“We hold these truths to be self-evident.” Those words from the Declaration of Independence are revered. But most “truths” should be approached with considerably more skepticism if one is to avoid the type of “group think” that the 9/11 Commission cited as a prime factor in our failure to anticipate the terrorist attacks on the Twin Towers and the Pentagon.
“For nearly two thousand years after the golden age of Greek civilization, learned men were content to answer virtually any question concerning the material universe by appeal to the writings of Aristotle, Ptolemy, or Euclid,” notes author James Case in his book Competition. “It just didn’t occur to them to perform even the simplest corroborative experiments,” he observes.
Today the scientific community and the business world operate within an empirical system where theories are continually tested against verifiable facts.
Or so we tell ourselves.
Often, however, we act on shared assumptions that are not well tested or that no longer match reality. A new book called Stall Points looks at how this happens with corporate strategies—and it’s not much of a stretch to see how it could afflict security strategies as well.
The authors studied hundreds of organizations and found that companies stalled when strategic assumptions—initially based on observations of competitors or markets—hardened into corporate doctrine that was no longer challenged, even as it became outdated. Co-author Derek van Bever, in a Harvard Business School podcast, explains that “the assumptions a management team holds most deeply and has known so long or so well that they are no longer actively debated, those are the assumptions that pose the greatest danger to growth.” You can substitute “risk assessment” for “growth” to see how the same could be true for security.
“What happens,” says van Bever, “is that assumptions migrate from an accurate depiction of the world to a dangerously misguided or obsolete perspective.”
As this occurs, there is often someone in the company who sees the real problem, but who can’t get management to pay attention, van Bever notes. That brings us back to the question of how to provide an antidote for “group think.”
One possible strategy is called crowd-sourcing, in which a company seeks answers not from a limited cohort of experts but from its entire work force, customer base, or the public at large. To relate it to security, consider that there may be someone among your employee population who—given the chance to solve a problem such as how to prevent tailgating—is able to come up with a creative solution that beats anything your security team envisioned.
We’re all proud of our expertise, but we should constantly reexamine what we think we know, and we should seek input from outsiders whose fresh perspectives may help us to discover the less-evident truths we have yet to divine.
Postscript: This Editor's Note in print and initially online attributed the quote about truths being self-evident to the Constitution. Shame on me. It's really the Declaration of Independence, as an alert reader pointed out.