
The Tech Director May Be the Biggest Risk


By Greg Rodriguez, Director of Information Technology/Chief Security Officer, Nashua School District

It is okay not to know, but it is not okay to let ego keep us ignorant. Anyone in tech has heard the familiar lines from people outside of tech: “I am good with technology” or “I know enough to be dangerous.” Many of us in technology are humble enough to know that even if we are good with technology, we should be careful about claiming expert status. But do we take our own medicine? Too often we proclaim ourselves cybersecurity experts when we are not, opening a gap between confidence and competence that puts our organizations in peril. Welcome to the Dunning-Kruger effect. In the workplace, this psychological phenomenon shows up when we, as technology directors or managers, overestimate our own competence, which tends to lead to riskier behavior and poor decisions that can significantly harm the organization. We must not become victims of our title, position, status, and education.

Understanding We Do Not Know Everything

We are all subject to a cognitive bias: when we have limited knowledge or competence in a specific domain, we tend to overestimate our abilities, sometimes wildly, as demonstrated by psychologists David Dunning and Justin Kruger in a study published in 1999. They also noted that improving competence tends to improve self-awareness, enabling individuals to better judge where they are on the learning and skills journey.

Please do not take this as a pejorative statement. We all need a reminder once in a while that the threat landscape is evolving: attackers are more sophisticated than ever, aided by artificial intelligence and a steady supply of software vulnerabilities, while many organizations have yet to adopt a cyber awareness culture. Cybersecurity and technology leaders are desperately trying to keep up. This reality must set in, because every organization will be attacked. You are not impervious, and the chances are you are under attack right now. According to a report from the US Office of the Director of National Intelligence, global ransomware attacks increased 74% from 2022 to 2023. A report in the Annals of Operations Research points the same direction for Asia and the Pacific, where companies, educational institutions, and other industries reported a 47% increase in overall malicious and criminal cyber-attacks.

Now that this sobering reality has set in, tech leaders should feel vulnerable, because they all are. With the other responsibilities of being a director or manager, such as supervising staff, working with senior leadership, and managing day-to-day duties, is there time to become a cybersecurity expert as well? The short answer is no. Being an expert is not required, but moving from not knowing to knowing, and working with your supervisor to understand risk and how to reduce it, is paramount.

As the saying goes, “You do not know what you do not know.” That is no longer an excuse; faking it until you make it is a recipe for becoming part of that 74% statistical increase.

Dunning-Kruger and Cyber Security Risk

Tech leaders buy the latest security appliances and software, run a phishing test, and assume all the boxes are checked once those tasks are complete. Granted, that is a real accomplishment; any tech leader should be proud of it, because these controls are essential. However, having these controls in place, leaders then inaccurately assure stakeholders that the organization is safe and airtight. Directors and managers often do not know what they do not know and rely too heavily on software and appliances because they believe that is all they need. This is increasingly risky, because a core part of good cyber hygiene is assessing risk, and a control you have bought is not the same as a risk you have understood. When the tech director is the most significant risk, because they have overestimated what needs to be done or what their existing controls actually cover, that risk is hard for anyone in the organization to detect, and it can lead to trouble.

Self-Awareness Sets In

As time passes, leaders feel good about their current state, confident that what they have done will be enough, until one day they read an article about another technology director who overestimated his competence, did not understand his organization’s risk, and watched a costly ransomware attack victimize the organization. His self-confidence suffered, and he felt the unbearable responsibility to fix what had happened first and then commit to improving.

Developing the self-awareness to uncover and address areas of vulnerability does not make one weak; it simply means assessing security controls relative to your actual risk and reallocating resources to enhance security. Leaders should identify these risks by bringing in outside penetration testers and external auditors to evaluate the organization. The report will typically show that while the existing controls are adequate as far as they go, they fall short of covering the organization’s real exposure. This is the moment of realization that significant vulnerabilities remain and that improvement is needed. It becomes clear that the organization’s confidence and its actual level of competence are misaligned.

Adopting a Strategy of Progress, Not Perfection

There is now a determination to perfect the cybersecurity program. Just remember that perfection is the eternal enemy of progress. There are many avenues for improving self-awareness of your skills and competence, starting with an action plan for getting better. The urgency to learn cybersecurity can feel overwhelming, but starting with a solid foundation of core concepts and gradually building knowledge through certifications, training, or concise daily reading provides a manageable path forward.

Why is this important? For starters, how are tech and cyber leaders supposed to educate users on cybersecurity best practices if their own knowledge is limited? Certifications, training, and steady daily reading are practical ways to build your knowledge and to lower the risk you yourself represent to the organization.

Being an overconfident, overeducated, and underskilled technology director did not serve me well, because I did not fully understand the global threats my organization faced. While I continue to improve, I consistently seek more opportunities to understand myself, the global cyber landscape, my role, and how to make informed decisions about risk in my organization.

References

Office of the Director of National Intelligence. (2023). Ransomware attacks surge in 2023. https://www.dni.gov/files/CTIIC/documents/products/Ransomware_Attacks_Surge_in_2023.pdf

Ruan, G., Jia, Z., Ke, H., Wang, J., & Sun, M. (2022). A comprehensive survey on cyberattacks: Taxonomy, trends, and mitigation strategies. Annals of Operations Research, 319(2), 1233–1260. https://doi.org/10.1007/s10479-022-04844-8