When yesterday’s success quietly engineers tomorrow’s failure.
- Captain Ajesh Sharma (Veteran)

- Feb 23

Security failures rarely begin with dramatic negligence or deliberate misconduct; they begin with a quiet confidence that yesterday’s success is sufficient protection for tomorrow’s uncertainty.
“This has never happened before.”
“Why would anyone target us?”
“This is how it works here and it’s still fine.”
These statements do not sound reckless. They sound reasonable. They sound experienced. They sound like organizational memory at work.
As Daniel Kahneman, Nobel laureate and pioneer in behavioural economics, observed: “We are blind to our blindness.” The longer a system operates without visible failure, the more it mistakes familiarity for robustness. And that is precisely the problem.
Static Procedures. Dynamic Risk.
Business as usual rarely presents itself as risk. It presents itself as continuity, stability, proof that the system functions. Over time, controls that were once deliberately designed become inherited rituals.
Risk, however, does not remain static simply because policy documents do.
Threat environments evolve. Motivations shift. Attack methods adapt. But organizational assumptions, once embedded, tend to calcify. The longer a system operates without incident, the more it begins to mistake the absence of failure for evidence of robustness.
These observations emerged from discussions with security leaders operating across Europe and Asia — from mature regulatory systems to high-growth environments.
Despite differences, the underlying pattern was strikingly consistent. The context changed. The bias did not.
Mental Mechanisms That Keep You Comfortably Blind.
These are the mental shortcuts that make outdated controls feel ‘proven’ and verification feel unnecessary.
Normalcy Bias: Yesterday Worked. So Today Must Be Fine.
Normalcy bias rewards consistency over relevance. The longer an organisation remains incident-free, the more confidently it assumes its controls are still valid.
Example: In the 2012 Benghazi attack in Libya, security measures were built for earlier threat conditions and had worked before. That past success created confidence. But as the environment shifted, assumptions were not revalidated.

The longer the calm, the weaker vigilance becomes.
Optimism Bias: It Won’t Happen Here.
Optimism bias is especially powerful in organisations that equate strong protection with immunity. When defences are layered and reputations are solid, risk feels theoretical.
Example: In 2003, in what became known as the Antwerp Diamond Heist, attackers stole an estimated $100+ million worth of diamonds, gold and other valuables from safety deposit boxes at the Antwerp Diamond Center. The facility was widely regarded as one of the most secure in the world. Confidence in its layered protection was so high that optimism became the vulnerability. The attackers did not overpower the system. They exploited the belief that strength meant immunity.

Every breached building once believed exactly this.
In-Group Bias: Sounds Familiar, Must Be OK.
Familiarity feels reassuring, especially when reinforced by trusted colleagues or long-standing relationships. It feels efficient. It feels frictionless.
Example: In 2025, several UK retailers, including Marks & Spencer, suffered disruption from cyberattacks reportedly enabled by IT helpdesk impersonation. Attackers posed as “locked-out” employees and pressured support teams into resetting passwords or MFA. The tactic works because the request sounds routine and unmistakably internal, and that familiarity replaced verification.

Belonging beats credentials - unless someone insists on proof.
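The help-desk impersonation pattern described above leaves a trace on the defender's side: credential or MFA resets granted without an out-of-band identity check, often several in a short span as the caller works through agents. The following is an added example (not code from the authors or from any retailer's incident response) that runs over constructed help-desk ticket records and flags two things: individual resets granted with no acceptable verification, and bursts of such resets that look like a pressure campaign. The ticket format, field names, and the set of acceptable verification methods are assumptions made for the example.

```python
"""Flag help-desk credential resets that bypassed out-of-band identity verification.

Added example for illustration; the ticket format and verification methods are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample help-desk ticket records (not from any real incident).
# Each line: timestamp, then key=value fields written by the help-desk tool.
SAMPLE_TICKETS = [
    "2025-04-21T09:02:11Z ticket=1001 agent=a.jones user=r.patel action=password_reset verified=callback",
    "2025-04-21T09:05:40Z ticket=1002 agent=a.jones user=m.chen action=mfa_reset verified=none reason=caller_says_locked_out",
    "2025-04-21T09:07:02Z ticket=1003 agent=b.kim user=s.oconnor action=mfa_reset verified=none reason=urgent_exec_request",
    "2025-04-21T09:09:55Z ticket=1004 agent=b.kim user=t.nguyen action=password_reset verified=none reason=sounded_internal",
    "2025-04-21T11:30:00Z ticket=1005 agent=c.lee user=d.okafor action=password_reset verified=manager_approval",
]

# Verification methods that do not rely on how the caller sounds (assumed policy).
ACCEPTABLE_VERIFICATION = {"callback", "manager_approval", "in_person"}
# Actions that hand an account to whoever is on the phone.
HIGH_RISK_ACTIONS = {"password_reset", "mfa_reset"}


def parse_ticket(line):
    """Turn one ticket line into a dict; the leading token is an ISO-8601 UTC timestamp."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def is_unverified_reset(rec):
    """True when a high-risk reset was granted on familiarity alone."""
    return (rec.get("action") in HIGH_RISK_ACTIONS
            and rec.get("verified", "none") not in ACCEPTABLE_VERIFICATION)


def find_unverified_resets(lines):
    """Ticket ids of high-risk resets granted without an acceptable verification method."""
    return [rec["ticket"] for rec in map(parse_ticket, lines) if is_unverified_reset(rec)]


def find_reset_bursts(lines, window=timedelta(minutes=10), threshold=3):
    """Ticket ids belonging to any run of >= threshold unverified resets inside `window`.

    The burst is measured across all agents, because a caller who is refused by
    one agent will typically call back and try another.
    """
    recs = sorted(map(parse_ticket, lines), key=lambda r: r["ts"])
    unverified = [r for r in recs if is_unverified_reset(r)]
    burst = set()
    for i, start in enumerate(unverified):
        group = [r for r in unverified[i:] if r["ts"] - start["ts"] <= window]
        if len(group) >= threshold:
            burst.update(r["ticket"] for r in group)
    return sorted(burst)


def unverified_by_agent(lines):
    """Count of unverified resets per agent, to direct coaching rather than blame."""
    counts = defaultdict(int)
    for rec in map(parse_ticket, lines):
        if is_unverified_reset(rec):
            counts[rec["agent"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("Unverified resets:", find_unverified_resets(SAMPLE_TICKETS))
    print("Burst tickets   :", find_reset_bursts(SAMPLE_TICKETS))
    print("Per agent       :", unverified_by_agent(SAMPLE_TICKETS))
```

The per-ticket check is the control the text calls for (familiarity triggers verification); the burst check is the detection that catches the case where the control was skipped under pressure, since a real locked-out employee rarely produces three resets across two agents in five minutes.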
Normalcy bias, optimism bias and in-group bias do not disappear across borders — they adapt to culture. In hierarchical environments, challenge feels like disrespect. In consensus-driven cultures, it feels disruptive. In fast-growth organisations, it feels like delay.
Different contexts and geographies. Same suppression of friction.
The mechanism shifts. The outcome does not.
When business as usual is culturally reinforced, verification becomes negotiable and challenge quietly recedes. Security is not culture-agnostic. Ignoring geography does not make controls universal — it makes them fragile.
What Needs to Change
Security doesn’t fail loudly. It fades quietly — when past success is mistaken for present relevance, when good intent is confused with low threat, and when familiar language replaces proof. This is not a frontline lapse or a simple process gap. It is a leadership and culture issue.
- Leaders must measure not only whether controls exist, but whether they are challenged.
- Assumptions need expiry dates — not indefinite renewal.
- Mitigations must be actively revalidated against current risk — not inherited by default.
- Familiarity should trigger verification — not relief.
Security that fits perfectly into business as usual is rarely being tested — and untested controls drift.
Now ask yourself:
What if the next intruder doesn’t look suspicious - what if they look familiar? Would your business as usual let them through... or pause?

Authors:
Katarzyna Kałużny | Global Leader in Operations & Enabling Functions | Executive MBA
Capt Ajesh Sharma | Global Security Strategist & Leader | Founder of Helix Security Advisors