Lean Cybersecurity: How to Fight Overconfidence and Reduce Your Real Cyber Risk

For years, the conventional wisdom for tackling cyber risk has been a simple mantra: invest more. Hire more senior leaders. Build a bigger, more complex team. It’s a logical response to a growing threat landscape. But what if that very response is making you less secure?

A recent spring 2025 article in the MIT Sloan Management Review uncovers a startling paradox in cybersecurity leadership. Based on a Delphi study with 34 top executives (CISOs, CIOs, and CTOs), the research reveals that expanding your security hierarchy can inadvertently foster a dangerous, collective overconfidence that blinds your organization to its true level of risk.

This psychological bias, known as “illusory superiority,” lies behind a critical, often-unseen process failure: a team's confidence in its defenses drifts away from any evidence of how those defenses actually perform. The findings suggest that a leaner, more self-aware leadership structure may be the key to true resilience.

The Overconfidence Trap: Three Ways a Bloated Hierarchy Exacerbates Cyber Risk

The research identifies a dangerous pattern: as security teams grow, so can a collective overconfidence that makes them less effective. This isn’t just a theory; the study pinpointed three specific ways this “illusory superiority” manifests.

1. The Bigger the Threat, the Greater the Overconfidence

The study's most striking finding is that the more catastrophic a potential threat, the more confident leaders are in their ability to mitigate it relative to their peers. A major ransomware attack, for example, elicited the strongest sense of superiority. One plausible explanation is that severe threats are discussed so frequently that leaders become inadvertently emboldened, mistaking conversation for preparedness.

2. Accountability Becomes Muddier With More Layers

The study describes a “cascading effect” in complex hierarchies. Employees assume the IT department is accountable; the IT department assumes their managers are; and managers assume the C-suite is ultimately responsible. Each additional layer can make the boundaries of responsibility murkier.

This leads to a dangerous situation: senior leaders are removed from the technical reality, yet they are still pressured to “project confidence” to the board, even though fragmented accountability leaves them without full visibility into the organization's actual exposure.

3. Senior Managers Discount Frontline Expertise

A critical process failure identified in the research is the tendency for senior leaders to believe their rank reflects superior knowledge. This overconfidence leads them to sideline or disregard recommendations from lower-level employees who are often more technically adept. This prevents the organization from bringing all its available knowledge to bear on a problem, effectively fighting with one hand tied behind its back.

Taming Overconfidence: The Case for a Lean Cybersecurity Approach

The article doesn’t just diagnose the problem; it offers two clear, process-driven recommendations to counter the effects of illusory superiority and build a more effective security posture.

1. Right-Size Your Senior Team (Embrace Lean Leadership)

Leaders must fight the tendency to solve every problem by adding organizational complexity. The research argues that for most small-to-medium-sized organizations, a lean cybersecurity leadership structure is more effective. This often means one empowered, security-focused C-suite leader (such as a CIO or CISO) with a clear mandate, rather than a multi-layered hierarchy that can obscure accountability. The mandate is the important part: a single accountable leader only closes the accountability gap if it is explicit who owns which risks and who can make decisions, rather than leaving that to be inferred from the org chart.

2. Engage in Anonymous, Distributed Benchmarking

To get a realistic assessment of your capabilities, you need external data; self-assessment alone cannot correct a bias that is, by its nature, invisible to the people holding it. The study proposes that organizations engage in anonymous benchmarking by sharing threat intelligence with peer organizations. This provides a dose of reality that directly counters unsubstantiated overconfidence. The article even suggests forward-thinking technical solutions, such as a permissioned blockchain, to enable anonymous data sharing among member organizations. Whatever the mechanism, the property that matters is that contributions cannot be traced back to the member organization that made them; without that assurance, peers will share less, and the benchmark will flatter everyone.

Rethinking Resilience: Less Complexity, More Clarity

The ultimate lesson from this research is a powerful challenge to the status quo. True cyber resilience may not come from a bigger budget or a larger team, but from a leaner structure and a commitment to intellectual honesty. By recognizing our own biases and building processes that foster clarity, accountability, and a realistic view of our capabilities, we can build a security function that is not just bigger, but genuinely better.

For Further Reading:

This blog post is based on the insights and analysis presented in the article: Flostrand, A., Park, A., Demetis, D., Kietzmann, J., Pitt, L., & McCarthy, I. (2025). The case for lean cybersecurity leadership. MIT Sloan Management Review, 66(3), 16-18. Retrieved from https://www.proquest.com/scholarly-journals/case-lean-cybersecurity-leadership/docview/3174841584/se-2