cyber threat alliance

Instinct, Intelligence Key to Decisions ‘At the Speed of Intuition’

Despite enhancing the enterprise, the rise of digital business will continue to drive increasing numbers and diversity of cybersecurity risks. By 2025, board members and security executives will need to make informed decisions, fast, in accordance with that ever-expanding scope of risks, Gartner analyst Jeffrey Wheatman noted in his recent webinar, “Security Scenario 2025 – Outrageous Intelligence” (registration required).

CISOs and security risk-management (SRM) leaders theoretically should be leading the security discussion, but they often fail to communicate to board members in a way that promotes necessary change, Wheatman said. Gartner’s “sentiment-cognition model” is intended as a catalyst to help close that gap and more effectively communicate cyber risk at a board level.

The disconnect

Historically, CISOs and SRM leaders have gone with their gut when there’s too much data to make sense of, Wheatman pointed out—and it’s not always successful. Or, being experts in their field, they will rely on data-rich quantitative models to communicate risk. But non-security-experts (that is, most board members) tend to think qualitatively, not quantitatively. According to Gartner, these two traits tend to prevent SRMs from gaining the credibility they need to impact vital decisions around security risk. Cue the sentiment-cognition model—a four-quadrant approach used to help balance intelligence and intuition and build a common perspective between board members and SRMs.

Using the sentiment-cognition model

Gartner’s sentiment-cognition model measures risk sentiment along the model’s Y-axis, with apathy and outrage as the two extremes. On their own, each extreme is likely to cause negative outcomes. Apathy might yield numbness to threats, while outrage can lead to clouded judgement, creating disconnects among stakeholders about what is important.

Cognitive decision-making is reflected on the X-axis, with instinct and intelligence as the two extremes. Again, each extreme can prevent good decisions. Too great a focus on intelligence can result in “analysis paralysis,” while reliance on intuition—though valuable when scant information is available—can backfire when used as a long-term solution. Informed decisions (that may combine instinct and intelligence) made in a timely manner are more likely to resonate with all stakeholders, according to Gartner.

Instead of focusing on individual quadrants (e.g., “outrageous intelligence” or “apathetic intuition”), the model’s decision-making goal is to stay as centered as possible—like a balancing act among the four quadrants. However, it’s expected that movement towards intelligence on the X-axis will increase by 2025, as more reliable AI-fueled risk-management data becomes available.

Speaking the same language

Gartner emphasized the effective use of AI/machine learning, but reminds board and SRM stakeholders not to rely on it exclusively—even come 2025. Boards should encourage security teams to combine AI-provided intelligence with past experience and established best practices to drive decisive action. Intelligence should be used as a counterweight to intuition—hence the ongoing balancing act. Wheatman expressed that by 2025, boards should evaluate CISOs on their ability to “balance and ride”—a skill acquired through working with predictive analytics and AI. This form of evidence-based security will be a core business practice, leading to decision-making “at the speed of intuition.”

In addition, Wheatman stressed the need for qualitative communication supported by quantitative information. Providing data without interpretation is a recipe for miscommunication, he said. Instead, CISOs and SRMs should be encouraged to discuss risk in a way that resonates with everyone. Gartner also expects research in domains such as marketing, business intelligence, and social-sentiment analysis to be incorporated into the decision-making process, further helping CISOs gain a deeper understanding of risk sentiment. Ultimately, this will help them gain the trust needed to confidently lead at the frontline of cyber risk management.