Why wasn't the security breach prevented? Seems like the question that gets asked of security breaches that make the headlines. While some cheer the focus and attention, others cringe at the assertion. The response is natural.
When something "bad" happens, people cry out for answers. Then they demand action. The need to "do something."
This reaction demonstrates the bias for breach prevention (read about it here). It creates blind spots in strategy and capability. In some cases, the misdirection of attention and resources increases the likelihood of breach. It dampens the ability to detect and respond.
Leaders responsible for security need to adopt a different mindset for success.
A breach is only a symptom?
In the introduction to Into the Breach, I shared an observation about security breaches:
"The truth is we are focusing on the wrong problem: a breach is only a symptom. Paradoxically, we face a human problem where people are not the problem. The problem is that people have been unintentionally—but systematically—disconnected from the consequences of their decisions. As a direct result, they do not take responsibility and are not held accountable. Treating a breach as the problem only makes this worse."
When introducing the human paradox in the book, I wrote that we face a people problem. I regret my poor choice of words. We face a human paradox where people are not the problem.
Realizing that a security breach is a symptom signals the need for a shift.
"For decision makers, instead of simply throwing more technology at the problem, as has traditionally been the case, the challenge of protecting information—in all forms—requires a shift in thinking and a change in behavior within our organizations. This is not bad news. Organizations stand to win big by following a strategy that both protects information and builds thriving organizations."
It sets a new bar for success. Instead of a focus on preventing breaches, the attention shifts to detection and response. Swift and accurate detection is important. Prioritized and appropriate response is essential.
Getting it right extends beyond the security team. It takes the organization working together.
That means the mindset -- and the words we use to describe it -- are vital to success.
It's time to 'anticipate breach'
The shift from the bias for prevention leads to a mindset of 'anticipate breach.'
The word is anticipate. While it signals an expectation of a breach, it does more. It makes an emotional connection. It creates an opportunity to ask questions. It sets the stage for productive conversations.
This is a powerful way for leaders to approach breaches. It is a positive approach.
But isn't everyone already breached anyway?
Some folks suggest breach is inevitable. That we acknowledge the experience of 'continuous breach.'
The notion that we exist in a state of constant breach signals failure. It suggests there is little we can do. We've lost before we even start. It causes some to question why even bother.
That's not leadership.
No one likes losing. Suggesting failure as a starting point is negative. It's self defeating. It places emphasis on the symptom of a breach. It creates unnecessary hurdles to overcome.
Embracing the mindset of 'anticipate breach' offers hope. More than a mindset, it is a tool for leaders to drive change in the organization. It is a way to ask simple questions that start important discussions.
Three questions to get the discussion started
Instead of telling someone a breach is inevitable, ask them "what happens if we get breached?"
When asking for the first time, it's common for people to wave off the suggestion. "We won't."
Acknowledge it. Then ask again, "Right. But if we did get breached, how would that impact you?" Or the project. Our customers. Whatever the focus is.
Invite them to engage in the discussion with you. Guide the conversation with these three questions:
- If something goes wrong, how fast can we detect it? How much confidence do you have? Are we looking at the right things? The most important assets and information?
- When we detect a problem, how well do we respond? While speed of response matters, getting it right matters more. Ask them what they would do. Explore the priority and steps.
- How is our prevention working? How do we know? Find out what we can block. What we need to look for. And consider how to judge what is and isn't working.
The right mindset guides proper action
Anticipate breach is a powerful, positive way to engage others and guide action.
This includes the security professionals, executives, and board members. It ranges from startups and nonprofits to established Fortune 500 companies.
When you adopt the mindset, you improve your leadership. You empower others to ask questions and offer solutions. You drive change that improves security and the business.