Management & Strategy

The House Always Wins

Recently, at an event in Las Vegas, one of the speakers polled the audience.  When he asked the question, “How many people lost money gambling?”, about 90% of the hands in the room went up.  When he asked the question, “How many people won money gambling?”, about 10% of the hands in the room went up.  To anyone who understands basic probability and the business model of Las Vegas, this is not a surprising result.  A casino would not stay in business long if it didn’t win most of the time.

Given this, why is it that we often find ourselves interacting with people boasting of their gambling wins, while we almost never find ourselves interacting with people telling stories of their gambling losses?  It would seem to be a contradiction to what we know to be the truth, wouldn’t it?  The answer to this question, of course, is that our sample is biased.  If I were to win $10,000 gambling, I would be quite proud and would want to share my success with others.  But if I lost $10,000 gambling, I would likely be quite embarrassed and keep it private.

That’s all well and good you might say, but what does this have to do with information security?  That’s a great question.  As an answer, I would offer that the sample bias inhibits organizations from truly progressing towards their ultimate goals and an improved security posture.  Allow me to explain.

In information security, the sample bias results in statements like “all of our people are above average”, “our false positive rates are quite low”, “the maturity of our security program is amongst the most mature in our vertical”, and others.  For some organizations, these statements may be partially or wholly true.  But, as the law of large numbers teaches us, it simply cannot be that these statements are true for the majority of organizations.  Instead, the sample bias can trick an organization into thinking its security is better than it really is.  Or, alternatively, the pressure to exude good security and confidence in one’s security program can cause an organization to be dishonest with itself, its leadership, its board, its peers, its partners, and its customers.  In the end, this can have dire consequences, as anyone who reads the news can see.

Given this, what can organizations do to counter the sample bias and its effects to ensure they continue to progress and improve their security posture?  While there are a number of topics one could discuss, I’ve picked out a few of them that I suspect will be relevant to many organizations.

Culture

First and foremost, an organization that successfully counters the sample bias and its effects is one that shies away from groupthink and encourages honesty.  This allows the organization to constructively identify weaknesses in its security program and confront them head on.  Most organizations want to encourage this type of culture, but it is easier said than done.  It’s important to consider that this type of culture must exist at every level within the security organization.  Even one bad pocket can radically change the dynamic.

It likely comes as no surprise that every security program has its strengths and weaknesses.  It’s important to remember that acknowledging a weakness is not in itself a weakness.  Rather, it is the first step towards strengthening and improving that weak spot and should be regarded as a positive.  It may not be easy to take a look in the mirror and examine what we are not doing well, but it is extremely important.  After all, if we are not honest with ourselves, we cannot really be honest with everyone else.

Self-awareness

Self-awareness is an organizational trait that builds on the organizational culture mentioned above.  Realizing and acknowledging that capabilities need to improve is often half the battle.  Self-awareness comes with a dose of humility that allows us to learn from others who have come before us.  There are a lot of lessons that others have learned in the past.  We can and should leverage these lessons, but in order to do so, the listener needs to be receptive to the input.  There is no shame in acknowledging the need to improve.  Quite the contrary — it is to be applauded.

Self-awareness can often be a challenge inside a security organization.  Sometimes we become so busy with the day to day that we forget to come up for air and evaluate where we are strategically.  Other times, we become so familiar with our processes and procedures that it becomes difficult to identify areas for improvement.  Yet other times, we become insulated from external influences, preventing us from accurately assessing the maturity of our own security programs.  Whatever the reason, maintaining organizational self-awareness is extremely important when looking to counter the sample bias and its effects.

Humility

Of course, identification of issues and weaknesses inside the security organization is no guarantee that they can be remedied.  As the saying goes, the devil is in the details.

In my career, I’ve noticed that a little humility goes a long way towards successfully improving areas marked for improvement.  Why is humility so important?  There are likely many reasons, but among them is the acknowledgement that the organization is not performing a given function as well as it could be.  There is nothing wrong with this acknowledgement – in fact, it’s a positive and the first step on the road to improvement.

Letting one’s guard down and retracting one’s puffed out chest is important when looking to improve.  That allows for internalization of constructive criticism and the implementation of ideas that can improve the organization’s security posture.

It may sound counter-intuitive, but admitting weakness is actually a strength.  By being truthful, honest, straightforward, and earnest, we empower ourselves to grow and improve, both as individuals and as organizations.  This is an important cultural aspect that helps improve an organization’s security posture, and it is one that is often overlooked.  If you are a security leader, you owe it to yourself and to your organization to create a culture that rewards honesty and truthfulness.  Otherwise, the house always wins.  That’s good if you’re a Las Vegas Casino, but not so good if you’re looking to build a winning security organization.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.