Cybersecurity is now the most preferred item on the technology investment list. According to 2022 data, 88% of boards believe that cybersecurity is a commercial topic rather than a technical one. Nevertheless, executives and boards lack the necessary know-how to effectively manage cyber investment as a business topic.
As a result, no one can articulate the commercial benefit of a security measure. Hence, we cannot create a platform for a proper discussion of commercial investments in security, and many problems are experienced on a global scale.
Cybersecurity has been addressed at the board level for more than 15 years. Over the course of that period, I've consulted with dozens of boards to discuss cybersecurity and evaluated more than 1000 board presentations in this regard. I came to the realization that we need to earn money wisely, not just the money itself.
Boards don't know what they want exactly.
Cybersecurity is arcane, and security personnel are just wizards to them. Give the wizards some money, and abracadabra, the company is safe. If something goes wrong, new wizards can be hired anyway. This mindset has led to quite destructive investment decisions.
Even worse, the people in charge of assuring cybersecurity are stuck in the fallacy that more security is always better.
That is not the case. Yet dragons are a threat to boards, so you had better pay the wizards.
Take a look at every cybersecurity incident and you'll notice that the mistake was caused by human decision-making rather than a technological flaw.
To comfort the 150 million customers whose data had been compromised, the former CEO of Equifax stood up before the US Congress and promised to repair critical systems within 48 hours. The problem was that the hacked systems were still disabled and unpatched 77 days after they were compromised.
The key problem stated in his defense was that the wizards were not doing their job. Of course, he is the one who ended up losing his job. He was knowledgeable enough to cite their patching policy; however, he omitted to ask, "How many of our systems can be patched within 48 hours?"
This problem was outlined in the final 70-page report from the Equifax convention as follows: Cybersecurity was not a top priority for the CEO.
Colonial Pipeline is another relevant example. Although I do not have any inside information, the situation is crystal clear from the outside.
Why do you think most companies don't test recovery processes for critical functions? It is extremely expensive and dangerous to disassemble a fully operational business system in an effort to restore it.
When do you think most companies test their recovery processes? After a ransomware attack, of course. This is the most crucial variable in determining whether a ransomware attack is quickly and easily eliminated or results in a significant financial loss for the company.
It is evident that not testing these recovery processes is a commercial decision.
Even if you spend all of your money on cybersecurity, you could still fall victim to a hacking incident the following day because perfect protection is not a reality.
Currently, the majority of board members will nod and grin while stating that they comprehend this. Yet they are unaware of how fundamentally this circumstance has altered their viewpoint on the matter.
Spend your money and be safer, or save your money and make a compromise. Money is not the golden ticket at all. Many companies try to dig their way into that situation. Though not as safe as intended, they started to restrict themselves in some transactions.
I told the chief operating officer of a bank in London, which employed 50,000 people at the time of our conversation (before COVID), that he might be overprotecting the organization. He said, "Wait, how is it possible to overprotect a company?"
"Do you have an iPad?" I asked. "Yes," he said. "Then give it to me. You can't use the tablet any longer because it's unprotected," I said. "Now I see. We would jeopardize our business if we put everything under such tight supervision and started taking away the tools people need," he replied. Right on the spot.
On the other hand, you cannot ignore security. This is the question to ask: "What is the right level of security?"
The real purpose of a security program is NOT to prevent the company from being hacked, because that is simply impossible. The security program aims to strike a balance between corporate operations and protection needs. The right level of security must be ensured according to key stakeholders such as employees, customers, shareholders, and regulatory mechanisms.
We invest in technologies and amenities rather than results; hence, our cybersecurity efforts fail. We need to change this.
Maturity, which serves as a valuable benchmark for businesses with a score above 2.5, is regarded as the fundamental requirement for cybersecurity proficiency. Most of these companies are at these levels.
The idea of measuring risk is too heavily relied upon when attempting to predict unknown and uncontrollable circumstances. Unfortunately, this hasn't worked very well in our customer base so far. As well as being pricey, it can be tricked and does not encourage the kind of practical judgment we need in a business setting.
Risk quantification won't be the elixir many believe it to be. Yet this concept has now gained considerable popularity, along with false expectations. It is evident that a lot of money will be wasted until its shortcomings and limitations are fully recognized.
This may sound like sugarcoating the issue of cybersecurity investment. That is not the case at all. To balance risk with necessities and achieve the desired business outcomes, risk optimization is necessary to establish the proper priorities and make the appropriate expenditures.
You'll see greater and, more crucially, wiser investment if we engage boards in this way. This, in turn, will result in a safer world.
Source: Proctor, P. (2022, March 27). Cybersecurity as a Business Decision: A Manifesto. Gartner Blog.