Thinking About Security, Fast & Slow
To be effective, managing risk demands both fast responses and strategic thinking.
COMMENTARY
Psychology professor Daniel Kahneman recently passed away. His most famous book, Thinking, Fast and Slow, discusses how we have two methods of thinking — one based on immediate reactions and instinct, and another that is slower, more logical and considered. This book can encourage us to look at how we think through our tactics, operations, and strategic plans, and where we can improve them using psychology and human understanding. For example, how can we understand these modes of thinking and use them to achieve our strategic goals around managing risk? More importantly, can we change our approaches and get the best of both modes of thinking?
As chief information security officers (CISOs), we have to have our long-term goals around risk in mind all the time. Keeping our organization secure and company data protected encompasses a range of different skills, forethought, and planning. At the same time, IT security teams face daily changes in the threat landscape, as new issues are discovered, new ransomware gangs launch their activities, and older threats rise and fall in importance. Responding to patches needs to be done quickly in order to keep ahead of potential exploitation and weaponization — according to our research, the average time to patch is around 30 days.
Weaponization for the biggest vulnerabilities in 2023 had a mean time of 44 days, so in theory, taking a slow approach and getting things right should be the order of the day. However, around a quarter of weaponized threats appeared on the same day that the patch was released. Fast order thinking is therefore necessary to prevent these attacks, yet this can be hard to achieve across large organizations where tasks are distributed across departments.
Managing risk involves long-term planning and short-term response to fast-changing parameters. The biggest mistake is missing where planning ahead is required to make reactions easier and more effective. One CISO mentioned to me that he feels like he is trapped in a hamster wheel, forever running but not getting where he needs to go. Instead, we have to unify our view of risk so that we can make the right decisions in context.
IT Infrastructure, Fast and Slow
Enterprises have very different IT platforms in place. Traditional IT assets in data center environments will rub shoulders with new cloud-native applications and containerized systems where the average lifespan for a container is around five minutes. All of these systems will have to be managed and kept secure, but the thinking and processes that take place around them typically call for different mindsets.
Traditional IT assets typically are high-value investments that will not be replaced for years. These systems are often responsible for revenue-generating activities, and businesses will not be willing to take them out of commission for downtime and updates to be applied. These systems have to be protected against threats, yet the threat of them being affected by downtime is seen as an even bigger risk to the business. The theoretical threat of a missed patch has to be compared with the very real risk of lost revenue. In these circumstances, taking that logical and methodical approach to measuring risk will be necessary.
For modern applications, adopting a slower approach will not keep up with the sheer pace of change taking place. Security processes have to respond automatically when required. As any changes take place within our CI/CD pipelines, our security processes should react in line.
Managing Risk Means Thinking Fast and Slow Together
For CISOs, approaches like shift-left security should allow developers to improve security over their code and their pipelines. Yet these approaches rely on collaboration between security and developer teams to work. Saying that you have shifted security left is one thing; actually making the changes in working practices is another. What looks like a quick win and a way to automate security effectiveness actually relies on slow and methodical thinking around collaboration.
The greatest challenge here is that managing risk demands both fast responses and strategic thinking to be effective. Plans made in the past may have to shift based on new evidence, while the ability to react quickly may depend on decisions around areas like infrastructure taken years before.
To reduce risks, CISOs have to understand issues in context and score them appropriately. Getting a single score helps categorize risks against each other. You can then solve those issues based on the most effective measure, whether that is fast order responses or more strategic changes over time. You can get off the hamster wheel and concentrate on longer-term results. By looking at security with both a fast and a slow mindset, we can try to achieve the best of both worlds.
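As an added illustration of the single contextual score described above, and of the split between long-lived traditional assets and short-lived containers discussed earlier, here is a small triage routine. It is example code written for this page, not the author's method or any vendor's product: the weights, the 7.0 "fast lane" threshold, and the sample findings are all assumptions chosen to make the idea concrete. Each finding carries a base severity, whether the issue is known to be weaponized, how long the patch has been available, how critical the asset is to the business, and whether the asset is a traditional system or a container. The routine folds those into one score, ranks the findings against each other, and then assigns each one to a fast (automated or emergency) or slow (planned change window) response lane.

```python
from dataclasses import dataclass

# Response lanes: "fast" means automated pipeline action or an emergency change,
# "slow" means a planned, methodical change that weighs patch risk against downtime.
FAST = "fast"
SLOW = "slow"

# Assumed threshold above which a weaponized issue on a traditional asset
# justifies an emergency change despite the downtime cost.
FAST_THRESHOLD = 7.0

# Assumed reference point for "time since patch", matching the ~30-day average
# mentioned in the text.
PATCH_WINDOW_DAYS = 30


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    base_severity: float      # 0-10, a CVSS-style base score
    weaponized: bool          # public exploit or in-the-wild use is known
    days_since_patch: int     # how long a fix has been available and not applied
    asset_criticality: float  # 0-1, how much revenue/operations depend on the asset
    asset_kind: str           # "legacy" (long-lived) or "container" (short-lived)


def context_score(f: Finding) -> float:
    """Combine severity with business context into a single 0-10 score (assumed weights)."""
    # Scale severity by how much the business depends on the asset:
    # a non-critical asset keeps half the base score, a critical one keeps all of it.
    score = f.base_severity * (0.5 + 0.5 * f.asset_criticality)
    # Known weaponization turns a theoretical threat into an active one.
    if f.weaponized:
        score *= 1.5
    # An unpatched window approaching the 30-day average adds up to 2 points of urgency.
    score += 2.0 * min(f.days_since_patch, PATCH_WINDOW_DAYS) / PATCH_WINDOW_DAYS
    return round(min(score, 10.0), 2)


def response_lane(f: Finding, score: float) -> str:
    """Decide whether the finding is handled with fast or slow thinking."""
    # Containers live minutes, so the fix is a rebuilt image rolled out by the pipeline.
    if f.asset_kind == "container":
        return FAST
    # On a traditional asset, only a high-scoring, already-weaponized issue outweighs
    # the very real downtime risk of an unplanned change.
    if f.weaponized and score >= FAST_THRESHOLD:
        return FAST
    return SLOW


def triage(findings: list[Finding]) -> list[tuple[str, float, str]]:
    """Rank findings by contextual score and attach a response lane to each."""
    ranked = [(f.vuln_id, context_score(f), response_lane(f, context_score(f))) for f in findings]
    return sorted(ranked, key=lambda row: row[1], reverse=True)


# Constructed sample findings (identifiers and values are made up for this example).
SAMPLE_FINDINGS = [
    Finding("VULN-A", base_severity=9.8, weaponized=True, days_since_patch=1,
            asset_criticality=1.0, asset_kind="legacy"),
    Finding("VULN-B", base_severity=7.0, weaponized=False, days_since_patch=30,
            asset_criticality=0.5, asset_kind="container"),
    Finding("VULN-C", base_severity=5.0, weaponized=False, days_since_patch=0,
            asset_criticality=0.0, asset_kind="legacy"),
    Finding("VULN-D", base_severity=6.0, weaponized=True, days_since_patch=0,
            asset_criticality=0.5, asset_kind="legacy"),
]

if __name__ == "__main__":
    for vuln_id, score, lane in triage(SAMPLE_FINDINGS):
        print(f"{vuln_id}: score={score:<5} lane={lane}")
```

Running it ranks the weaponized issue on the critical legacy system first and sends it down the fast lane, sends the container finding to the pipeline regardless of its middling score, and leaves the two remaining legacy findings for a planned change window. The weights are the part a CISO would tune: the point is that the ranking and the fast/slow decision come from one shared view of risk rather than from whichever team shouts loudest.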