Daniel Kahneman's most famous book, Thinking, Fast and Slow, describes two modes of thinking: one fast, based on immediate reaction and instinct, and another that is slower, more logical and deliberate.
As chief information security officers, we have to keep our long-term goals around risk in mind all the time.
At the same time, IT security teams face daily changes in the threat landscape, as new issues are discovered, new ransomware gangs launch their activities, and older threats rise and fall in importance.
Weaponization of the most significant vulnerabilities in 2023 had a mean time of 44 days, so in theory a slow approach, taking the time to get things right, should be the order of the day.
A mean hides the faster cases, though, so fast thinking is still necessary to prevent the attacks that arrive well before the average, and that can be hard to achieve across large organizations where tasks are distributed across departments.
Managing risk involves long-term planning and short-term response to fast-changing parameters.
IT Infrastructure, Fast and Slow
Enterprises have very different IT platforms in place.
All of these systems will have to be managed and kept secure, but the thinking and processes that take place around them typically call for different mindsets.
These systems have to be protected against threats, yet the risk of downtime caused by the protection itself is often seen as an even bigger risk to the business.
The theoretical threat of a missed patch has to be compared with the very real risk of lost revenue.
In these circumstances, a logical and methodical approach to measuring risk is necessary.
Elsewhere, security processes have to respond automatically when required.
As changes take place within our CI/CD pipelines, our security processes should react in step with them.
Managing Risk Means Thinking Fast and Slow Together
For CISOs, approaches like shift-left security should allow developers to improve the security of their code and their pipelines.
These approaches rely on collaboration between security and developer teams to work.
What looks like a quick win and a way to automate security effectiveness actually relies on slow and methodical thinking around collaboration.
The greatest challenge here is that managing risk demands both fast responses and strategic thinking to be effective.
To reduce risk, CISOs have to understand issues in context and score them appropriately.
Reducing each issue to a single score lets risks be ranked against each other.
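One way to make that contextual scoring concrete, as an added example and not code from the article or any vendor: fold a CVSS base score together with the context the CISO actually cares about (internet exposure, known exploitation, asset criticality, and the downtime cost of patching, the "lost revenue" side of the trade-off above) into one comparable number, then turn that number into an action. The weights, thresholds, field names and sample findings are all assumptions constructed for this example, not a published standard.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One vulnerability on one asset, with the context a CVSS base score lacks.

    Every weight and threshold in this module is an illustrative assumption
    for this example; an organisation would tune them to its own risk appetite.
    """
    name: str
    cvss_base: float             # 0.0-10.0, taken from the advisory
    internet_exposed: bool       # reachable from outside the perimeter
    exploited_in_wild: bool      # known active exploitation
    asset_criticality: int       # 1 (lab box) .. 5 (revenue-critical)
    patch_downtime_hours: float  # expected outage to remediate


def likelihood(f: Finding) -> float:
    """0..1: how likely exploitation is here, not in the abstract."""
    if not 0.0 <= f.cvss_base <= 10.0:
        raise ValueError("cvss_base must be 0-10")
    # The base score only sets the ceiling; exposure and active exploitation
    # decide how much of it applies to this particular asset.
    modifier = 0.4 + 0.3 * f.internet_exposed + 0.3 * f.exploited_in_wild
    return (f.cvss_base / 10.0) * modifier


def impact(f: Finding) -> float:
    """0..1: what the business loses if the asset is compromised."""
    if not 1 <= f.asset_criticality <= 5:
        raise ValueError("asset_criticality must be 1-5")
    return f.asset_criticality / 5.0


def risk_score(f: Finding) -> float:
    """Single 0-100 number so findings can be ranked against each other."""
    return round(100.0 * likelihood(f) * impact(f), 1)


def decision(f: Finding) -> str:
    """Turn the score into an action, weighing patch downtime against threat.

    The first rule is the fast reflex: exposed and actively exploited gets
    patched regardless of score. The rest is the slow, deliberate weighing of
    a theoretical threat against very real downtime.
    """
    score = risk_score(f)
    if score >= 60.0 or (f.exploited_in_wild and f.internet_exposed):
        return "patch now, out of band"
    if score >= 25.0:
        if f.patch_downtime_hours > 8.0:
            return "schedule in next planned maintenance window"
        return "patch in next change cycle"
    return "track; accept for now"


def prioritise(findings):
    """Findings ranked highest risk first, each with its score and decision."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.name, risk_score(f), decision(f)) for f in ranked]


# Constructed sample findings for this example; not real assets or advisories.
SAMPLE = [
    Finding("lab-jenkins",     9.8, False, False, 1, 0.1),
    Finding("edge-vpn",        9.8, True,  True,  5, 0.5),
    Finding("plant-plc-hmi",   6.5, False, True,  5, 12.0),
    Finding("customer-portal", 7.5, True,  False, 4, 1.0),
]

if __name__ == "__main__":
    for name, score, action in prioritise(SAMPLE):
        print(f"{score:5.1f}  {name:16s} {action}")
```

The point the ranking makes is the one the column makes in prose: two findings with the same 9.8 base score end up at opposite ends of the list, and the plant controller with a lower base score but a 12-hour patch outage is deliberately held for a maintenance window rather than being treated as a reflex patch.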
By looking at security with both a fast and a slow mindset, we can try to achieve the best of both worlds.
This Cyber News was published on www.darkreading.com. Publication date: Mon, 01 Jul 2024 14:00:09 +0000