Reducing Risk in the Cloud by Overcoming the Status Quo Bias
I remember an incident from my previous CIO role. A number of us were in a meeting discussing the severe problems we were having with the performance of a large contractor. At one point, someone suggested that we start a new RFP (request for proposal) process to replace the contractor. “Too risky,” said one of the more senior executives at the table. “We don’t know what kind of a contractor we’ll wind up with or how good they will be.”
I’ve heard many variations of this line of thought. Essentially, we had a contractor who had a 100% chance of performing poorly, since they already were doing so, yet the perceived risk of working with an unknown was somehow believed to be higher. Similarly, organizations often think that it is risky to move to Agile ways of working or to migrate to the cloud if they haven’t done so before. This is equally strange, since Agile techniques were invented as a way to reduce risk, and the cloud provides many ways to reduce risk compared to onsite implementations.
I have had similar conversations with security experts in the government, and frequently with managers at AWS customers. “Is the cloud secure enough?” people often ask. But this is the wrong question. What they should be asking is, “Where will my security posture be better — in the cloud or in my onsite data center?” I didn’t have to ask myself that question in my role at the Department of Homeland Security (DHS). I knew the answer: the cloud clearly enabled us to build a much more robust security architecture.
Ask anyone in the information security arena if they are happy with their organization’s current onsite security posture:
“No way. Too many people have privileged access; we have too many insecure legacy platforms; we don’t patch often enough; our firewall rules are too complex; production systems aren’t reviewed often enough…” and on and on.
“How about moving to the cloud, then?”
“Well, that would be risky…”
There is a pattern here: we tend to attach too much weight to the risk of the new and too little weight to the risk of the status quo.
In fact, this is simply an instance of a common bias, described in a 1988 article by W. Samuelson and R. J. Zeckhauser, “Status Quo Bias in Decision Making.” Samuelson and Zeckhauser’s experiments showed that people disproportionately decide to stick with the status quo when presented with alternatives. In a 2016 Psychology Today blog, Rob Henderson says, “Status quo bias is a cognitive bias that explains our preference for familiarity. Many of us tend to resist change and prefer the current state of affairs.”
Status quo bias was further explored by Daniel Kahneman, J. L. Knetsch, and R. H. Thaler in their paper “Anomalies: The Endowment Effect, Loss Aversion, and Status Quo Bias.” The authors relate status quo bias to a phenomenon called the endowment effect: the tendency of people, when making decisions, to give a higher weighting to things they already have.
What at first seems like fear of the new is perhaps better thought of as an emotional preference for what we already have. The effect is stronger the more choices we are confronted with (think of all the options available in the cloud!) and, interestingly, stronger the longer we have held the object we may be giving up.
For enterprises looking to transform digitally, it is critical to move beyond that bias, to move beyond the fear and the perceived risk of the new. Instead, enterprises should focus on how new ideas in the IT world can help reduce risk — reduce the risks of IT investments, reduce the risk of disruption in their industries, and reduce the risk of security breaches. They can reduce all of these risks through a combination of moving to the cloud, introducing DevOps, and architecting and operating their systems using contemporary best practices (see the AWS Well-Architected Framework).
There are all sorts of risks in today’s business technology environment — all sorts of things for good managers and leaders to worry about. There is the risk that a large IT investment will not return the business benefits that were intended. There is the risk that a disruptive startup will shake up the industry. The risk that a hacker will steal sensitive customer data. The risk that a competitor will think of a brilliant new idea first. That costs will spiral out of control. That a new technology will make the current infrastructure obsolete. That the government will suddenly change a regulation that deeply affects the business.
I could go on and on. There are so many risks it is a wonder that an enterprise can do anything at all. But that is exactly the point — the biggest risk is never change, but stasis. Unless you are sure that your enterprise is already prepared to meet all of the risks mentioned above, the status quo is a terrible place for you to be, and the risk of the new should seem negligible compared to the urgency of change.
It turns out that many innovative companies have found ways to reduce risks in an environment of digital transformation, and central to most of them is agility — the ability to learn and quickly adapt. Or to put it another way, to systematically and deliberately reduce the cost of change and the cost of learning. How do you reduce the risk of a large IT investment not returning enough benefit? By insisting on results while the investment is being made and pivoting as soon as possible if it is not showing results. How do you reduce the risk of disruption? Stay ahead of it and respond quickly when the industry changes. How do you reduce your security risk? Test often, patch quickly, respond to incidents at lightning speed — these are at least a large part of new security models.
The cloud is the underpinning of these strategic approaches to risk management. It allows enterprises to respond quickly and elastically to changing market conditions. It facilitates agility and innovation. It provides pre-developed services that can be quickly assembled as building blocks. It makes it possible to automate software delivery and create security and compliance guardrails.
In an upcoming series of posts, I will return to these questions of risk and show how the cloud helps companies improve their security postures, ensure that their investments deliver business outcomes, stimulate innovation to stay ahead of disruption, control costs, and avoid obsolescence in many different senses.
In short, I will show how the cloud lets companies dramatically reduce risk.
 W. Samuelson and R. J. Zeckhauser, “Status Quo Bias in Decision Making,” Journal of Risk and Uncertainty 1, no. 1 (1988): 7–59.
 Rob Henderson, “How Powerful is Status Quo Bias?” Psychology Today blog, September 29, 2016, https://www.psychologytoday.com/blog/after-service/201609/how-powerful-is-status-quo-bias.
 Daniel Kahneman, Jack L. Knetsch, and Richard H. Thaler, “Anomalies: The Endowment Effect, Loss Aversion, and Status Quo Bias,” The Journal of Economic Perspectives 5, no. 1 (1991): 193–206.