Don’t be a victim of continuation bias; it’s time to completely change your IT strategy in the face of the ongoing cyber threat.
You likely have no reason to know the name Walter Bailey. A lot of people owe him their life, though.
In 1977, Walter was a busboy at the Beverly Hills Supper Club in Kentucky. When a fire broke out, Walter (against the direction of his manager) stepped up to the microphone in an effort to get everyone out safely. He went to the stage in a room holding somewhere between 900 and 1,300 guests, all waiting for that evening’s main event: John Davidson. (Nobody cared in those days that the space had enough capacity and exits for 600 people.)
Several warm-up acts, including a comedian, had already performed. So, it’s easy to understand why the crowd didn’t exactly snap to attention when a busboy started telling people about the fire and instructing them to move in an orderly way to one of the exits. A few laughed, thinking it was part of an act. Most just dismissed him.
Four minutes later, the lights went out, and over the course of the next few hours, 167 people would die. The Beverly Hills Supper Club would become known as the location of one of the largest fires on record (and one of the deadliest).
Continuation bias and your budget. The death toll at the Beverly Hills fire was impacted by continuation bias. This is the bias that makes us want to stick with the original plan, even when we get evidence that reveals the original plan is a bad one. Call it tunnel vision. Call it being hard-headed. Call it whatever you like – continuation bias drives poor decisions even when circumstances demand we step back and take another look.
And this is why your nice, shiny, brand new budget is likely wrong (or at least part of it).
The problem. Cybersecurity is a charged word. It is something most do not understand, and also a word that has been used to instill fear in the market. The threat is real – the grandstanding, however, is not necessary.
With that in mind, the easiest way to understand the real problem with cybersecurity is to paint a picture from last year. I was fortunate enough to be able to present a breakout session last year at a conference for AEC leadership. That discussion was designed to make cybersecurity easier to understand and provide several low-cost/high-impact things that could bring more security to a business. Understanding a bit more about cybersecurity makes it easier to manage rather than something to be feared.
All week, I felt positive. I was encouraged because many speakers and participants brought up the importance of advancing cybersecurity awareness and preparedness – so I anticipated a crowd.
We got into our breakout room, which had seating for 50. When we finally closed the doors, we had … eight.
Eight brave people.
Thus, the empty chairs became a lesson. Those 42 empty chairs are the reason the AEC industry is headed for trouble. I left the conference feeling like the industry is taking an approach to cybersecurity like the kamikaze pilot who made 12 missions – real involved, but not real committed. A lot of words with marginal action. The talk is good, and I even met several firm owners who have taken the exact right steps. But they represent the minority.
The sum of these very disparate parts. This whole discussion likely reads like three very separate paths, so let’s bring them all together. There is easily a 95 percent chance your budget is wrong. If you rolled up your 2023 budget and did not add a minimum of 30 percent to your IT budget for addressing proactive cybersecurity needs, you are uncovered.
And by the way, that cybersecurity insurance policy won’t save you. In fact, the cybersecurity insurance market is non-sustainable on its current trajectory. Next year, you likely will not be able to afford it (and even if you can, the coverage will be so small it won’t matter).
How are you going to operate in an uninsurable ecosystem? Even if the industry is successful in creating an insurance captive, is insurance really going to be the primary line of defense? Proactively taking steps in your business to address cybersecurity is the one way you can minimize any threat that hits – which is the ultimate standard. Over time, everyone will be impacted by a cybersecurity event. The real question is how will you minimize the impact? (Especially if you held your IT budget flat or decreased it.)
This is where continuation bias enters the fray. Continuation bias is why you likely held your investment in IT steady. Even in the face of report after report of AEC industry cyber events, you likely felt that the path you have been on for years in IT is still the right one. If you are not completely changing your IT strategy in the face of the ongoing cyber threat, you are bowing at the altar of continuation bias.
“How in the world can I just add 30 percent to my IT budget for cybersecurity?” This is the right question to ask. The hard part is that you will have to divest in some areas to invest in your digital security. There is no other way (unless you just happen to have extra money floating around). Cyber threats should reprioritize your spending, just like the move from manual drafting to CAD did. If you created your budget for 2023 and didn’t reprioritize, your budget is just wrong.
It’s not too late. It’s just February. For those of you on fiscal instead of calendar operating years, you can be ahead of the curve. This is a difficult discussion, and it is difficult to make work. Your business is too valuable, though, to step over a dollar to save a nickel when it comes to cybersecurity.
Acknowledge reality and stop waking up every day hoping that tomorrow will be yesterday. The world is not going back, and the internet is not getting magically safer. Eradicate continuation bias from your business planning. The AEC industry needs its Walter Bailey. Who is going to step up and advocate for a different approach to cyber? When it comes to cybersecurity, be Walter.
Mark Hodges is chief growth officer at Edafio Technology Partners. Contact him at email@example.com.