Lift and drag: confronting complacency and disrupting inertia in cybersecurity strategy

Newton’s first law of thermodynamics – known as the Law of Inertia – teaches that an object will not change motion or direction unless acted upon by some force or disruption. The mathematical predictability of an ordered state allows us to harness energy and produce reliable outcomes. Humans experience inertia every day, both positively and negatively. That experience shows that inertia can create resistance to constructive forces that produce and maintain a state of higher order.

The greatest enemy of success is…success

Within corporate cybersecurity, resistance (inertia) presents in a variety of forms. Individuals and institutions alike often face overwhelming peer pressure to “keep doing what made us successful in the past.” In the face of that pressure, it can be difficult to generate or sustain momentum toward higher-level goals after achieving even an intermediate milestone. For example, an organization that invests in program resources to meet the rigorous compliance standards of a cybersecurity control framework may stall in implementing next-level discipline to achieve essential operational efficiency and business enablement objectives.

Resistance can also surface as status quo bias, the tendency to avoid change even when presented with a more beneficial option. Psychological inertia, as it is known in medical literature, is prevalent in workplace change management because committing to the changes necessary to achieve higher-level objectives causes individuals to feel anxiety and fear. So, even though the workforce acknowledges the security benefits of a Zero Trust model, they resist the necessary changes in their daily routine.

In both instances, satisfaction with achieving the lower-level objectives of the cybersecurity program promotes complacency and resistance to committing to higher-level goals.

Getting past inertia

How do successful CISOs overcome organizational and psychological inertia to achieve high-performance outcomes within their cybersecurity program? There are a few general principles and practices that seasoned cybersecurity leaders follow to architect their strategy to effectively confront complacency and disrupt organizational and cultural inertia.

Principle #1: Inertia serves a useful purpose. It would be a mistake to regard all types of inertia in a negative light and ignore potential benefits. In the same way an airplane is designed for high-speed motion, but the runway is not, a high-performance cybersecurity program must be anchored in proven design and execution standards to ensure consistent delivery of high-value security services. Just as a fixed runway design must serve the various conditions faced by aircraft during takeoff and landing, the program must be adaptable without compromising its predictability. Successful CISOs and other cybersecurity leaders recognize that balancing both attributes, though often competing, must be a strategy priority — one that requires continuous tuning to deliver a program that meets the company’s evolving security demands.

Principle #2: Resistance to motion is a constant. Furthermore, higher rates of motion experience higher rates of resistance. Conversely, the absence of resistance signals the absence of motion. Don’t interpret a lack of resistance as a sign of cybersecurity program health. For those familiar with aerodynamics, it is common knowledge that aircraft must orient into a headwind to experience maximum lift at takeoff. Similarly, those who effectively lead their organizations toward high performance and consistently deliver effective cybersecurity solutions calibrate resistance and embed proven change management techniques in their strategic plans. Engage key business stakeholders to help define measurable outcomes and implementation strategy. Align program objectives meaningfully to the company’s values and celebrate early adoption. The highest-performing CISOs enlist advocates across the business and equip them to promote the individual and corporate benefits of the change, and to prepare their co-workers to be successful with new or updated tools and procedures.

Principle #3: Disruption is necessary. While it’s safe to say that most organizations do not promote a culture that welcomes or leverages disruption as a mechanism for constructive change, it is necessary to move the organization from comfort to awareness and then to action. In fact, most wildly successful organizations can point to one or more significant disruptions that served as the catalyst to overcome status quo bias and drive innovation. Disruptions may be planned or unplanned, direct or indirect, and created by external and internal forces. For example, aircraft safety has been significantly improved by disruptive (and often tragic) events, such as sudden loss of lift (“drag”) caused by the formation of ice on the body and leading edge of aircraft wings under certain conditions. As a result, engineers have developed sophisticated anti-icing and deicing systems to enable safe flight in adverse weather conditions.

Drop the FUD

Misuse of the FUD (fear, uncertainty, and doubt) tactic has been largely discredited and has a limited shelf life anyway. Instead, responsible cybersecurity leaders:

• Anticipate and plan for disruptions by hardening the environment against likely forces
• Brief the organization on appropriate responses to disruptions
• Continuously tune controls and processes to maximize resiliency

They leverage each disruptive event as an opportunity to evaluate current strategy and mobilize the cybersecurity steering committee to promote context-relevant program enhancements. No such event should be wasted as a vehicle to overcome complacency.

For the CISO, organizational complacency and inertia are constants. But factoring these forces into the intelligent program design of the cybersecurity strategy will promote and sustain motion toward high performance.