The Case for Lean Cybersecurity Leadership

Few would expect that adding resources to a critical operational area could compromise its effectiveness. But as organizations beef up their cybersecurity teams in response to the growing threat and cost of cybercrime, they may be inadvertently blunting their ability to accurately assess their own exposure to risk.

Businesses' natural response to growing cyber risk has been to invest in and grow their cybersecurity capabilities, including creating new leadership roles for safeguarding the confidentiality, integrity, and availability of organizational data. However, our research uncovered a surprising paradox that can render such expansion counterproductive. We found that experienced security teams can exhibit a collective overconfidence that makes responses to cyberthreats less effective. While leaders might expect that adding senior-level positions to a cybersecurity team will improve its capabilities, doing so can increase this organizational overconfidence, with potentially catastrophic effects on IT security.

This phenomenon of decision-making bias stemming from overconfidence, referred to as illusory superiority, has been found in other settings as well. Under certain conditions, people — regardless of their competence level — overestimate their abilities, skills, or qualities relative to those of their peers. There are clear downsides to illusory superiority: Individuals tend to engage in more risky behaviors, underestimate the effort needed to complete a task, and disregard valuable feedback. Overestimating one's own ability can also harm teamwork and result in suboptimal personal and group outcomes.