
Cybersecurity Spending Does Not Equal Protection

By Paul Proctor | February 12, 2023 | 1 Comment

Spending a lot on cybersecurity does not mean great protection. Believing otherwise leads to big security budgets and disappointed executives.

Sadly, one of the more popular questions that Gartner gets from our clients is “How much should I spend on cybersecurity?”

“We didn’t spend enough money on that.”

…Spoken by no CFO, ever

Executive business decision makers do not judge any other part of their business by the amount they spent on it. So why do they do it with security?

One of the biggest mistakes organizations can make is to conflate cybersecurity spend with protection. This leads to big security budgets that have no relationship to better security, and to executives disconnected from the reality of how security investment really works.

The problem is created by these seemingly contradictory statements that are both true.

  • Spending a lot on cybersecurity does not mean you have good protection.
  • You will need to make an investment if you want to become better protected.

“Make an investment” may be more money or an investment in time and effort to change from an older, less effective process or control to a newer, more effective one. The net may be cost savings, but you still must make an investment to create the change.

I know organizations that spend a ton of money on security and are terribly protected. I also know organizations with very modest security budgets that have created great levels of protection. Basically, money doesn’t equal protection, but investment is absolutely necessary if you want to become better protected.

It is true that “it all comes back to money.” But in cybersecurity investing, budget approval is only the start. Value is created by spending the money to create protection level outcomes.

Those outcomes dictate your protection, not the money you spent delivering them. The fact that you bought and implemented some cool stuff doesn’t mean better protection either.

When executives conflate the size of the budget with the level of protection, it leads to throwing money at the problem. That’s how organizations end up with big security budgets and poor protection.

Behaviors that reinforce the idea that cybersecurity spending = protection

The following behaviors should be avoided.

Behavior #1: Treating budget approval as a success

Many CISOs treat getting budget as a success. They build business cases, money is allocated and spent on tools, and all of this is reported back to the executives. This pattern reinforces executives’ belief that money is buying them better protection.

In each board meeting, the CISO reports the progress of money spent and tools implemented. This creates a self-affirming cycle between the CISO and management. The CISO gets more money/success and the executives believe they are getting better protection so they give the CISO more money, and on, and on.

…until the spend becomes so great that the executives ask what they got for all that money.

…or when the organization experiences a material cyber incident.

In both cases, the executives are left disillusioned.

Behavior #2: “Money is not a problem. I can get whatever I need.”

A recent article in the WSJ quoted Amazon CISO Stephen Schmidt:

Mr. Schmidt reports to Amazon Chief Executive Andy Jassy, who is focused on security. “That does actually make my job easier,” Mr. Schmidt said. “Andy has never turned me down for something that I said is necessary to do the job.”

I hear this sentiment expressed regularly, especially in large enterprises with well-funded security programs. For CISOs who are in this position, this is universally stated with pride because it’s an indicator of executive trust.

Trust is a good thing, but this also establishes a line of responsibility to the CISO. If something goes wrong, it’s completely legitimate to inquire why the CISO didn’t ask for something that would have prevented the incident. This expectation is amplified if the security budget is well-funded and the executives equate spend with protection.

Behavior #3: Cybersecurity spending benchmarks are the primary motivation for security investment

Cybersecurity spending benchmarks are a powerful tool to understand where you’re putting your money. When they are interpreted as a protection level, they lead to throwing money at the problem.

You should use spending benchmarks as leading indicators of underinvestment. You also need a story about what you’re doing with the existing budget, and what you will do with new budget to change protection levels.

To change hearts and minds, and to actively move your executives off the idea that “money = protection”, avoid these three CISO behaviors:

  • Don’t report spending money on tools without also reflecting a change in a protection level.
  • Manage expectations with executives who approve budget requests because they trust you.
  • Don’t lean exclusively on cybersecurity spending benchmarks to make the case for better protection.

The Bottom Line

It is not appropriate for executives to treat the CISO as the arbiter of appropriate protection and enable this by giving them whatever they request. This behavior should be tempered with an understanding that security is a choice and a business decision. The executives should be thoughtfully engaged in the choices presented by the CISO.

Measure outcomes and treat the spend as a necessary part of the conversation.

Focus on the protection level outcomes your executives say they want, within the organization’s willingness to pay for them.


1 Comment

  • Thanks for this Paul. This is really a big misconception. It is believed that once money is flowing into a project, it’s growing. This is not the case, as there should be metrics to measure the effectiveness of any system rather than being of the opinion that the more money that flows in equals effectiveness.