Security leaders need to stop chasing “risk catnip”

How often do you indulge in “risk catnip”?

Here’s an example:

The hardest problem in computer science is fighting the urge to solve a different, more interesting problem than the one at hand.

— Nick Lockwood (@nicklockwood) August 18, 2016

That tweet earned over 3000 retweets and over 4000 likes. The chain of comments express understanding and offer more examples. The concept is similar the effect of catnip on felines. Some just can’t resist. 

In security, I dubbed this “risk catnip.” 

“Risk catnip” is a nod to the seductive powers catnip holds over some cats. Drawn to the catnip, cats play with it for a while and bask in the feeling it gives them. Sometimes they drool or pass out. Besides, “risk catnip” sounds better than “risk ball of string” or “risk laser pointer.” 

Like catnip, “risk catnip” might feel good, but it provides little value. 

No value in chasing risk catnip

“Risk catnip” is a seductive illusion of risk that draws attention away from actual risk. It wastes time and energy on less important tasks instead of focusing on what matters most.   

So why does it happen?

Because we can. Usually because we have the knowhow. The seductive nature of risk catnip captures attention with a promise that it could be real. That creates a desire to explore. Just a little bit.    

Then the brain engages, the juices get flowing, and time flies by. It’s a constant reminder that just because you can do something doesn’t mean you should.  Perhaps Dr. Ian Malcolm (portrayed by Jeff Goldblum) said it best in the movie Jurassic Park: 

_

“Your scientists were so preoccupied with whether or not they could, they didn’t stop to think if they should!” 

Michael Crichton illustrated the consequences of bringing dinosaurs back to life. Indulging in risk catnip in security tends to produce a less fatal result. It wastes time, energy, and focus.   

Chasing risk catnip produces little or no value.

Sometimes it even increases friction and erodes value. Especially when it wastes the time, energy, and focus of others. Either because we get them involved, or because they end up waiting on the more important effort. 

Risk catnip replaces hard work with always working

The unintended consequence of risk catnip is more work.   

Take another example from twitter from earlier this year: 

Myopsia, n. (med.): The tendency of ops engineers to solve whatever problem is in front of them at the time, whether it’s important or not.

— John Arundel (@bitfield) January 14, 2016

Always indulging in risk catnip sets off a chain reaction of long hours, poor focus, and high stress. Indulge too much and it could lead to burnout. 

The research on this area is clear (though they don’t cite risk catnip as a cause…. yet). Here’s an excerpt from an article on the Harvard Business Review: 

“Work too hard and you also lose sight of the bigger picture. Research has suggested that as we burn out, we have a greater tendency to get lost in the weeds.”

Do you find yourself and your team working a relentless schedule of long hours? Maybe it’s time to consider how much risk catnip you chase.   

Ask one question to avoid wasting time with risk catnip

There are many different ways to structure your time to focus on priority efforts. Even the most disciplined find it hard to resist the seductive nature of risk catnip.   

Start with awareness. The more you practice recognizing it, the easier it becomes to spot risk catnip.  

The headlines and social media are rife with examples of risk catnip. Work with your team to label examples – and explain why. The goal is to call attention to risk catnip, not to deride those lured by it.   

When you find yourself drawn to risk catnip, stop. Take a deep breath. Then ask, “how does this contribute to our current priorities?” 

Walk away if there is no clear value. Run away if you know it’s nothing more than a distraction. 

As a security leader, our jobs are tough enough. The last thing we need is an unlimited supply of risk catnip to distract us and keep us from doing our jobs.