What Directors Should Know About Wonder Woman:
Design Thinking for Cybersecurity
by Brian Barnier
Directors’ duties increasingly entail strategies for protection from cybersecurity attacks. Yet most directors feel a clear lack of expertise in this complex topic. Perhaps the good news for board directors is this starting point: it’s not what we know that matters, it’s what we ask that makes the difference.
Consider this: films, in general, comprise two typical discoveries – a character’s self-discovery and that of her world.
Wonder Woman revolves around Diana of Themyscira’s quest to vanquish Ares, the God of War. Diana, despite her intelligence and strength, was wrong. Yet, she changed. In cybersecurity, how are problems framed? How quickly do people change? Do they have Diana’s sense of mission and urgency?
What Exactly Is a “Control”?
Pause your reading of this article. Write down your definition of “control.” Now ask five colleagues to do the same and compare notes.
Surprised?
If you walk through the woods with three specialists – an ecologist, an entomologist and a businessman – each will have different observations. Cognitive biases cause people to force-fit their mental models on experiences and concepts.
Investigating “controls,” we discover two origin stories.
Historically, accountants were cautious about applying financial reporting-style controls to business operations. In 1980, in a seminal study funded by the Financial Executives Institute (FEI), the authors “…found it very difficult, if not impossible, to develop a list of significant procedures that a company must perform or be judged lacking in internal control.”
Michael Cangemi, former CEO of FEI, International President of ISACA and COSO Board Member recalls, “I explored auditing internal control for Foreign Corrupt Practices Act compliance when I joined Phelps Dodge as Chief Audit Executive in 1980. Companies have always developed processes for ensuring the protection of assets and internal control. I found that internal control is different in every company, does not easily lend itself to frameworks or checklists and requires much more subjective auditing.”
What Is NOT a “Cybersecurity Control”?
As detailed in “Cybersecurity: The Endgame – Part One,” an unintended consequence of the Sarbanes-Oxley Act was the application of financial reporting-style controls to cybersecurity.
Dan Goelzer is the author of an insightful newsletter on PCAOB activities, Retired Partner, Baker McKenzie, and former Acting Chair, PCAOB.
He observes, “Operational controls are only secondary to financial reporting controls in the sense that, if they fail, you ‘only’ might go out of business – potentially devastating to you, your investors and your employees. If you don’t have good ICFR you might, at least in theory, go to jail. People should not, but sometimes do, confuse ICFR with cybersecurity controls. Preventing and repelling cyberattacks is far beyond ICFR.”
The two types of controls are entirely different in design, for entirely different purposes.
- ICFR – manage risk of accurate recording of financial consequences of tangible transactions that occurred in the past in a relatively stable system
- Automated – manage risk of cascading situations in the future in a dynamic system
Applying ICFR-style controls to cybersecurity is a definition error. Would you fly in a plane with ICFR-style controls? No! You want the automated avionics that move the flaps and ailerons.
Paul Sobel, former IIA chair and current COSO chair, summarizes based on the specific definitions of each type of control:
“When facing cyber risks, ‘reasonable assurance’ is not sufficient. ICFR with reasonable assurance was not designed to provide ‘as close to absolute assurance as possible.’ Lessons learned from designing industrial control systems can provide that assurance. Also, dynamic methods of managing risk are needed to survive in the fierce world of cyberattacks.”
Wonder Woman’s False Sense of Security
Wonder Woman embraced the unassuming Sir Patrick. His demeanor gave her reasonable assurance that he couldn’t be Ares. Diana was wrong.
For cyber pros, chasing the wrong types of controls is life on a gerbil wheel – high risk, little business impact, monster spend and unfulfilling.
Another false sense of security and blind spot was Diana’s “god killer” sword. It slew Ludendorff, but Ares casually destroyed it.
The misapplication of ICFR-style controls is a formal root cause of breaches, waste and pain. It warrants fixing with safer solutions.
- Cyber is a system so apply systems thinking.
- If you are already applying “systems engineering,” that’s good.
- But too much of systems engineering for cyber is narrowly focused on either 1) bringing security into app dev or 2) knitting together piece-part security tools. It doesn’t include the full scope of the system.
- It needs a more scientifically accurate view of a system – where anything with a causal impact is part of the system.
- Power-up cybersecurity and drive better business outcomes. Apply design thinking – the vanguard of cybersecurity.
- Design thinking for cybersecurity takes proven and practical critical thinking and systems thinking and adds a designer’s lens.
- This lens brings practical benefits such as 1) challenging the accuracy of preconceived views – just like Wonder Woman did – and 2) simplifying complexity.
Beginning Steps:
- Eliminate futile ICFR-style controls for cybersecurity
- Fix ICFR-style controls that are helpful, such as IT systems hygiene. But realize 1) they lack the mathematical reliability of automated controls, 2) their cost is excessive and 3) they can distract from safer actions.
- Focus on automated-style controls that work like IT systems reliability and engineering
- Outthink cyberwarfare enemies – embrace robust scenario analysis. Ask, “Would the scenarios make a good film?” (See The Operational Risk Handbook for more scenario workshops)
Here is a key challenge: the struggle to change has been researched since Plato, Aristotle and Thucydides, even in life-threatening situations. Organizational mass and inertia resist change. Overcoming them requires a catalyst.
Surprise – the catalyst for improvement is you!
Let’s finish our walk in the woods. As a cyber pro, compare your view to that of the ecologist who sees the wood’s ecosystem and the businessperson who sees its financial value. Individually, each specialist is limited by their own discipline and biases and misses the 3-D view. You expand your influence and impact by seeing what others miss.
Making Change Easier
- Reframe to clarify the real problem. Symptoms often mislead – discover alternative diagnoses, think differently. View cybersecurity as a system – the whole is greater than the sum of its parts.
- Address “hardwired” resistance. Have powerful but safe conversations and factor different perspectives to find root causes. Offer choices and reasons for change.
- Design the shortest path to an ideal future. Find accelerants – a transformation leader, an innovation/design lab or a professional coaching program. Why aren’t cyber pros coached and invited to such labs? Primarily because cyber isn’t viewed as value-creating.
It’s worth its weight in palladium to partner with coaches and innovators to generate the gift of value.
Design thinking, including envisioning alternative futures, is powerful. Facing cyberwarfare, consider five futures:
- Same cybersecurity methods, no change – worst future
- Same methods, more money and run faster – degraded future
- Minor improvements, more money and run faster – static future
- Cutting and/or fixing ICFR-style controls, onetime spend, improved operations – better future
- Fully fixing ICFR-style controls, applying automated controls, and shifting to a systems and psychology approach – best future
Which one would you pick?
In Summary:
- ICFR wasn’t designed for cybersecurity
- The opportunity cost of inaction is very high
- Valuable change is based on critical thinking, systems thinking and psychology – combined and applied by design thinking
- Your personal opportunity – generate the gift of value
Just like Wonder Woman and creative disciplines, design thinking has much to offer cyber to catalyze change.
Note: This article was adapted from Brian Barnier & Prachee Kale (2020) CYBERSECURITY: THE ENDGAME – PART ONE, EDPACS, Taylor & Francis
Brian Barnier
Brian is a Boardwise Partner who works with clients on analytics, risk management and cybersecurity challenges. He is also co-founder of www.thinkdesigncyber.com. He is known as the pioneer in bringing life-like scenario analysis and industrial-strength design thinking to cybersecurity and a leader in systems thinking and math in cybersecurity. Brian Barnier’s “CYBERSECURITY: THE ENDGAME” is the 2020 Article of the Year published in the EDP Audit, Control, and Security (EDPACS) Journal. He is the creator of CyberEd.io’s coursework on Critical Thinking and Design Thinking.