Freaking Change Already – a Psychology Journey Part 2
We began this journey in my last article, where I discussed the Top Cybersecurity Trends for 2023 as predicted by Gartner. I then noted that while many of these trends made sense, what was missing was a more concrete sense of “why”. Why would any of those trends come to pass? Does the impetus for meaningful change even exist in the industry right now? I ended Part 1 by submitting to you that change is unlikely due to the lack of change factors: need, desire or ability, the presence of which determines the success of all efforts to make any sort of change.
In this article, I will go a bit deeper into what changes are necessary, why, and how we can start to make them. I also scrapped the word “Cybersecurity” in the title and replaced it with “Psychology” since this is much less about cybersecurity and more so about human behavior. To begin, let’s expand a bit on the term “change” and what we typically mean by it.
What do we mean by “change”? According to the Oxford Dictionary, it can be used as both a noun and a verb with the general definition being modifying or replacing something with something else. It’s a pretty straightforward term that we’ve all been using since we were kids (i.e., Change your socks, those smell like hot garbage. Get up and change the channel, it’s time for Three’s Company! You’d better change your attitude, or I’ll give you something to cry about.). Things like changing your socks or the channel on the TV (yes, that was a thing when I was a kid) are easy to do, but changing your attitude…oof…not so much. So, while the concept of change is easy to understand, the act of changing can be difficult for most of us.
There are all sorts of reasons for this, some good, some bad, but at its most basic element, when we have an opinion about something, we become emotionally attached to it. We think that because it is ours and we own it, we need to defend it as a part of our identity, regardless of the logic that underpins our position. So, as humans we find ourselves holding illogical opinions about subjects as a result of this existential perspective, with an aversion to change, as that would call into question who we are.
Just think about the language that is used to describe people that hold their positions firmly versus people that change more readily. People that maintain their opinions about something are seen by others as: firm, dedicated, committed, true believers and solid; these terms are typically seen as honest. People that change their opinions are seen by others as: flimsy, milquetoast, wishy-washy and flip-floppers; these terms are typically seen as dishonest.
In his book, Think Again, psychologist Adam Grant covers the neuroscience of changing your positions on beliefs you may have held your entire life. This book was life altering for me, so if you haven’t read it yet, I highly recommend it. In short, it takes a tremendous amount of emotional intelligence, courage and strength to change a deeply held position, even in the face of overwhelming evidence.
Professor and Nobel Prize winning Physicist Richard Feynman had a much different view on change than many of us today have. As a scientist, he would become excited if he found out he was wrong about something because it gave him the opportunity to become more right. “Being wrong is not a bad thing like they teach you in school.” Feynman says, “It is an opportunity to learn something. There are not mistakes, only lessons. Growth is a process of trial and error.” (For more on one of the most fascinating people in history, I highly recommend his book, Surely You’re Joking, Mr. Feynman.) He didn't see being wrong as something to be avoided out of a sense of defiance or shame, but embraced it as a tool to draw closer to truth or a better future state. Since reading this book I have made a concentrated effort to truly become OK with being wrong and using it as a tool to learn and grow.
OK, so let’s take a step back and take stock of where we are. We now know that the positions we hold may or may not be logical, that we are likely to defend them as a part of our identity and that being seen as someone who changes opinions is weak and untrustworthy. We have also seen that some pretty smart people who are experts in human behavior and science extol the benefits of change, and hold views that stand in stark contrast to the status quo of human beliefs. Now, there is still one aspect about change that we haven’t covered yet, and that’s knowing what to do but not being able to do it.
In their book, The Knowing-Doing Gap, Jeffrey Pfeffer and Robert Sutton discuss the concept of knowing what to do but failing to do it, in great detail. Think of it like this: everyone knows smoking is bad for you, yet people still smoke. Everyone knows that regular exercise is healthy for you, but many people don’t do it. Most people know that eating too much junk food contributes to weight gain, which leads to all sorts of cardiovascular diseases, but many people still opt for a bag of chips (or crisps) over an apple. So, it’s one thing to know what you should do and it’s something else entirely to actually do that thing. There are heaps of additional books and articles that cover this phenomenon, but for the sake of brevity, suffice it to say that it’s not enough to simply know what you should or should not do; it’s significantly more complicated.
Let’s look at a couple of fun examples to illustrate what I am talking about:
Geocentrism v Heliocentrism
In the 2nd century AD, Roman mathematician, astrologer, geographer and music theorist Claudius Ptolemy created the idea of a Geocentric solar system (i.e., Earth in the center with everything else orbiting around it). It wasn’t until 1543 when Polish astronomer Nicolaus Copernicus introduced the idea of a Heliocentric solar system (Sun in the middle, other stuff orbiting it) that Ptolemy’s theory was proven to be incorrect. THEN, the Catholic Church (the dominant power of the time) didn’t formally accept Heliocentrism by Papal edict until 1822 (I found that to be really interesting and honestly, pretty telling). Rough and tough, that’s 1,400 years from Ptolemy to Copernicus and another 422 years from Copernicus to Pope Pius VII (the Pope in 1822). That’s a really long time to be wrong about anything, much less something that is now taught in elementary schools. A seemingly basic concept, yet it underwent millennia of debate before widespread adoption.
Wash Your Hands
In 1847, Hungarian physician and scientist Ignaz Semmelweis pioneered the concept of antiseptic procedures (i.e., washing your hands). In 1865, he was sadly institutionalized, allegedly suffering a nervous breakdown due to the medical community not taking his findings seriously (I feel you brah).
Fast forward 14 years to 1861 when Germ Theory was discovered by French chemist and microbiologist, Louis Pasteur. His discoveries led to the principles of vaccination, microbial fermentation and pasteurization.
While both of these discoveries would lead to significant medical advancements, they were not fully accepted by the wider medical community until 1920, 60 years after Pasteur and almost 75 years after Semmelweis. Why in the world would it take so long for these medical advancements to take hold? At the time, one of the leading causes of death in hospitals was sepsis (infection) due to germ transference between patients, since doctors did not wash their hands between patients. Think of the thousands upon thousands of lives that could have been saved between 1857 and 1920 by doing something as simple as washing your hands. And the medical community knew that - Pasteur's findings were irrefutable, but they failed to act and thousands died as a result. So tragic!
What Does That Leave Us?
So, if these changes seem to make so much sense Chris, why haven’t we made them yet, huh? Aren’t things that are self-evident quickly understood, embraced and adopted at scale (nope)? Don’t you think if this was what needed to be done, we would have done it a long time ago? For robots, yes…absolutely. For human beings…hmmm…not so much.
To get the cybersecurity industry to enact meaningful changes, three things need to be accomplished:
1. The need, desire, ability components must be met.
2. Currently held positions must be decoupled from the identity of the people that hold them, and a scientific perspective needs to be adopted.
3. The knowing-doing gap must be addressed to ensure what should be done aligns with what is being done.
I hope that all makes sense and provides some additional context regarding why things haven’t changed much in the cybersecurity space for such a long time. In my next article titled, “Who is Going to do What by When, a Cyber-Psych Journey Part 3”, I will cover the specific things that need to be changed and how the impact on the industry could be significant. Until then, keep reading, keep learning and keep thinking!
Staff Threat Intel Analyst, Adversary Tactics
1 yr: With respect to DFIR, we're standing with Semmelweis...