Cybersecurity investment is broken
Cybersecurity is now the #1 spend item on the technology investment list. In 2022, 88% of boards said that cybersecurity is a business issue, not a technical one. Unfortunately, boards have no idea how to govern cyber as a business issue, and executives have no idea how to guide cyber investment as one.
Bottom line: no one can explain the business value of a security control, so we can’t have an adult conversation about business investment in security. And the world is in a very bad place because of that.
Cybersecurity has been a board-level issue for more than 15 years. In that time, I’ve reviewed more than 1000 board presentations and met with dozens of boards on cybersecurity. After all my board interactions, my conclusion is that we need smarter money, not just more money.
Admiring the problem
Boards have no idea what to ask for.
They treat security like magic and security people like wizards. You know, give the wizards some money, they cast some spells, and the organization is protected. If something goes wrong… I guess we need some new wizards. This has led to some very bad investment decisions.
Most damaging of all, security officers have been trapped in a recurring and crippling ideology that MORE security is always better.
It’s not. But boards are afraid of dragons, so you have to pay the wizards.
Failures of business decision-making
Look at any cybersecurity incident and you’ll find a failure of decision making, not a failure of technology.
The former CEO of Equifax, hacked to the tune of 150M people, stood up in front of the US Congress and said that they patched critical systems within 48 hours. The problem was that the system that got hacked was taken offline 77 days after it was compromised, and it still wasn’t patched.
The entire crux of his defense was that some wizard didn’t do their job. Except now he’s the one without a job. He knew enough to quote the patching policy, but he didn’t ask the key question: “what percentage of our systems are NOT being patched within 48 hours?” A policy is not a control until someone measures compliance against it and reports the exceptions.
The 70-page final report from the US Congress on Equifax summarized it this way: the CEO did not prioritize cybersecurity.
Colonial Pipeline is another example. I have no inside information, but what we see from the outside tells the story.
You know why most organizations don’t test their recovery processes for their critical functions? Because it’s very expensive and risky to take a fully functioning business system down to bare metal and hope that you can bring it back.
You know when most organizations test their recovery capabilities? After a ransomware attack. And that is the single biggest factor in whether a ransomware incident takes a couple of hours to clean up or devastates the organization.
Consider that the choice not to test those recovery processes is a business decision.
A reality check
The reality is that you can spend every available dollar on cybersecurity and you could still get hacked tomorrow because there is no such thing as perfect protection.
These days most board members will nod and smile and say they understand this. But I’m telling you they don’t understand it on a visceral level, and that is the level of understanding that actually changes how they engage on the topic.
Cybersecurity is a choice
You can spend money and be more protected, or save money and be less protected. But you can’t buy your way out of this. Many organizations have tried. They still aren’t perfectly protected, and at some point the added controls start to damage their ability to function.
I was meeting with the chief operating officer of a 50,000-person bank in London (pre-COVID) and I told him that you can overprotect an organization. He literally said “Stop. What do you mean you can overprotect an organization?”
I said “do you have an iPad?” … he said “yes”, so I said, “well, give it to me, you can’t use it anymore because it’s not protected.” And he said “Oh, I get it, if we lock everything down so tightly that we start to take away the tools people need, then we’ll hurt our business.” Exactly.
Neither can you just ignore security. So the right question is “what is the right amount of security?”
The real purpose of a security program is NOT to prevent the organization from being hacked, because that’s an impossible goal. The purpose of the security program is to balance the need to protect with the need to run the business. The right amount of security is one that’s defensible to our key stakeholders like our citizens, customers, shareholders, and regulators.
Invest in Outcomes, not Tools and Capabilities
Cybersecurity investment is broken because we invest in tools and capabilities, not outcomes. That has to change.
Maturity is the gold standard for reporting security readiness, but it has played out its usefulness for organizations that score above a 2.5, which is most of them.
A lot of faith is being put into the concept of risk quantification to create estimates of unknowable and uncontrollable factors. Unfortunately, this is not playing out well in our client base. It is expensive, it can be gamed, and it doesn’t support the type of pragmatic decision making we need in a business context.
Risk quantification will not be the panacea people expect it to be. It is currently at the height of inflated expectations, and we expect a lot of money to be wasted on it before its limitations are widely recognized.
Create a safer world
This may feel like an argument to moderate cybersecurity investment. It is not. This is about risk optimization: setting the right priorities and making the right investments to balance risk against the need to achieve desired business outcomes.
If we engage boards in this manner, we’ll see greater investment and, more importantly, smarter investment. And that will create a safer world.
First published on Gartner Blog Network