Why would someone run five miles on a treadmill, sweat through three sets of pushups and a hundred burpees, and then drop by a donut place on the way home from a workout?

American psychologist Leon Festinger spent many years researching this topic and coined the term “cognitive dissonance” to explain this phenomenon. His theory, first published in 1957, still resonates today in explaining how we justify actions that contradict our beliefs. The person who is fastidious about avoiding soda might view the daily donut ritual as his “reward” for being strict about everything else. (If you are wondering why I keep bringing up donuts, let’s just say this anecdote is not theoretical.)

No one wants to believe they are irrational, so the desire to make all our actions align and therefore “make sense” requires a lot of mental gymnastics.

How is all this related to IT, you may ask?

Well, a World Economic Forum survey recently confirmed that TWO of the five biggest risks CEOs face are related to cyberattacks and data fraud. Yet when many senior leaders of companies and non-profits concede that these are real threats, they often follow that with “I just don’t have the budget or time to invest in the products, procedures, and training to address those vulnerabilities.” Somehow, though, they find budgets for things that are a lot less crucial to their organization’s survival.

Maybe they think the consequences of being breached, though time-consuming to address, will not be that bad? A couple of examples from this year suggest otherwise:

A university in Illinois (with thousands of students) that “survived a campus fire in 1912, the Spanish flu in 1918, The Great Depression, World War II, and the 2008 global financial crisis” closed down due to a ransomware attack.

A large county in New Mexico with a population of almost 700,000 suffered a security breach that led to the shutdown of a government building and the blocking of cameras in their jail. Having volunteered in a jail as a tutor, I can assure you that not having the cameras work for even five minutes is a major crisis.

A Massachusetts-based health care provider had a data breach that impacted two MILLION people whose social security numbers, birthdays, and medical information were stolen.

Another rationalization I hear often is that there is nothing they can do because hackers are going to hack. I am not saying that the most robust cybersecurity operation in the world can guarantee a zero chance of disruption. However, we already know that most breaches are due to human error, lack of routine patching, and not having the right procedures/processes in place. All of these things can be readily improved with a systematic process.

So what should you do to overcome cognitive dissonance in your IT strategy? First, you need to gain a realistic assessment of where you are. Every one of our engagements starts with an audit that compares best practices on hundreds of variables, and the result can quickly give you an initial evaluation of your cyber risks. Second, you must actively address the gaps and their consequences. Not every problem or remedy is equal, and an expert familiar with the various threats and the tools to combat them can recommend which actions are worth taking and which are not. Finally, you need to recognize that cognitive dissonance is always ready to creep back in the minute you become too comfortable. The people trying to break into your technology infrastructure are always hard at work coming up with new ways to succeed. Shouldn’t you be just as proactive in thwarting them?