Douglas Bernardini is a cybersecurity specialist and cloud computing expert with over 10 years of experience who holds AWS, GCP, and Azure security certifications. He has relevant knowledge in cloud security hardening (CSPM and CWPP) and cybersecurity experience leading SOC implementation, and is a specialist in cloud risk management focused on SIEM implementation and observability. With a strong background in security metrics, KPIs and incident response, he has relevant knowledge in log/event analysis and implements countermeasures and mitigations against DDoS, rootkits, zero-day exploits, data leaks, malware, XSS scanning and botnets. He conducts penetration tests to find attack vectors and identify vulnerabilities and security violations.
Have you ever been in a business meeting where everyone agreed to take a visibly wrong action?
This situation is described as Abilene’s Paradox, where a group of people agree on something, although most think it would not be a good decision.
The term was coined in 1974 by Jerry B. Harvey (management expert and professor at George Washington University) after an experience with his family, in which everyone agreed to have lunch in Abilene, a place far from where they were. The lunch was a frustrating experience for the whole family, one where everything went wrong.
When they returned home, one by one they confessed that from the beginning they had thought the idea of having lunch in Abilene was terrible, but had eventually agreed because everyone else was agreeing to go.
Today Abilene’s paradox is used to describe failures in consensus management within a group of people. In cybersecurity, it’s certain death!
This paradox can have terrible consequences. The 1986 disaster with the Challenger spacecraft, which killed seven crew members, is a sad example.
After several postponements and cancellations, NASA was desperate to make this launch. As a result, a group of managers collectively decided to ignore the engineers’ warnings about the risks of launching at a very low temperature. We already know the outcome of this childish decision.
Human beings need to belong to a group, and this need can persuade us to go along with the consensus, leading to extremely poor group decisions.
Another very emblematic case is that of Operation Aurora, a sophisticated hacking attack that occurred in 2010 and hit Google’s infrastructure. Carried out by an organized group of criminals located in China, this cyber-attack occurred due to the absence of well-structured security processes within the company at the time. The consensus was then to leave security processes in the background.
Google itself, in an act of maturity and corporate excellence, has made a series of excellent documentaries available on YouTube. In these videos, we can watch very honest testimonials in which professionals who worked in the information security department at the time state that the consensus was to speed up deliveries. The security schedule was put on the back burner, even though it was known that the risk being taken was high.
Being modern in 2023 and voicing opinions that diverge from the majority’s is difficult, as it takes courage and effort. On the other hand, it is much easier to agree with the group and, if something goes wrong, the blame can be shared among everyone.
But how can we prevent ourselves from being victims of the consequences of this paradox?
By promoting a strong culture in which people feel comfortable expressing concerns and opinions that differ from those of others, in a psychologically safe environment where it is possible to have honest discussions. There is a famous Peter Drucker quote that says that “culture eats strategy for breakfast”. This implies that the culture of your company always determines success regardless of how effective your strategy may be.
When he said that culture eats strategy for breakfast, Drucker pointed out the importance of the human factor in any company. No matter how detailed and solid your strategy is, if the people executing it don’t nurture the appropriate culture, your projects will fail.
Culture isn’t about comfy chairs and happy hours at the office. Rather, it’s more about the ways your employees act in critical situations, how they manage pressure and respond to various challenges, and how they treat partners and customers, and each other.
One modern management technique that encourages people to voice their real opinions is “Fail early, fail often”. The full quote, from John C. Maxwell, is all about iteration and risking failure (with a small and controlled scope of impact) in order to eventually achieve success. It’s about avoiding any obsession with perfection, delivering something that more-or-less works, and improving it with the help of the end users.
“Embrace failure” is another approach. By embracing failure, you are accepting yourself and your situation as a part of life. It is an opportunity for growth, but it is not a measure of your future or self-worth. While some things are out of your control, failure and success often go hand-in-hand; success usually comes as a result of past failures.