In an August 6, 2020 Wall Street Journal article titled Pandemic Elevates Security Chiefs to Corporate Leadership Roles the authors, Catherine Stupp and James Rundle, state, “Corporate cybersecurity leaders are gaining prominence within companies as they grapple with rising security threats during the coronavirus pandemic.” They go on to say, “The role for corporate security chiefs now goes well beyond tech bugs and hacker tracking to encompass broader business risks.”
Michael Piacente, the co-founder and managing partner of Hitch Partners, explains this role change by saying, “Executives and boards are bringing them into the fold a lot more often. The executives and the board recognize that they’re a trusted advisor on what’s going on right now.”
As this role change – driven by the changing environment caused by the pandemic – evolves, the “Fixed Mindset” mental model of “This is the way we have always done it”, must be assessed across the enterprise and changed. Most minds choose to approach a situation and ask, “Which ideas do I already love and know deeply, and how can I apply them to the situation at hand?” In psychology this is known as the availability heuristic and its power is well documented.
We all have mental models: the lens through which we see the world that drives our responses to everything we experience. Being aware of your mental models is key to being objective.”― Elizabeth Thorton
The models are a latticework of beliefs and ideas that a person either consciously or unconsciously forms based on education, knowledge gained through life experiences and living vicariously through the experiences of others.
The pandemic is causing security chiefs and their teams to be more innovative in their tactics, flexible in their strategy to deploy tactics at a Tempo1 that exceeds that of the adversary and quick to seize the opportunities presented by the change in conditions.
It has been suggested that when a condition2 change (i.e. the pandemic) occurs, causing our situation relative to that condition to change, the appropriate response is to question our current mental models. This process is called reframing and only after the underlying assumptions of the current mental models are known and questioned, can an individual or organization open themselves to a new perspective and the possibility of creating new mental models.
In order to make the necessary changes to satisfy the responsibility of the new role, the mental models used to create the current cybersecurity information security program must be assessed and updated. Mental models are some of the most powerful mental tools at a person’s or organization’s disposal.
Mental models are complex and rooted in human nature. They affect how we see conditions and the opportunities presented by those conditions to our current situation.
Depending on how we use the mental models available to us, they can be incredibly constructive or destructive.
Existing models can be a barrier to the change we want to achieve. Humans are normally very resistant to challenging and changing their current perception of reality. They generally have a tendency to reject data that does not support an already existing assumption. While ingrained mental models are often the greatest barriers to implementing new ideas in organizations, they are also the area of organizational learning where organizations can make the most significant impact. The mindset of the organization must change from the previously mentioned “fixed mindset” to a “growth mindset”. A growth mindset is the vehicle that enables leaders to become paradigm-busters by stepping outside their existing (preconceived) mental models and keeping pace with the ever-changing threat environment they are chartered to defend the organization against.
Leaders must be able to overcome the limitations of their personal mental models, which are often the barriers to achieving the mission. In their new role, cybersecurity leaders must be able to influence organizational culture change, train their team and develop a new understanding of the environment. If these leaders are to motivate the development of innovative, but feasible, strategies to meet the continuously changing challenges of data security, current mental models, at a minimum, must be assessed.
Leaders must prioritize this fundamental leadership principle:
The only irreplaceable capital an organization possesses is the knowledge and ability of its people. The productivity of that capital depends on how effectively people share their competence with those who can use it.”― Andrew Carnegie
Sharing and learning involves a “movement of mind” and through that learning the individual and/or organization recreates themselves. Learning is best explained as “an interaction among practitioners” rather than a process by which a producer provides knowledge to a consumer. The capacity to learn enables individuals and organizations to solve security concerns (i.e. gaps and vulnerabilities) and, at a minimum, maintain the Tempo of the changing context of the adversarial threat.
However, organizations are not the reason people learn; they are there to help them learn more effectively. Organizations must ensure that conditions exist in which people can continuously learn. By enforcing an organization’s ability to learn, the organization is able to assess reality, develop better situational awareness to that reality and make better informed decisions that lead to successful actions. Such a capability is crucial for survival in the highly complex and continuously changing data security environment.
To be effective in the effort to reframe mental models, basic ideas taught in the “101” course of each fundamental academic discipline need to be added to the latticework of the organization’s mental models.
The construction of a cross functional team that is so often encouraged will be valuable in this effort. If the security team includes members skilled in many of these disciplines, the dynamic of the team can change significantly for the positive. These basic ideas are the foundation on which to build the mental model latticework should be the focus in the learning effort. Scenario development and testing through training such as war gaming exercises will serve to further develop these new mental models.
Having multiple mental models improves flexibility in the decision-making process and is a significant tool for overcoming the principle of human nature to be creatures of habit. This principle causes individuals to follow simple reproducible patterns and continue to follow them until their behavior becomes predictable to the adversary and unproductive for the organization. Additionally, having models that provide similar levels of comfort regarding the decision that must be made can minimize this human nature principle and result in a behavior that leads to success.
The overarching goal is to build a powerful tree of the mind with strong and deep roots, a massive trunk and lots of sturdy branches. These new models become some of the “leaves” we hang on the branches along with the experience we acquired, directly and vicariously, throughout our lifetimes. The “leaves” added due to the experiences with the pandemic can be invaluable to planning for post-pandemic.
In cybersecurity, having a large number of mental models based on a diverse set of disciplines and making them vivid and available in the OODA (Observe, Orient, Decide, Act) Loop3 problem solving process is extremely advantageous in such a situation. That diversity may lead to a decision that otherwise may not have been made.
This tree of the mind will have a great effect on planning. Planning in many organizations is simply a projection of their current mental models into the future. It becomes simply projecting the status quo with a new date. The underlying reason for this is mental models which limit the individual or organization to familiar ways of thinking and acting with the result being that our projections of the future suffer from basic assumptions that are generally invalid.
It must become standard procedure in every planning scenario to challenge existing mental models. Only when assumptions in mental models are identified and tested, can an organization continuously adapt and improve.
In cybersecurity, existing mental models must be “reframed” and new models constructed if an organization and, more specifically, its security team is to be prepared for the adversary’s change in Techniques, Tactics, and Procedures (TTPS). How an organization performs that reframing is crucial.
Quantum physics tells us that nothing that is observed is unaffected by the observer. That statement, from science, holds enormous and powerful insight. It means that everyone sees a different truth because everyone is creating their perception based on existing mental models.
At a time of chaos and uncertainty, a good idea we are comfortable using may get us in way more trouble because we ignored the fact that all ideas have limitations and in this situation those limitations have not been considered. The antidote for such mental overreaching is to add more mental models to our mental palette – expand the repertoire of ideas and force a focus on choosing the ideas that create the best decision to act on which strengthens our comfort/confidence in using them.
You’ll know you are on the right journey in building mental models when your ideas start to compete with one another. Letting the models compete and fight for superiority and greater fundamental truth during the “Decide” phase of the OODA Loop is what good thinking and, ultimately, good decision making is all about.
The winner in a cyberwar conflict will have the better strategy for using the weapons available to them in the engagement. As Sun Tzu says, “The able commander is skilled in strategy”. In the execution of that strategy, mental models have greater influence over the outcomes than decisions and actions because both will be determined by the mental models they use.
The weapons used in the execution of that strategy should be founded on tested mental models employed by a trained and well-prepared security team.
Some tips for mastering the use of mental models are:
- Be aware of your thinking; ask yourself provoking questions.
- Gather information to challenge your current thinking.
- Share your thinking with team members who possess different skills.
- Don’t jump to conclusions; suspend your assumptions; consider alternative mental models that are part of the latticework you have created.
If we agree that the cybercriminal is continuously changing their mental models (or perspective) on the least costly and most likely to succeed attack vectors, why are those of us involved in protecting critical digital data either failing to respond at a similar manner, or not at all, to the change in the threats to our business viability?
1 Tempo is relative speed in time and the competitor who is able to respond faster that the opponent can identify opportunities and make decisions that force the opponent into a constant state of reaction; eventually breaking their will to continue.
2 Condition, in the terms of Sun Tzu, is something over which we have no control. The pandemic has resulted in the situation with respect to the chief security officer’s role to change.
3 The OODA Loop was developed by Airforce Col. John Boyd and applied to the combat operations process. It is often being applied to understand commercial operations and learning processes.