Why Bad (Cyber) Things Happen to Good People (and Organisations)

‍Why Bad (Cyber) Things Happen to Good People (and Organisations)

‍
By Ellis Brover
Independent IT Advisor & vCIO | Experienced CIO & Board Director (GAICD) | Executive Mentor

‍

Some years ago, I found myself deep in analysis of the 2008 Global Financial Crisis. What really caused such a catastrophic breakdown in a sophisticated, heavily regulated system full of intelligent professionals? I find myself asking similar questions today about the cyber world. Despite massive increases in cyber awareness, regulation, and investment, we continue to see basic attacks leading to major damage—even in well-managed organisations.

‍

Why?

‍

Too often we stop at surface-level explanations:

‍

• Personal data left exposed in an unprotected test system
• An accounts person fell for a phishing email
• An IT administrator was socially engineered
• Multi-Factor Authentication was missing on legacy systems

‍

These are symptoms—not root causes. To truly understand why these failures happen, we need to go deeper. We need to ask “why” not just once, but five times over, as the Toyota Production System teaches us. In my work, I consistently see five recurring root causes behind these incidents:

1. Complacency
2. Poor Gap Analysis & Planning
3. Ineffective Governance
4. Narrow Focus on Technology
5. Organisational Complexity

‍

Let’s unpack each of these.

1. Complacency

‍

“Success breeds complacency. Complacency breeds failure. Only the paranoid survive.” – Andy Grove

‍

Human psychology plays a big role here. Cognitive biases - especially the "normalcy bias" - lead people to underestimate both the likelihood and the consequences of a cyber incident. Unless someone has lived through a serious breach, it can be hard to get their full attention.

‍

Common signs include:

‍

• Dismissing cyber threats with “Why would anyone target us?”
• Assuming minimal impact: “Our data’s not that sensitive.”
• Overconfidence: “We can be back online in hours.”

‍

The challenge for security leaders is cutting through this mindset when executives are swamped with more immediate, short-term issues.

‍

What helps:

‍

• Use real data and numeric modelling to explain likelihood and impact
• Secure a cyber-savvy sponsor on the Board or Executive team
• Bring in external voices - people who have lived through an incident and can share what it was really like

‍

2. Poor Gap Analysis & Planning

‍

Many organisations rely on “best efforts” when it comes to cyber risk - without a structured or measurable approach.

‍

Warning signs include:

• No objective maturity assessment
• No agreed risk appetite or tolerance
• No cyber strategy or roadmap

‍

Peter Drucker said it best: “If you can’t measure it, you can’t improve it.”

‍

Cyber security maturity needs to be measured within the specific business context. There is no one-size-fits-all “good.” Leaders must define what’s appropriate for their organisation—then build and fund a roadmap to get there.

‍

Where to start:

• Educate the Board on cyber threats and their business implications
• Facilitate a clear decision on risk appetite and executive accountability
• Commission an independent cyber risk assessment - not from a vendor with something to sell
• Create and maintain a dynamic cyber roadmap aligned with business priorities

‍

3. Ineffective Governance

‍

A common issue: the Board and management are completely disconnected from cyber governance. You might hear:

‍

• “We do not understand cyber, but we trust our CIO.”
• “The Audit & Risk Committee focuses on finance - we’ve never had the CIO attend.”
• “We receive a 37-page technical report on cyber… and skip it.”

‍

Cyber is now one of the top enterprise risks, yet many boards lack the visibility and language to govern it effectively. IT often ends up being the sole decision-maker, leading to misaligned or patchy investments.

‍

A better way:

‍

• Integrate cyber into your enterprise risk framework
• Clarify roles and responsibilities across executives - not just IT
• Make business and process owners accountable for their areas
• Ensure reporting is clear, concise, and non-technical
• Add a regular cyber item to governance agendas
• Fill knowledge gaps with expert support and effectiveness reviews

‍

4. Narrow Focus on Technology

‍

"Technology is the answer... but what was the question?"

‍

It is tempting to throw tools at the problem. But even the best tools fall short if the human and cultural elements are ignored. Many breaches happen not because defences failed—but because someone clicked the wrong link, reused a weak password, or ignored procedures.

‍

What I often see:

• Dismissal of training: “Users will always click, so we filter instead.”
• Overconfidence in business continuity plans: “IT will fix it in two hours.”
• Cultural gaps: “Our CEO doesn't take their cyber training seriously, so why should I?”

‍

What actually works:

• Engaging, regular cyber awareness and phishing training - mandatory for all
• Leaders who model good cyber behaviours
• A cultural shift toward assumed breach - with emphasis on detection and recovery, not just prevention
• A passionate advocate driving awareness throughout the business

‍

5. Organisational Complexity

‍

“Nobody really understands how it all fits together.”

‍

In large or long-established organisations, IT systems become tangled webs:

‍

• Legacy platforms with missing documentation
• Multiple integration methods and inconsistent standards
• Shadow IT and rogue systems outside formal governance

‍

Complexity grows naturally over time - unless effort is made to fight it. This is entropy at work.

‍

What can help:

‍

• Crack down on shadow IT - not because IT likes control, but for risk reduction
• Commit to an evergreen platform approach, with protected budget
• Reduce platform sprawl - even if it means trade-offs
• Measure and manage technical debt just like financial debt

‍

Final Thoughts

‍

Cyber resilience is not about superficial fixes. It is about intentionality - having a clear strategy, aligned governance, and a balanced approach across people, process, and technology.

‍

If we stop blaming individuals and start looking at the systems, structures, and mindsets that let incidents happen, we can build stronger, smarter, and more resilient organisations.

‍

Thanks for reading - I hope these lessons serve you well.