Rescue Diving and the Psychology of Security & Privacy Incidents
In scuba diving, the most common cause of emergencies is poor judgment. In my professional experience advising senior executives and technical teams, the same is true with regards to cybersecurity and privacy incidents. In both environments, the majority of issues are actually preventable and can be traced back to a poor decision that kicked off a series of events and culminated in trouble.
One of the most critical skills in rescue diving is the ability to proactively and automatically assess situations, considering potential hazards and how to handle them. Poor judgment in identifying potential risks or how we respond to them sets the stage for emergencies — in diving, and in security and privacy.
As I’ve said before, not every security or privacy incident results in a major breach or stems from a software vulnerability. Many start as an overlooked instance of poor judgment, like failing to account for potential abuses facilitated by your product or service, not treating account authentication systems as tier 1 services with your production engineers, or ignoring damaging rumors about your data practices. Every incident has the potential to grow infinitely worse in scope and impact as poor judgment snowballs from one bad decision to another depending on how an organization responds.
From a communications perspective, it’s never wise to treat security and privacy as reactive-only. Waiting for bad things to happen is the definition of a communications team punching above their weight. Savvy communications, security, and privacy teams are in the weeds together every day, proactively assessing situations and how to handle potential hazards.
To be clear, this does not mean every security and privacy team needs a public profile or publicity (reminder communications!=publicity), but it does mean that the folks you trust to make decisions during an emergency should be doing everything they can to prevent emergencies from happening in the first place.
After more than a decade advising tech companies on security and privacy issues, I’ve found there are three primary symptoms of poor judgment — red flags that indicate an incident was either avoidable or made more severe by the response.
Cutting Corners
I find poor judgment difficult to forgive in situations where credible roadmaps and best practices exist. For example, I once reviewed a proposal for a controversial product based on a sample size of eleven users. Eleven. No consideration for representative demographics or use cases. Reliable and scientifically sound market research would take much longer and cost more money, so it was simply skipped and the product launched without adequate data to defend it.
Tasked with explaining to external stakeholders how privacy was balanced against other considerations, the team’s cutting corners left me with one hand tied behind my back. As expected, the product did not land well with users and was justifiably criticized by privacy advocates around the world. It became a major PR issue for the company and stalled launch plans for the product in several markets.
Yet, everyone from the product director and engineering leads to the PR and marketing teams involved contributed poor judgment to a series of decisions that started with “how do we decide what to build?” and led to a significant and costly (yet avoidable) hurdle for the business.
Similar situations can arise when developers cut corners on code analysis or fail to close follow-up tasks from a previous incident. Communicators tend to hold their tough questions until it’s time to prepare for external engagement — but what if we asked them earlier, in the moments where we can influence and guide teams to develop better judgment?
Insufficient Preparation
The most effective responses result from teamwork and preparation. And although there are several reasons why proactive and ongoing preparedness is crucial, one of the most important aspects for me as a communications advisor is the benefit of giving team members something they can control.
The human brain is not optimized to support complex cognitive function under duress, that’s why good response professionals are relentless about keeping their training fresh and relevant. By thinking about what may happen and how you need to respond, you’re mentally preparing to override the hindbrain’s natural “fight or flight” response.
Good preparation increases the speed and efficiency with which we can handle an emergency, so making it a habit to constantly prepare is important. This is one reason why I advocate for a single incident response plan regardless of the scope or size of the incident — the more often you use the plan, the better you will be at executing it.
There will always be things we can’t control about an incident, which leads to anxiety and even more poor judgment within an organization. Therefore, preparing for a good response includes giving team members something they can control to help reduce panic and enable them to use better judgment.
Panic
As a rescue diver, I immediately assess three key indicators to help estimate someone’s aptitude for avoiding panic: their training, their ability to acknowledge their limits, and their personal disposition. Important characteristics of an effective incident response — such as discipline, organization, and foresight — all depend on your ability to avoid panic. Once panic sets in, my attention must focus on protecting response procedures from thrashing and poor judgment.
It’s not uncommon for me to ask someone in the war room (physical or virtual) to take a break and get their limbic system under control before continuing. Stress is a part of the job for incident response, but if we allow it to control our response, we risk perception narrowing (when an individual is unable to notice or deal with subtle aspects of a situation because they’re fixated on a single element). At depth, the effects of perception narrowing become far more serious for divers; and for security and privacy professionals, the potential damage of this narrowing increases with incident severity and external attention.
As rescue divers, we also understand the importance of communicating to a victim or patient about what we’re doing to help as we proceed. So it’s not just about knowing how to escape immediate danger, but also how to maintain workable risk levels by keeping others calm and informed. A panicked diver — or a panicked executive — is a risk to themselves and everyone around them.