However, what’s interesting is that the CISOs we spoke with say neither of these approaches
effectively solves the problem. Quantitative risk analysis isn’t the be-all and end-all. Just because a
risk is scored at 98 out of 100 doesn’t mean it will be remediated. Besides cost, the business
significantly influences the decision of whether to spend money. And most surprising to us, in
the end, many CISOs told us they ignore all their own data, vendor input and pundit whitepapers
and make a gut decision.
Let’s be clear: Gut decisions are not useful. Very often they’re based on a confirmation bias, also
called confirmatory or “my side” bias. That’s the tendency for people to favor information that
confirms their preconceptions or hypotheses, regardless of whether the information is true. If
you have a confirmation bias that laptop theft is the largest concern, whether it is or not, you
will find a way to get disk encryption to be the highest-priority project.
Avoiding confirmation bias can be difficult. The first step is to realize that we’re all prone to it.
If you have a tendency to collect a lot of information and then ignore it, or always find yourself
debating the rest of the organization on which threats are most imminent, you may be more
susceptible than average. Try this exercise: Ask your peers to honestly assess whether they think you frequently make decisions based on gut instinct. Listen to what they say, and understand
that it’s almost impossible to build trust with an information source—such as your risk
assessment team—if you have this tendency.