Cybersecurity as a business decision

by Paul Proctor
April 4, 2022
Photo by fauxels from Pexels: https://www.pexels.com/photo/people-having-business-meeting-together-3183183/

Cybersecurity investment is broken

Cybersecurity is now the #1 spend item on the technology investment list. In 2022, 88% of boards say that cybersecurity is a business issue, not a technical one. Unfortunately, boards have no idea how to govern cyber as a business issue and executives have no idea how to guide cyber investment as a business issue.

Bottom line, no one can explain the business value of security controls, so we can’t have an adult conversation about business investment in security. And the world is in a very bad place because of that.

Cybersecurity has been a board-level issue for more than 15 years. In that time, I’ve reviewed more than 1000 board presentations and met with dozens of boards on cybersecurity. After all my board interactions, my conclusion is that we need smarter money, not just more money.

Admiring the problem

Boards have no idea what to ask for.

They treat security like magic and security people like wizards. You know, give the wizards some money, they cast some spells, and the organization is protected. If something goes wrong… I guess we need some new wizards. This has led to some very bad investment decisions.

Most damaging of all, security officers have been trapped in a recurring and crippling ideology that MORE security is always better.

It’s not. But boards are afraid of dragons, so you have to pay the wizards.

Failures of business decision-making

Look at any cybersecurity incident and you’ll find a failure of decision making, not a failure of technology.

The former CEO of Equifax, hacked to the tune of 150M people, stood up in front of the US Congress and said that they patched critical systems in 48 hours. The problem was that the system that got hacked was taken offline 77 days after it was compromised, and it still wasn’t patched.

The entire crux of his defensibility was that some wizard didn’t do their job. Except now he’s the one without a job. He knew enough to quote their patching policy, but he didn’t ask key questions like “what percentage of our systems are NOT being patched within 48 hours?”

The 70-page final report from the US Congress on Equifax summarized it this way: the CEO did not prioritize cybersecurity.
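The question the CEO did not ask is an outcome metric, not a policy statement. The following is an added illustration (not from the original post or from Gartner) of what that question looks like when it is actually measured: it takes a constructed inventory of systems with the date a critical fix became required and the date it was applied, and reports how much of the critical estate missed the 48-hour policy, what is still open, and the longest exposure. The system names, dates and the `sla_report` function are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SLA = timedelta(hours=48)  # the "critical systems patched in 48 hours" policy quoted above


@dataclass
class System:
    name: str
    critical: bool
    fix_required: datetime      # when the critical fix became available/required
    patched: Optional[datetime]  # None = still unpatched


def exposure(system: System, now: datetime) -> timedelta:
    """Time the system spent (or is still spending) unpatched."""
    end = system.patched if system.patched is not None else now
    return end - system.fix_required


def sla_report(systems, now):
    """Outcome view: not 'what is our policy' but 'how much of the estate missed it'."""
    crit = [s for s in systems if s.critical]
    missed = [s for s in crit if exposure(s, now) > SLA]
    still_open = [s for s in missed if s.patched is None]
    worst = max(crit, key=lambda s: exposure(s, now))
    return {
        "critical_total": len(crit),
        "pct_missed_sla": round(100.0 * len(missed) / len(crit), 1) if crit else 0.0,
        "still_unpatched": sorted(s.name for s in still_open),
        "worst_system": worst.name,
        "worst_exposure_days": exposure(worst, now).days,
    }


# Constructed sample inventory (not real data). One critical system missed the policy by
# days; another has sat unpatched for 77 days, mirroring the exposure window described above.
NOW = datetime(2022, 4, 4)
INVENTORY = [
    System("web-portal-01", True, datetime(2022, 1, 10), datetime(2022, 1, 11)),
    System("web-portal-02", True, datetime(2022, 1, 10), datetime(2022, 1, 14)),
    System("dispute-app", True, datetime(2022, 1, 17), None),
    System("intranet-wiki", False, datetime(2022, 1, 10), None),  # not critical, excluded
]

if __name__ == "__main__":
    print(sla_report(INVENTORY, NOW))
```

The board-level number is `pct_missed_sla` together with `worst_exposure_days`; a policy that reads "48 hours" says nothing about either.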

Colonial Pipeline is another example. I have no inside information, but what we see on the outside tells the story.

You know why most organizations don’t test their recovery processes for their critical functions? Because it’s very expensive and risky to take a fully functioning business system down to bare metal and hope that you can bring it back.

You know when most organizations test their recovery capabilities? After a ransomware attack. And that is the single biggest factor in whether a ransomware incident takes a couple of hours to clean up or devastates the organization.

Consider that the choice not to test those recovery processes is a business decision.

A reality check

The reality is that you can spend every available dollar on cybersecurity and you could still get hacked tomorrow because there is no such thing as perfect protection.

These days most board members will nod and smile and say they understand this. But I’m telling you they don’t understand it on a visceral level, the level that actually changes how they engage on the topic.

Cybersecurity is a choice

You can spend money and be more protected, or save money and be less protected. You can’t buy your way out of this. Many organizations have tried. They still aren’t perfectly protected, but they do start to damage their ability to function.

I was meeting with the chief operating officer of a 50,000-person bank in London (pre-COVID) and I told him that you can overprotect an organization. He literally said “Stop. What do you mean you can overprotect an organization?”

I said “do you have an iPad?” … he said “yes”, so I said, “well, give it to me, you can’t use it anymore because it’s not protected.” And he said “Oh, I get it, if we lock everything down so tightly that we start to take away the tools people need, then we’ll hurt our business.” Exactly.

Nor can you simply ignore security. So the right question is “what is the right amount of security?”

The real purpose of a security program is NOT to prevent the organization from being hacked, because that’s an impossible goal. The purpose of the security program is to balance the need to protect with the need to run the business. The right amount of security is one that’s defensible to our key stakeholders like our citizens, customers, shareholders, and regulators.

Invest in Outcomes, not Tools and Capabilities

Cybersecurity investment is broken because we invest in tools and capabilities, not outcomes. That has to change.

Maturity is the gold standard for reporting security readiness, but it has played out its usefulness for organizations that score above 2.5, which is most of them.

A lot of faith is being put into the concept of risk quantification to create estimations of unknowable and uncontrollable factors. Unfortunately, this is not playing out well in our client base. It is expensive, it can be gamed, and it doesn’t support the type of pragmatic decision making we need in a business context.

Risk quantification will not be the panacea people expect it to be. But it is currently at the height of inflated expectations and we expect a lot of money to be wasted on it, before its limitations are widely recognized.

Create a safer world

This may feel like an argument to moderate cybersecurity investment. It is not. This is about risk optimization: creating the right priorities and the right investments to balance risk with the need to achieve desired business outcomes.

If we engage boards in this manner, you’ll see greater investment and, more importantly, smarter investment. And that will create a safer world.

First published on Gartner Blog Network

Paul Proctor

Paul Proctor is a VP and Distinguished Analyst, and former Chief of Research for Risk and Security at Gartner. He leads CIO research for technology risk, cybersecurity and digital business measurement. Mr. Proctor advises CIOs, executives and boards to manage risk and balance the needs to protect with the needs to run their business. Proctor's coverage includes board reporting, outcome-driven metrics, risk management, the Gartner business value model, and digital business transformation. His ground-breaking research in risk, value, and cost management helps organizations prioritize and invest in the readiness of technology to support their business and mission outcomes. In 2016, he was appointed to the University of California Cyber Risk Advisory Board by former Secretary of Homeland Security and UC President, Janet Napolitano.

Previous experience

Mr. Proctor has been involved in various aspects of risk management and the business value of IT since 1985. He was the founder and CTO of two technology companies and developed first and second-generation host-based intrusion-detection technologies. He is a recognized expert in the fields of risk management, information security, and associated regulatory compliance issues. He has authored two books published by Prentice Hall. He was recognized for his expertise by being appointed to the original Telecommunications Infrastructure Protection working group used by Congress to understand critical infrastructure protection issues prior to the terrorist attack of 11th September. Previously, he worked for SAIC, Centrax, CyberSafe, Network Flight Recorder, and Practical Security.

Professional background

  • SAIC: Engineering Manager
  • Centrax: Founder and Chief Technology Officer
  • CyberSafe: Chief Technology Officer
