The Power of Curiosity in Cybersecurity and Risk Management
By Dan Polly, VP Business Controls, currently focused within the InsurTech space
Keep asking all the questions, and questioning all the things.
That was a colleague’s parting advice to me at the end of a recent conversation. It got me thinking about a state of mind that is crucial to just about every field, but especially to cybersecurity and risk. That mindset is curiosity.
Curiosity is a state of active interest and engagement with the world around us. It is the desire to know more, understand better, and see beyond what is immediately apparent. Curiosity requires exploration, and that exploration can lead to new insight and deeper understanding.
For cybersecurity and risk practitioners, curiosity is essential. We operate in a threat landscape that is constantly evolving, as attackers relentlessly pursue new ways to exploit vulnerabilities. We must stay ahead of the curve by questioning our assumptions and exploring fresh ideas. Curiosity is our best tool for identifying new threats – and developing creative solutions to meet them.
So how do we build a safe path for ourselves as cybersecurity professionals? We must understand that this isn’t a passive endeavor. It requires not only internal assessment but an external action.
The good news? We are naturally curious! Regardless of formal education or professional experience, we all come equipped with a drive to understand the world around us – and our curiosity scales as we pursue knowledge. The more we learn, the more we want to know. It’s never too late to reawaken our childhood impulse to ask questions: What is this? How does it work? Why do we do that?
Unfortunately, many of us find that our curiosity is unwelcome in the workplace. Some of our colleagues may view curiosity as a luxury – something to indulge only when time permits. Others may respond defensively, perceiving questions as critiques of job performance or challenges to authority. I believe we’ve all experienced the discouragement that results when inquisitiveness is mistaken for meddling or interest for intrusion. In order to avoid conflict, we learn to self-censor, never straying beyond the bounds of “acceptable” behavior. This also creates an environment where bad ideas can flourish, groupthink rules, and gatekeeping is institutionalized.
If this sounds trivial, it’s not. Even if a failure of curiosity isn’t outwardly dramatic, there can still be a severe impact on the health of your business, your personal career, or your professional field. The quiet suppression of new ideas, methodologies, and techniques is especially dangerous from the perspective of cybersecurity and risk. Adversaries count on it. They rely on our maintaining the status quo.
So how do we build a safe path for ourselves as cybersecurity professionals? We must understand that this isn’t a passive endeavor. It requires not only internal assessment but an external action.
Some suggestions to get started:
Model curiosity in your own behavior. Be curious yourself and show that it is OK to ask questions – even if those questions may challenge others, and even if you’re not sure what others will think of you as a result. Additionally, be prepared to answer questions from others openly and honestly.
Advocate for curiosity. When you see individuals or organizations stifling inquisitiveness, speak up. Point out the negative consequences of rejecting curiosity and asking why questions are seen as a threat. This doesn’t have to be adversarial – you can even use your curiosity to probe into a resistant colleague’s concerns.
Inspire others to be curious. While advocating for colleagues who are practicing curiosity is essential, it’s equally crucial to draw out curiosity in those who may not be used to questioning existing norms. Fortunately, curiosity is contagious! Share your own experiences and offer to help others explore topics they are curious about. When you see someone being curious, encourage them!
Create the opportunity for curiosity. If you are in a position of authority or influence, partner with more junior individuals to explore and mature their ideas. Be the safe place – a trusted ally to help advance ideas.
These suggestions are just the beginning. In order to establish an enduring path for ourselves and others, we must internalize our call to action. Keep curiosity in mind as you join your next meeting, attend a project gathering, and move through your career. From the beginning of your day to the end, remember:
“Keep asking all the questions, and questioning all the things”.