With more and more companies going digital—the need for cybersecurity is at an all-time high.

But this sudden need has also highlighted several fundamental problems with the modern approach to cybersecurity. Every business is aware that cybersecurity is important—yet poor planning and execution leave them more exposed than ever.

And as cybersecurity professionals, we believe it’s important to openly discuss these challenges.

Are you interested in learning more about:

The goal of this article is to help build an understanding of these challenges, how companies can approach and overcome them, and how to develop the right mindset when it comes to cybersecurity.

That point was further illustrated when a December 2018 report issued by the U.S. House of Representatives subcommittee indicated “Equifax’s CEO did not prioritize cybersecurity.”

Governments are starting to recognize the importance of cybersecurity. In July 2019, the U.K. Information Commissioner clarified that the severity of fines under GDPR is based on the existence of adequate, reasonable, consistent, and effective controls.

This statement establishes a different type of standard to pursue appropriate levels of cybersecurity protection. The limitations of current approaches to security priorities, such as investment and governance, are not in alignment with—or even capable of—addressing this new standard.

Instead, a new approach is needed—one that sees businesses come to terms with their limitations. We must accept this standard as a fundamental business problem that should align with core business needs.

But what is wrong about the current approach to cybersecurity? We believe it falls into a series of challenges and outcomes:

Fear, uncertainty, and doubt are often the driving forces behind cybersecurity investment.

After all, no one wants to be the next Equifax.

And when breaches happen, the media is always quick to ask: “Why can’t they just fix this?”

Society has made cybersecurity the black box that it is—treating industry professionals like wizards.

It’s the same tired story every time. A breach makes the news, execs look for a cybersecurity wizard, that wizard works their magic—and if something goes wrong—they offload blame and find someone new.

Our society of fear has created a double standard.

Think about it like this. We accept that a bank may get robbed, but expect a digital bank to be perfect. We feel sorry for the bank’s employees who witness a robbery—seeing them as the victims they are—but show no sympathy for digital crimes.

Societal pressure has seen large companies spend the last decade investing in cybersecurity, identifying and combating threats, and developing internal protocols. But none of this answered one key question: how much security do they need?

Societal pressure has driven governments to create regulations. While these regulations forced organizations to act, it reduced cybersecurity to a series of checkboxes.

Executives believe that compliance will save them, but compliance rarely translates into protection. Compliance forces us to needlessly spend rather than investing money where it can make a difference.

Most organizations are asking the wrong questions today, which leads to bad decisions, misaligned priorities, and poor investments in cybersecurity.

But what questions are these organizations asking? These questions include:

At best, these questions lead to approval for some type of security budget. At worst, they lead to a false sense of security that everything is okay.

Let me tell you something. Everything is almost always not okay.

It’s well-known that most companies fall short when it comes to cybersecurity. Today’s CIOs and CISOs feel the pressure to perform, which leads to poor strategies and execution.

Here are the main reasons why we believe most cybersecurity investments fail:

The Open-Checkbook Method

Money alone does not solve the problem. Execs need to become more engaged in security, making it a company initiative.

Organizations need more than just money to solve problems—they need smart money that truly understands the problem.

Hyper-Focusing on Risk Appetite

The risk appetite approach is a popular concept today. Risk appetite measures how much risk a business is willing to accept. It’s an important admission that risk is inevitable, and that risk is a tool that can be taken in measured doses to support business success.

A clearly articulated risk appetite should allow the organization to express how much risk it wants, serving as a guide to cybersecurity investment.

Quantification Is Not a Magic Bullet

Humans like to quantify things—it’s how we determine risk and response. In cybersecurity, this translates to two things:

Boards need these numbers to justify their decision making, and many people are starting to believe this is the correct approach.

But is this the right approach?

We have several examples of organizations that have engaged in quantification exercises—producing fancy charts and models that justify their bias. Quantification leaves you at the mercy of “expert opinion.”

Quantification may serve as a useful tool to justify investments, but it’s not a magic bullet that can solve your cybersecurity problems.

Internal Audit and Regulatory Compliance Remain Primary Drivers

Many board-level executives still believe that internal audit and regulatory compliance can serve as primary guides for complex cybersecurity issues.

There are several indicators of this, including:

The limitations of this mentality are well-known. Internal auditors should not dictate how much risk is acceptable or which controls are most important. Checkboxes create spend in areas where you don’t need it and take resources away from areas where you do need it.

Cybersecurity standards and frameworks are published recommendations designed to secure an environment. There are dozens of them, including the most popular ones—NIST and ISO 2700x.

The principal objective of these standards is to reduce cybersecurity risks. They include:

Process maturity models use this information to extract best practices and techniques to determine capability levels. Together, they guide priorities and investments to achieve desired levels of cybersecurity capability.

But these maturity models only measure how good capabilities are—not what they are achieving!

As organizations achieve higher maturity, these maturity models, frameworks, and standards begin to lose their value.

Around 2.5, they become poor guides in helping an organization determine further priorities and investments.  Above 2.5, the complexity of potential investments must be crafted more closely to the context of the organization.

Regulators have also signaled that cybersecurity capabilities must-have characteristics beyond those commonly represented and audited in maturity models and existing standards.

Maturity models have helped organizations prioritize billions of dollars in spending over the last two decades, and that has netted excellent results.

Gartner maturity data for all industries indicates an average between 2.6 and 3.6 for all industries. Organizations need something more powerful that has that direct line of sight to deliver higher levels of protection.

The purpose of a security program is not to protect the organization—that’s an impossible goal.  The purpose of a security program is to balance the need to protect with the need to run the business.

If we can’t protect the organization entirely, what should we do? Cybersecurity readiness is a choice. Create adequate, reasonable, consistent, and effective controls that are credible and defensible with your key stakeholders—your shareholders, regulators, and customers—so they can see you’re spending the right amount on the right things in security.

Risk, value, and cost optimization guide priorities and investments. After all, risk optimization demonstrates the organization has the right priorities and investments to balance risk and desired business outcomes.

The urgency to treat cybersecurity as a business decision has never been