat radar?
When you run a new piece of research into the state of enterprise cybersecurity, there is an extent to which you are confirming assumptions and expectations. This is not unimportant work: identifying the truth in trends and how significant they are helps us to weight them accurately and so make better decisions. Nonetheless, one can predict from the outset what respondents will report back about: the growing rate of attacks; the extensive damage that breaches cause financially, operationally, and reputationally; and the ratcheting up of pressure from business leaders to find new strategies.
Imagine our surprise, then, when Kyndryl’s 2023 state of IT risk report found that 88% of IT decision makers are confident in their organization’s preparedness for disruption. In fact, 65% rated themselves as being ahead of other organizations, and just 8% said they were even somewhat lagging their peers in preparedness.
Such optimism stands in contrast to the fear and doubt that typically headlines such research. It is also, needless to say, mathematically impossible for this to be an accurate reflection of these organizations’ relative levels of preparation. Our findings grow yet more surprising when we note that, amongst the same respondents, 92% report having experienced an adverse event in the last 24 months.
It would be hasty to state that this constitutes a crisis in itself: there are many nuances, both technological and psychological, to how a respondent might rate their organizational confidence, and confidence is not inherently detrimental to performance. However, given the very real possibility of overconfidence leading to under-preparation, it is worth thinking about some of the possible reasons for this discrepancy that every IT leader can and should identify and correct for.
Unknown unknowns
The foundational step for any cybersecurity strategy – and often one of the most difficult steps – is engagement and alignment with the business at large. In short, security teams need to know and understand what it is that they are protecting: the most sophisticated tools and procedures matter little if users are doing work and sharing data on unmonitored platforms.
A failure to exhaustively audit the digital estate, bringing non-IT voices to the table to share back the ground truth about operations, can leave teams supremely confident about the risks they know and utterly blind to the risks that matter. A conversation that engages every part of the business on a level playing field also helps to ensure that best practice and safe behavior is disseminated holistically, not just to those most inclined to pay attention anyway.
Incorrect overcorrection
There is an ironic possibility that the finding about 92% of businesses having suffered an adverse event does not contradict our findings about confidence at all: what if, having fixed a flaw which led to a breach, teams end up feeling more confident than they did before anything went wrong?
Implementing a new tool or process which ensures that a recent stressful situation doesn’t happen again naturally comes with a sense of pride and relief. It would be a serious mistake, however, to assume even unconsciously that the next event will look anything like the last one. Falling victim to malware might well inspire a new malware defense strategy, but remember that the next problem could just as easily be a denial of service attack or an insider threat.
The real inside threat
Speaking of insider threats, it must be noted that IT teams are not immune to the mistake of giving greater attention to the more dramatic or exciting threats which exist. There is a reason why fictional stories involving cyber threats are more likely to feature insider attacks or nation-state activity than server misconfigurations or failures in network switching equipment.
The simple truth, however, is that most adverse events do not come about through deliberate attacks. Things like data center outages and failed software updates may feel different on an emotional level, but from a business resiliency perspective their impact on productivity, reputation, and revenue is absolutely of a kind with cybersecurity events. In our survey, the sixth most common cause of events was, simply, “human error”: if such things are not explicitly accounted for, your confidence may be misplaced.
Adopting a critical eye
Finally, we should acknowledge that our respondents are working, day by day, in a context that encourages a sense of confidence. In an increasingly metrics-driven environment, it is easy to pull up dashboards full of statistics proudly announcing the health status of security platforms: 99% of systems patched within a week, 99% of endpoints covered by anti-malware solutions, and so on.
For many areas of IT, scoring 99% on a metric would be viewed as excellent performance. For resiliency, though, it is the 1% that really matters: one in every hundred systems unpatched, one in every hundred endpoints exposed. Learning to adopt a critical eye even when all systems seem to be reporting green is a vital – and all too often overlooked – skill.
When does confidence become overconfidence?
As I mentioned earlier, confidence is not necessarily a bad thing. Organizations should aspire towards a state where they know that the inevitable future disruption is something that can be recovered, and a well-designed cybersecurity strategy can achieve that goal.
To err, though, is human – as is a tendency to prefer comforting information over true information. If you are part of the 65% that consider themselves leaders in cybersecurity preparedness, it might be time to reassess your priors, or even bring in an independent perspective to do so for you.
We’ve listed the best SSO and identity management software