Specific to this story, we will narrow in on the risk management responsibilities and step through the pivotal decisions that led to misunderstandings, misreporting, and inaction. This scenario highlights a lesser-known concept: seemingly unbiased choices influenced by the fact that we think positively about the future. It is good to be positive, but it also gives way to an “it won’t happen to me” attitude. This condition is called optimism bias, and it can be detrimental to your success.
We take client confidentiality seriously. The events disclosed from this experience will not include names to protect the identities of those affected. Let’s continue.
Demands of the CFO
With MBA and CPA designations, this seasoned Chief Financial Officer (CFO) managed many executive-level responsibilities within this manufacturing company. Capital structures, performance measurement, budgeting, financial reporting, and risk management are some of the activities that kept this executive busy.
This CFO’s responsibilities are similar to those of many of you reading this article. Time and attention are limited, and at a moment’s notice your agenda for the day changes when the CEO, a board member, or an auditor needs information.
As in many of your organizations, the IT department reports to the CFO. When situations required meetings, this CFO demanded that sessions be limited to 30 minutes or less and that any proposed action items be limited to one page in length. This summary approach limits discussion of the trade-offs of one action over another.
A series of minor incidents that IT had not handled very well brought about a meeting where we planned to discuss their growing security-related concerns. Leading up to the meeting, the lead IT person disclosed that there were cybersecurity weaknesses within the company and that the CFO would not approve funding to address the problems.
We established ground rules for group participation during the collaboration, acknowledging that disclosed information might become uncomfortable. We expected new information to surface. We were not assigning blame or finger-pointing; we were participating to get better at protecting the business.
We discussed critical assets and loss event scenarios. Paraphrased, the CFO stated, “I have not experienced ransomware, and we will never see ransomware here.”
I wondered why this executive would make such a bold claim, so I asked. Paraphrasing the CFO’s response: “We are not a big publicly traded company, and besides, we have a cyber policy that we’ll probably never use. We are not that size of operation.”
I was surprised to hear this underestimated exposure from the person in charge of corporate risk management. The IT person had warned me, but why would this intelligent finance executive not take reasonable precautions against probable loss events?
Several weeks passed, and the CFO approved funding for limited discovery and three business process mappings. Assisted by the IT department and a few other departments, we quickly identified severe problems with processes, procedures, and controls that could significantly disrupt business operations.
Our findings and reasonable concerns were not limited to one page. We found that the staff was not in control of the environment as the CFO had presented. The lack of visibility into assigned responsibilities, task completion, misconfigurations, and the lack of controls contributed to significant exposure to loss events. Documentation was outdated, and no measurements or definitions for success were present.
Realistic and Unrealistic Expectations
The IT lead knew that this meeting would be uncomfortable. I give them credit for placing their ego on the shelf and supporting transparency. This person is growing as a leader, considering that much of the team’s time was devoted to repairs and responding to events. IT wanted executive support in protecting the company and understood that we were not a threat to them or their team.
The CFO viewed their personal judgment as that of an expert and broadly did not support IT’s recommendations. Inadequate understanding and bias prevented the CFO from making risk decisions objectively.
Several months passed, and they reached out to schedule a Zoom meeting. After digesting the information, the CFO was prepared to fund a limited set of action items. The CFO agreed that there was value in building a strategic plan to allocate resources better.
During the status update session, the CFO mentioned the recent board meeting, so I inquired about the board’s feedback specific to their loss exposure. Cyber risk had not been discussed with the CEO or during the board meeting. I was stunned and immediately worried as I tried to work out the deeper meaning of this information.
The Incident and Call To Action
The phone rang early that Sunday morning, less than two weeks before the scheduled work. “We think we have ransomware.” After quickly validating a few details, it was clear they had ransomware. All servers and every powered-on desktop and laptop were now encrypted.
The deficiencies cited in the earlier report complicated recovery efforts. The criminals had manipulated the backups, so there was no clear recovery point or recovery time. The CEO called an emergency meeting Monday morning. Once the incident’s significance was understood, escalations and notifications had to occur, as production was entirely disabled.
The company was offline for more than two weeks and incurred a direct expense of more than $1M for attorneys, disclosures, forensics, recovery, and hardening. The recovery team carefully restored the systems and applications to a secure and stable state. Several months of remediation and hardening followed, and eventually all systems were repaired, rebuilt, or replaced.
Parting Words and Sadness
The CFO reached out and requested a phone conversation. During that call, the CFO said, “I am leaving the company.” The CEO and board held the CFO responsible for the cyber incident. I felt sad, for this is a good person who had a lapse in judgment.
The parting words of our brief chat, paraphrased, were: “You and the team warned me, but I wouldn’t listen. I never thought ransomware would hit us. I am sorry.”
Are you listening?
When you find yourself looking for information to substantiate a decision you have already made, that is a big red flag: hit the pause button and examine the bias at work. Regret and expense will follow when you label the most impactful weaknesses as good enough.
What is Optimism Bias?
Optimism bias is the belief that we are more likely to experience good outcomes and less likely to experience bad ones. The key to optimism bias is that we disregard the reality of an overall situation, such as the need to secure business assets from criminal exposure, because we think we are immune to the range of adverse effects.
Unrealistic optimism, or comparative optimism, occurs in men and women, regardless of age. Throughout the decision evaluation process, people tend to favor information that reinforces what they already think or believe. These errors in judgment reflect an individual’s preference.
What is the danger of optimism bias?
As you just read, this CFO had a severe case of optimism bias that cost this person a high-paying position and the respect of many people. This period of overestimated asset security skipped strategy and execution in favor of hindsight and regret.
A subset of people refuses to believe that change or improvement is needed until they experience the situation firsthand. People will read about this event and still think their assets are secure and their controls are good enough. They will not apply this knowledge to their business, and that is a problem.
Why do we deceive ourselves? You know the positive feeling of acting even when the likely consequences are unfavorable. Is it the thrill of beating the odds? Every action has a cause and effect: overeating leads to weight gain, lying to broken trust, speeding to being pulled over.
None of these bias-driven distortions is sustainable.
What do the optimist and pessimist have in common? They are both likely to be wrong in their beliefs. Conversely, a realist can objectively look at a situation, consider the factors, including facts, and make better (unbiased) decisions.
What’s on your mind?
It is no surprise that everyone has biases. How do you protect yourself, knowing that you, your team members, and your stakeholders all have an optimism tendency? Do not allow this limitation to rob you of your potential.
Problems persist when the bias is not disclosed and considered within the scope of decision-making. Laying out a clear roadmap that leads to business success includes identifying prejudice, assumptions, and the associated pitfalls. Following the advice of Socrates: “It is better to change an opinion than to persist in a wrong one.”
You do not want to experience the destruction that follows from the “it won’t happen to me” fallacy. Deliberate and strategic action can minimize stress, business disruption, and financial loss. We look forward to collaborating with you.
We assist forward-looking executives and technical teams who will use shared knowledge and data to improve risk judgment calls and be more accurate. We believe that capital and time are terrible things to waste.
As a proud supporter of American companies, Certitude Security® is working diligently to inform leaders and facilitate essential asset protection priorities for businesses throughout the United States. If you are interested in learning about the empowering services that Certitude Security® can offer, visit our website or coordinate a time to speak to a team member today.