With the members of my Group Mentoring and Coaching community¹, I recently conducted a deep dive into the topic of security, or rather cybersecurity (In the article, I'll use those two terms interchangeably).

The conversation turned out to be very interesting for a few reasons. On the one hand, there is a lot of interest and demand for support in this area that many leaders, especially first-time CTOs, struggle with. And secondly, we had a special guest in the session, someone with a wealth of experience in the cybersecurity space who is also a good friend and a former colleague.

In today's article, I'm going to share my reflections after the session and how they helped me frame the topic in a way that brought clarity to my thinking.

Let's start by exploring something fascinating about human psychology: recency bias.

Recency Bias and Cybersecurity

According to Wikipedia², Recency Bias can be defined as follows:

Recency bias is a cognitive bias that favors recent events over historic ones; a memory bias. Recency bias gives "greater importance to the most recent event", such as the final lawyer's closing argument a jury hears before being dismissed to deliberate.

We can observe recency bias constantly in how people think and behave: from people's tendency to change their minds based on the last person they spoke to to the reactive tendency to subscribe to anti-theft insurance or anti-burglar alarms once people have been victims of a robbery.

Unfortunately, recency bias often plays a key role in another area: cybersecurity incidents, especially those involving data breaches.

In a recent study, IBM found this to be true to a surprising level:

More often then not, an injection of investment in security arrives after a breach. Data breaches are often the catalyst for a substantial investment in a cyber security program. In fact, IBM found that nearly two-thirds of organizations increase security investments after a breach.³

Two-thirds is a lot! And it does make sense.

Such incidents are both painful and effective drivers for building awareness about a company's level of vulnerability and the real — not only potential — consequences of such an exposure.

How to use Recency Bias to your advantage

Let's assume you're dealing with a situation similar to the following common scenario.

You are in charge of your company's engineering team, a role that sometimes implicitly includes responsibility for cybersecurity.

Your company has never faced any severe security incidents. Or maybe it has, but they have gone undetected.

A general illusion of security stems from the anecdotal absence of incidents in the company history, a typical case of mistaking correlation for causality. We must assume we're safe because we haven't had any incidents.

The entire organization is so busy shipping out features to gain market share that whenever you try to bring up the topic of cybersecurity, you're welcomed with annoyed looks and comments about this not being a priority because we're behind on the target for this quarter or other similar reasons.

If you're a bit luckier, your executive team generally feels we should do something in cybersecurity without knowing what exactly and to what extent. People expect you to magically determine the precise amount of investment the company should make in it.

You might feel like you don't know how to get started in such a situation.

This is where exploiting — pun intended — recency bias can be an excellent way to kickstart the process.

There are three ways you can do that.

• The simplest one would be to wait until you are the victim of a cyberattack that seriously threatens your company. Clearly, it's not the recommended approach, though it seems pretty standard. But if, unfortunately, this is the situation you're facing, try to get the best out of it. Once the attack has been mitigated and you have dealt with the damages, you have an excellent opportunity to start advocating for a change in direction. Instead of trying to hide the impact the incident has had to avoid feeling embarrassed, you should be overly transparent with your entire organization and, more specifically, your executive team. Make sure to build clarity that a similar event will occur again in the future unless you start treating cybersecurity investments as an ongoing effort. As a result, your company should recognize the need to invest time and money to build better detection, protection, and reaction capabilities.

• A less dramatic and costly approach would be leveraging other companies' misfortune to build a sense of urgency. We are all well aware of widespread media manipulation approaches, where continuously talking about the same issue makes the general public more inclined to believe it's an issue that requires attention. Similarly, you can deploy a more benign form of the same approach to benefit your organization. Regularly sharing news about companies facing cybersecurity incidents and data breaches can be a powerful way to build that awareness⁴. It will add the benefit of improving your own understanding of the most common threats, emerging trends, etc. By following this approach, you won't get the intense knee-jerk reaction of being the victim of a direct cyber attack, but you can use it to build a more nuanced and sustainable level of awareness. Doing this consistently will ensure the topic stays fresh in people's minds. Don't expect that a couple of articles will be enough.

• A third approach, often combined with the previous one, is to “simulate” your incident. More specifically, you want to understand better how vulnerable your organization is to potential attack vectors. You're trying to answer the challenging question you might have heard so often: how can we quantify the risk we face? The simple and most cost-effective way of doing so is to engage the services of a company that will perform a set of activities on your company's infrastructure and codebase, starting from a pure black-box penetration test all the way to security auditing of your code. You should frame that as an investment in awareness/insights building and security improvements. While the latter is obvious, the first is often underestimated. You want to ensure the audit results are shared broadly within your organization, especially with the executive team. The scarier the results, the more you will want to make sure they're understood by decision-makers who will need to support your proposals of increasing investments in this area.

All these actions are inherently tactical, but you want to use them strategically. They will be the stepstone for building the required security and risk awareness in your executive team. Without that support, you'll be left waiting for the next major incident to strike your business before you can make any significant progress.

Once you've successfully established these foundations, you can start thinking more holistically about the whole topic.

There isn't a specific set of next steps you should take, as we're not going through a Hello Word tutorial here. Instead, you'll be evaluating different variables and factors to decide where to go next.

Next steps beyond cybersecurity awareness

Let's assume you've successfully established a solid foundation of cybersecurity awareness in your organization. You regularly perform pen tests and security audits, and you have an internal process for balancing the findings. Where do you go from there?

The answer, as it's often the case, is it depends.

There are a few factors you might want to consider to help you decide on the next move, and they include the following:

Company size and maturity

If your company is still in its early stages, burning through cash while trying to find product-market fit or sustainable growth, you might be OK keeping your security investments mostly at a reactive level. There is little at stake, and the deployment of defenses should be commensurate with that.

Keeping your focus on vulnerability detection and remediation regularly and a solid incident management process could be all you need at this stage. Like everything else in tech, there is such a thing as overinvesting in cybersecurity, and you want to avoid that as much as you want to prevent underinvesting.

Suppose your company is at a later stage, the ambiguous one commonly labeled as scale-up. In that case, you might consider a shift left on security, going from reactivity and post-facto mitigations to prevention. This is when you might consider hiring a Head of Security, CISO, or similar figure to help you shape a holistic cybersecurity strategy and agenda.

Finally, suppose your company is generating steady profits and has a solid market position. In that case, you will likely have recurring interactions with the board of directors on cybersecurity. You will set overall company targets for reducing the cybersecurity risk considerably going forward. You'll want a Head of Security/CISO to be in place and one or more security teams focusing on enabling the organization to go through different steps of the software development lifecycle, IT governance, and compliance with regulations.

Industry context

Some companies operate in highly regulated markets depending on a combination of their industry segment and the geographical locations where they offer their services.

GDPR is just the example most of us are familiar with. Still, plenty of regulations go beyond the privacy space and touch on the broader meaning of responsibility required for a company to operate in specific sectors, finance, and healthcare being the most obvious ones.

Keeping an eye on what is going on in some of these sectors is beneficial even if your company does not operate in them, as regulations tend to gradually expand to cover people's rights to see their personal data protected across all industries.

Operating in specific sectors will also require you to obtain security-related certifications such as SOC2, especially when offering services to B2B clients. That will apply even if your company is relatively small.

Other factors will also influence the decision to invest how much and where. These include the cybersecurity skills and competence of your team, the composition of your board of directors, and/or the profile of new investors putting money into your company.

Even your ability to keep up with the pace of new vulnerabilities discovered in your stack and the tension generated by the need to deliver software improvements is a signal that should inform your decision.

The bottom line is that you'll build your overall security strategy in increments, and during the early phases, this will be much more bottom-up than top-down.

Your ability to build a comprehensive cybersecurity agenda is a function of your ability to raise awareness and clarify the level of risk your company is comfortable facing in the early stages and how much you can evolve that sentiment as the company grows.

That responsibility lies with the person in charge of the engineering team.

It is one of the many areas where your ability to communicate and influence will be equally, if not more valuable than your hard skills in the domain.

If you found this valuable

If you found this valuable, here are other ways I can help you and your company:

1. Follow me on LinkedIn for regular posts on tech leadership throughout the week.

2. Contact me if you're interested in a Fractional CTO, Technical Advisor, or Board Member for your company.

3. Work with me 1:1 as your mentor and coach. I love working with driven and competent people in their specific situations and providing personalized guidance, insights, perspectives, and support.

   Thanks for reading Sudo Make Me a CTO! Subscribe for free to receive new posts and support my work.

   Pledge your support