Strategic Alliance Magazine Q1 2018 - 29

INVESTING IN SECURITY

What are the potential threats that exist that could lead
to those outcomes; how likely are any of those potential threats to actually occur? Often, it's really hard to
figure most of this out. Organizations have a very hard
time putting a value on their information resources;
it's nearly impossible to know all the potential threats
that might exist, let alone how likely they are to occur.
Because of this, those key decision makers are often
making investment decisions under conditions of uncertainty. Oftentimes, when faced with a very hard
question like this, people don't do all the necessary calculus and, instead, replace the hard question with an
easier one. In behavioral science-speak we call these
"heuristics," simple rules of thumb that people use
when making a judgment about something. In some
cases these heuristics work fine, but in others they can
lead to problems. In the case of cybersecurity investment, the heuristic that C-level decision makers might
use is "If I'm compliant, I'm safe," and focus their investment decisions on ensuring that they've checked
all the boxes of one security framework or another.
However, while compliance might be great for getting
contracts, or proving you've done your due diligence
in court, it doesn't equate to security.

How do some of these behaviors relate to
managing multi-party collaborations?
Consider the additional security concerns that emerge
in multi-party collaborations where information is
shared. It's very easy for us to pay attention to the risks
we face as an individual company. And we may evaluate the security risk of a partner through the lens of
our own security mindset. What you may not be asking, and what you should be asking, going to the table
with a potential partner, is: What are the risks they face?
How are your security systems going to interact with
their risks and vice versa because you are now stewards to each other's security? Take, for example, Target's
breach caused by sharing security permissions with a
third-party vendor. You need to make sure no back door
exists that is going to create a vulnerability.

Why are avoidance and underinvestment such
problems among executives?
The Nobel laureate and behavioral scientist Daniel
Kahneman coined the acronym WYSIATI, or "what you
see is all there is." The idea speaks to the fact that we often really just pay attention to the things that are in front
of us and sometimes neglect other potentially important
information. It has to do with what behavioral science refers to as mental models, which are simple models we all
use to make sense of the complexity of the world around
us. These models help us to make predictions about the
future, but they also have the consequence of directing
our attention toward certain things while we ignore
others. Executives at different organizations likely have
different mental models when thinking about risks and
security for their organization. If, when forming strategic
alliances, or merging organizations together, you don't
address the differences in those mental models appropriately, both parties may miss risks.

How do you circumvent those
potential shortfalls?
One internal risk we have been addressing is how CISOs
responsible for security interact with the senior team.
If I'm a CISO (Chief Information Security Officer)
asking for money from a CEO to secure the servers,
the CEO may say it's not an immediate issue, and
maybe we will address it next year. What the CISO
should communicate is that the entire financial system is sitting on those servers. That would probably
pique their interest. The CISO may not have background in finance or business strategy. They may
come from a tech or cyber policy background, so they
don't have a mental model for thinking about what
broader organizational risks might look like. It's a bit
of a communications challenge. If you have a bunch
of high-level people coming to the table trying to knit
these alliances together, one person should be there
to represent the security risks and communicate how
they may meaningfully affect other risk areas such as
operations, finance, or public relations. We have been
proposing building risk committees that specifically
address risks relevant to each one of those areas. The
CISO can become more aware of the risks of each and
understand the linkages between those risks so they
are more adept at communicating how cybersecurity interacts with those risks. Now imagine expanding
these committees when building alliances to ensure that
all of these things are being considered and the senior
leadership is listening to these needs.