Addressing Macro vs. Micro Behaviors in Cybersecurity

As Chief Information Security Officers (CISOs), we often see ourselves as change agents inside our organization and are often judged on our ability to introduce and maintain a security culture.  But, fundamental change is hard and often seen as disruptive by those charged with the day-to-day management and product development inside our organizations.


Most of our organizations are overtaxed due to shifting/disruptive market forces, complex regulatory requirements and competing priorities among other things.  For most CISOs, these forces drive compromises that hurt rather than help security.


Harvard Business Review recently looked at what it deemed as “The Biology of Corporate Survival” indicating there is tension between what is beneficial for individuals within the company and the market as a whole.  Ultimately, it is unhealthy to maintain existing, unhealthy technology behaviors inside our organizations because it limits our ability to change and evolve.  Those practices not only lead to poor cybersecurity practices, but, often lead many organizations to fail or lose market share over time.

If we look at IT security in the private sector today, most organizational strategies focus on changing micro behaviors through initiatives like security awareness and corporate risk management programs.  Those changes are worthy of our efforts, because they help evolve an organization to address both today and tomorrow’s cybersecurity challenges.

When championing micro level behavioral change, we’re seeking to influence change on a small-scale - influencing individual change, change within a team or organization.  Often, working inside an organization is the limit to a CISO’s remit. Macro change seeks to influence an industry sector, market or society - where most CISOs have little influence.  

If we continue to focus solely on the micro side of behavioral spectrum without exploring the macro side - changing behaviors that influence the entire tech ecosystem, we will continue to live in a world where cybersecurity risk outpaces our ability to manage it.  That’s the true challenge behind The Cyber Conundrum.

So, how do we influence change at the macro level - inside our broader business ecosystems or across multiple business ecosystems?  We will need strong leadership in the public and private sectors to present a firm call to action to address the macro level behavioral changes.  These leaders must develop a comprehensive strategy that will motivate others and drive momentum for our moonshot.

We know from our study of moonshots in The Cyber Conundrum that we have a way of solving very difficult—even impossible—challenges as long as we coordinate our collective efforts to find a solution.  Our solution must involve solving big macro problems - the speed-to-market at the expense of security paradigm, make application security intuitive or automatic and must be driven public policy incentives, penalties and by technology buyers demanding better security and lower total cost of technology ownership.

Right now, we don’t have momentum, but a movement is building for a consolidated strategy. The question is, will we kick off our moonshot now or will we wait until it’s too late?  


Peter Chronis