The Case for Lean Cybersecurity Leadership

More complex hierarchies can lead to overconfidence that exacerbates risk.

February 10, 2025

Reading Time: 7 min 

Topics: Frontiers, an MIT SMR initiative exploring how technology is reshaping the practice of management.

Illustration: Matt Lyon/Ikon Images

Few would expect that adding resources to a critical operational area could compromise its effectiveness. But as organizations beef up their cybersecurity teams in response to the growing threat and cost of cybercrime, they may be inadvertently blunting their ability to accurately assess their own exposure to risk.

Businesses’ natural response to growing cyber risk has been to invest in and grow their cybersecurity capabilities, including creating new leadership roles for safeguarding the confidentiality, integrity, and availability of organizational data. However, our research uncovered a surprising paradox that can render such expansion counterproductive. We found that experienced security teams can exhibit a collective overconfidence that makes responses to cyberthreats less effective. While leaders might expect that adding senior-level positions to a cybersecurity team will improve its capabilities, doing so can increase this organizational overconfidence, with potentially catastrophic effects on IT security.

This phenomenon of decision-making bias stemming from overconfidence, referred to as illusory superiority, has been found in other settings as well. Under certain conditions, people — regardless of their competence level — overestimate their abilities, skills, or qualities relative to those of their peers. There are clear downsides to illusory superiority: Individuals tend to engage in more risky behaviors, underestimate the effort needed to complete a task, and disregard valuable feedback. Overestimating one’s own ability can also harm teamwork and result in suboptimal personal and group outcomes.

Our findings are based on a study we conducted with 34 executives responsible for mitigating cyber risk in which we applied the Delphi technique to reach consensus among the participants. They included CIOs, chief information security officers (CISOs), and CTOs at small and large organizations from the public and private sectors. We asked them about eight common potentially damaging types of cybersecurity attacks that their companies could face (denial-of-service attacks, strategic data breaches, personal data breaches, sabotage and ransomware, phishing and spoofing attacks, business email compromises, malware/viruses/worms, and long cons or insider attacks). We wanted to gauge the extent to which senior cybersecurity leaders view particular threats as being potentially harmful issues for their organizations, how equipped they believe their organizations are to handle each of them, and how equipped they would expect business competitors and other peer organizations to be in each case.


Reprint #: 66337

“The MIT Sloan Management Review is a research-based magazine and digital platform for business executives published at the MIT Sloan School of Management.”
