Hi folks,
The other day I met some fellow parents at my kid’s school and we did the usual introductions. Of course, about 10 seconds into the conversation, I had forgotten their names, which made follow-ups for a playdate awkward.
That happens to me all the time, and it drives me crazy. Nothing says “I value you as a person and would like to develop a relationship” quite like “uh, sorry, what’s your name again?” I know it’s a common problem, though, and not one limited to people. Organizations forget, too.
In 1885, Prussian psychologist Hermann Ebbinghaus published his hypothesis of the forgetting curve which basically states that the more time that passes after an event, the less we’re able to remember about the event. A few years ago, a former colleague of mine from Mandiant, Grady Summers, applied this theory to cyber compromises, asserting that the organizational support for improvements to cybersecurity are greatest immediately following a compromise, and that such support dwindles over time. So if you’re trying to improve the security of your organization, you need to move fast and take advantage of the quickly closing window of opportunity.
This isn’t limited to compromises, of course. It could be a shift in the regulatory industry, an audit finding, or any other event that grabs the attention of decision makers and compels them to support change. But regardless of the impetus, the forgetting curve remains, and the window of opportunity is only open for a limited time.
So what’s the solution? Well, according to Ebbinghaus, overlearning is the way to go – practicing a skill past the point of initial mastery. Of course, when we’re talking about the opportunity that comes from unwanted events…
Yeah, I agree. In my mind, there are two practical approaches First, you want to move fast to implement desired changes post-event. That generally means being prepared with a list of desired changes prior to an event so you’re not caught flat footed
Second, find a way to keep the lessons learned fresh. Ideally, we’d again follow Ebbinghaus and his spaced repetition approach, but we don’t need to suffer the effects of the negative event ourselves. We can also leverage compromises or negative events in other organizations to help remind ourselves about why we’re going through all this effort to improve our security. You can flatten out that forgetting curve with quick, concise debriefs of other public compromises as they happen. They should highlight similar impacts as those your organization felt as well as the corresponding efforts you’re taking to make sure your organization doesn’t suffer from the same fate. While your support will likely still diminish over time, it won’t drop off nearly as quickly.
By being prepared and sharing regular, active reminders of why people should support your efforts, you should be able to capitalize on a bad event and make good things happen.
Now, if I could only remember where I put my keys…
Rex