Cybersecurity Investment is Broken
Cybersecurity is now the #1 spend item on the technology investment list. In 2022, 88% of boards say that cybersecurity is a business issue, not a technical one. Unfortunately, boards have no idea how to govern cyber AS a business issue and executives have no idea how to guide cyber investment as a business issue.
Bottom line, no one can explain the business value of a security control, so we can’t have an adult conversation about business investment in security. And the world is in a very bad place because of that.
Cybersecurity has been a board level issue for more than 15 years. In that time, I’ve reviewed more than 1000 board presentations and met with dozens of boards on cybersecurity. After all my board interactions, my conclusion is that we need smarter money, not just more money.
Admiring the Problem
Boards have no idea what to ask for.
They treat security like magic and security people like wizards. You know, give the wizards some money, who cast some spells, and the organization is protected. If something goes wrong… I guess we need some new wizards. This has led to some very bad investment decisions.
Most damaging of all, security officers are trapped in a recurring and crippling ideology that MORE security is always better.
It’s not. But boards are afraid of dragons, so you have to pay the wizards.
Failures of Business Decision-Making
Look at any cybersecurity incident and you’ll find a failure of decision making, not a failure of technology.
The former CEO of Equifax, hacked to tune of 150M people stood up in front of the US congress and said that they patched critical systems in 48 hours. The problem was, that the system that got hacked was taken off line 77 days after it was compromised, and it still wasn’t patched.
The entire crux of his defensibility was that some wizard didn’t do their job. Except now he’s the one without a job. He knew enough to quote their patching policy, but he didn’t ask key questions like “what percentage of our systems are NOT being patched within 48 hours.”
The 70 page final report from congress on Equifax summarized it this way: the CEO did not prioritize cybersecurity.
Colonial pipeline is another example. I have no inside information, but what we see on the outside tells the story.
You know why most organizations don’t test their recovery processes for their critical functions? Because it’s very expensive and risky to take a fully functioning business system down to bare metal and hope that you can bring it back.
You know when most organizations test their recovery capabilities? After a ransomware attack. And that is the single biggest factor in whether a ransomware incident takes a couple of hours to clean up or devastates the organization.
Consider that choice to not test those recovery processes is a business decision.
A Reality Check
The reality is that you can spend every available dollar on cybersecurity and you could still get hacked tomorrow, because there is no such thing as perfect protection.
These days most board members will nod and smile and say they understand this. But I’m telling you they don’t understand it on Visceral level that actually changes how they engage on the topic.
Cybersecurity is a Choice
You can spend money and be more protected, or save money and be less protected. You can’t buy your way out of this. Many organizations have tried. They still aren’t perfectly protected, but they do start to damage their ability to function.
I was meeting with the chief operating officer of a 50,000 person bank in London (pre-COVID) and I told him that you can overprotect an organization. He literally said “Stop. What do you mean you can overprotect an organization?”
I said “do you have an ipad” … he said “yes”, so I said, “well give it to me, you can’t use it anymore because it’s not protected.” And he said “Oh, I get it, if we lock everything down so tightly that we start to take the tools away that people need, then we’ll hurt our business.” Exactly.
Neither can you just ignore security. So the right question is “what is the right amount of security?”
The real purpose of a security program is NOT to prevent the organization from being hacked, because that’s an impossible goal. The purpose of the security program is to balance the needs to protect with the needs run the business. The right amount of security is one that’s defensible to our key stakeholders like our citizens, customers, shareholders, and regulators.
Invest in Outcomes, not Tools and Capabilities
Cybersecurity investment is broken because we invest in tools and capabilities, not outcomes. That has to change.
Maturity is the gold standard for reporting security readiness and it’s played out its usefulness for organizations that are above a 2.5. Which is most of them.
A lot of faith is being put into the concept of risk quantification to create estimations of unknowable and uncontrollable factors. Unfortunately, this is not playing out well in our client-base. It is expensive, it can be gamed, and it doesn’t support the type of pragmatic decision making we need in a business context.
Risk quantification will not be the panacea people expect it to be. But it is currently at the height of inflated expectations and we expect a lot of money to be wasted on it, before its limitations are widely recognized.
Create a Safer World
This may feel like an argument to moderate cybersecurity investment. It is not. This is about risk optimization to create the right priorities and the right investments to balance risk with the needs to achieve desired business outcomes.
If we engage boards in this manner, you’ll see greater investment and, more importantly, smarter investment. And that will create a safer world.
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
Comments are closed
9 Comments
Great article Paul! Thank you for the pragmatism and the the concept of over-protecting an organization. I feel like so often that companies do exactly what you said. That is, they invest in tools without understanding what exactly they are trying to achieve. In addition, they don’t establish quantifiable measurements to be able to track progress towards achieving goals and oblectives.
Well said Paul.
I would add one note. A false choice many organizations, and CISOs, have fallen into is the false “secure or useable” choice. Just because we need to “lock things down” does not mean we need to make them unusable. I think we often have a lack of imagination in designing security systems that can be both secure and useable.
Another true inspiring article Paul Proctor.
I was inspired by an article of yours when I decided to embrace vCISO profession.
I fully agree that cybersecurity doesn’t have be a “mantra” to follow at any cost and in any circumstance: the balance with business or ordinaly life must be the goal.
About risk quantification I agree with you that now is over-hyped, and as usual peolple tend to expect miracolous guesses about the implicity uncertaineity of the world, anyway I believe that trying to express risks in money they could cost is far better than labeling them High, Medium, Low.
Thank you for sharing your valuable thoughts.
Roberto Perelli
Paul,
Great article and spot on. It is an never ending challenge with organizations barking at the wrong cybersecurity issues and solutions.
Hopefully, we will make progress in managing security risk quickly. Time is of the essence. We cannot wait too much longer to recognize the importance of choosing the right solutions, right tools and right budgets to address the right security issues.
Thanks for publishing this article. Well written.
Well said Paul. We need to design security that makes the business environment secure and easy to use. We
Agree that the prevailing decision-making process is broken when it comes to information security and privacy. It’s so broken that many boards don’t even know if they meet the minimum legal fiduciary duties to their constituencies in this same area. The legal obligations of directors and officers constitutes a good initial domain in through which an organization can find the balance that this article discusses. At the very least make sure that the directors and officers are doing what the laws, regulations, contracts, etc., require. When we have that floor established, then we can build from there to find the correct balance point. But many organizations can’t tell you where that floor is, and so, as a consequence, they can’t do the balancing act either.
Paul, given the excellent content and clear prose of this posting, you should post more often.
Good to see you are still swinging for the fence!
Excellent articles. If I could add my few points here; I would also consider all of the points above when auditing a smart contract. Smart contracts are the new set of technology which forms DAOs and help people interact with systems with no human intervention.
Cybersecurity audits are becoming relevant more than ever.
Some percent of security are indeed technical, an everlasting race between the “Good Guys” against the bad guys developing new threats to our daily business.
But people are the factor we rely on. Best technical solutions are not effective if not implemented and maintained, and that is human decision to do so.
On the other hand, best awareness trainings are in vain if criminals are successful in penetrating the outer defensive walls of ratio and knowledge, attacking our emotional level, fear, pride, delight, play instinct.
Best admins are guided to the slippery slope and will fail, asking themselves ‘how could that happen’ later.
So: make techniques tailored for people, for mistakes and errors of people, able to offset their behavioral threats.
To my opinion, that is the challenge.