Author Michele Wucker published her book The Gray Rhino: How to Recognize and Act on the Obvious Dangers We Ignore in 2016, but it really took off in the US this year.
“This spring with the arrival of the coronavirus was a perfect metaphor for things that some people did see and talk about – and look at where we are right now,” Wucker said. “We’re in a big mess, much of which could have been avoided.”
Michele Wucker defines a Gray Rhino as a “high impact, obvious and probable” threat that “we twist ourselves into a pretzel to avoid seeing or confronting.” To FAIR Institute Chairman Jack Jones, that sounded a lot like the mindset of cyber risk management as it’s so often practiced, based on undisciplined, model-free qualitative analysis – even as data breaches and other loss events continue. Jack invited Michele to sit down for a keynote conversation at the 2020 FAIR Conference to see what the FAIR community could learn from Gray Rhinos about persuading their organizations to adopt FAIR. Here are some of the key points from the conversation:
Recognize the biases that you’re up against
Michele identified four common types.
- Denial – often a necessary defense mechanism when confronted with a big problem but it shouldn’t be allowed to continue for long
- Solution aversion – if the solution is really unpleasant
- Optimism bias – we hear the things we want to hear
- Group think or confirmation bias. “We are much less likely to pay attention to red flags and alternative points of view when we are in a group and that is stronger the more homogeneous the group is…The real answer is to get the knowledge that you need.”
“Solution aversion sounds like a lot of the arguments against better risk management,” Jack commented. “People resist change to the way they think about and deal with risk, so they argue that current approaches are just fine.”
A sense of powerlessness to change things perpetuates the status quo
When teams feel they lack “agency” to make change, “the temptation is to give in to the gremlins in our heads,” Michele said. To Jack, that sounded familiar: “Many boards and executives express frustration regarding vague and difficult-to-interpret security metrics…When the efficacy of the options we are presenting is vague and the organization is told it has to do some particular mitigation because it’s required or considered best practice, there’s clearly going to be a lack of agency.”
“The way to get people to do big things is to start them out with the little things”
That message from Michele lines up with the advice from many FAIR practitioners who successfully established a quantitative risk management program – win converts with small analysis projects of high relevance to stakeholders.
The 5 stages of recovery for dealing with Gray Rhinos
Michele works with clients to get through these steps – food for thought for planning a FAIR introduction.
1. Denial. At a minimum, get the organization to acknowledge the Rhino.
2. Muddling. The team focusses on obstacles and inertia.
3. Mindshift. Let’s focus on what it would actually take to solve the Gray Rhino.
4. Urgency (or panic). Doing something just to do something – alternatively, freezing.
5. Action. “It often starts with a critical mass of people who are trying to get other people to move – the people ahead of the curve, the mavericks…You also want to identify the stakeholders who can affect the outcome and move them closer to it.”
Jack’s comment: “The stages you describe sound all too familiar to me.”
If you were a registered attendee of the 2020 FAIR Conference and missed the Gray Rhino session, you can return to the virtual conference venue to view the video for 30 days.
See more of the conversation between Jack and Michele: watch this video they recorded earlier this year.