Going Slow to Go Fast: vCISO Restraint Amid Cybersecurity Chaos
For those of us with enough gray hair to remember back that far, it is reasonable to compare the explosive growth of Web 1.0 and the proliferation of the Internet in the 1990s to the growth witnessed presently in cybersecurity. In both eras, stressed-out, harried leaders and their teams were asked to perform miracle after miracle, to learn and deliver at unprecedented, unsustainable rates, and to always do so without error and all too often without a clear vision or plan. Sadly, we failed to learn from that past and now seem condemned to repeat it, this time in the context of information security.
Things are vastly more complicated today. Thanks to speed-of-light news cycles carrying a daily deluge of ransomware horrors and stories about massive information security breaches, we have a convergence of justified concern and irrational hype. The result is a contagion that infects boardrooms and C-suites, and ultimately trickles down to already overworked and understaffed information security or technology organizations, which are directed to defend against the raging, malevolent cybercriminal hordes at the gates. That unfortunately has become business as usual in many organizations.
Information security leadership’s caffeine- and adrenaline-addled responses often lack adequate forethought or planning, all in an attempt to satisfy bosses, customers, and frankly, to just silence the din. In the process, nerves are further frazzled, relationships are tested, and when all is said and done, the organization is only marginally more secure than before the bedlam ensued. It is here that the lesson of the “Tortoise and The Hare” can be applied.
Remember Aesop’s fable? The one where the rabbit mocked the turtle for being so slow and challenged him to a footrace. Off the rabbit charged to a quick lead and assured victory, only to pause for a nap while the turtle trundled along slowly and methodically behind him, ultimately passing the napping hare and winning the race. The moral of the story being that the race is not always to the swift. In the context of information security, it is during the most stressful scenarios that an effective leader is the one who wisely “goes slow to go fast.”
This is not an easy skill to develop, and it often runs counter to our instincts to be ultra-responsive to minimize damage, move projects along, and be accommodating to bosses, customers, and stakeholders. That said, the notion that “speed wins” in the realm of cybersecurity is a false premise. The benefits of an intelligently paced and reasonable approach to information security and incidents are numerous:
- Smarter, better-designed solutions to complex problems
- Reduced costs
- Lower likelihood of mistakes
- Increased team morale and engagement
- More satisfied stakeholders
The information security threats our organizations face are real, as are the losses in revenue and reputation that can accompany them. So, too, are the pressures organizations face from stakeholders to respond aggressively, perhaps even hyperactively, to new security technology, projects, or threats that present themselves. Truthfully, there may be situations, likely involving a crisis, where an immediate, gut-instinct response may be warranted and the proper course of action, but running an information security program or team effectively in the long term requires a more sustainable and reasoned approach.
Even during a crisis, taking a few moments to gather the facts, bring together the right people, and methodically and unemotionally assess and respond to the situation is the responsible and smarter course of action. It is at these moments that organizations must push back on those yelling the loudest and resist the urge to respond impulsively. Take that deep breath, filter through the “facts” and invest in at least a modicum of planning before responding to business-as-usual security requests and projects or incidents.
Replace speed-of-light with speed-of-right.
By responding too quickly, your organization may play right into the hands of cybercriminals, who excel at exploiting human nature and security professionals’ innate eagerness to help, and at artificially elevating the sense of urgency with which organizations feel compelled to respond. In all things information security, it is imperative that we go slow to go fast.
Having a cybersecurity plan in place can help mitigate the panic-fueled impulses your team may get when disaster strikes. Working with a managed services provider, like Thrive, to evaluate your current IT stack and identify potential weak points, can help you bolster your cybersecurity posture. This will help reduce your organization’s downtime and increase its productivity due to mitigated interruptions. Contact Thrive today to learn more about how you can plan ahead and win the race!