As more and more companies go digital, the need for cybersecurity is at an all-time high.
But this sudden need has also highlighted several fundamental problems with the modern approach to cybersecurity. Every business is aware that cybersecurity is important—yet poor planning and execution leave them more exposed than ever.
And as cybersecurity professionals, we believe it’s important to openly discuss these challenges.
Are you interested in learning more about:
- How you can research to build a personalized business case that changes how your organization approaches cybersecurity.
- How to improve your cybersecurity readiness by treating it as a choice and a business decision.
- How you can leverage an outcome-driven approach to drive cybersecurity priorities and investments to balance risk and achieve business outcomes.
The goal of this article is to help build an understanding of these challenges, how companies can approach and overcome them, and how to develop the right mindset when it comes to cybersecurity.
Why Cybersecurity Is the Focus Today
By now, you’ve likely heard about the 2017 Equifax data breach—that same breach that exposed nearly 150 million private records, including personal information, social security numbers, and more.
No one can dispute the poor cybersecurity practices Equifax had in place. Then-CEO Richard Smith resigned, citing the hack as the fundamental reason for his decision.
That point was further illustrated when a December 2018 report issued by the U.S. House of Representatives subcommittee indicated “Equifax’s CEO did not prioritize cybersecurity.”
Governments are starting to recognize the importance of cybersecurity. In July 2019, the U.K. Information Commissioner clarified that the severity of fines under GDPR is based on the existence of adequate, reasonable, consistent, and effective controls.
This statement establishes a different type of standard to pursue appropriate levels of cybersecurity protection. The limitations of current approaches to security priorities, such as investment and governance, are not in alignment with—or even capable of—addressing this new standard.
Instead, a new approach is needed—one that sees businesses come to terms with their limitations. We must accept this standard as a fundamental business problem that should align with core business needs.
The Most Common Cybersecurity Challenges and Outcomes
But what is wrong about the current approach to cybersecurity? We believe it falls into a series of challenges and outcomes:
- Challenge 1: Organizations focus on the wrong questions when it comes to cybersecurity.
- Outcome 1: Ineffective questions lead to poor understanding and drive attention away from improved understanding and better investments.
- Challenge 2: Cybersecurity is viewed as a technical problem that should be left to technical people.
- Outcome 2: This leads to a culture of fear, uncertainty, and doubt, poor engagement with executives, and bad investments in cybersecurity.
- Challenge 3: Current investments serve to address known limitations.
- Outcome 3: Organizations still focus on big concepts, but failed execution and poor expectations actually delay positive cybersecurity outcomes.
- Challenge 4: Real failures are not receiving enough attention to change user behavior productively.
- Outcome 4: Maintaining compliance doesn’t automatically translate to better security.
The Catalyst: Poor Engagement Leads to Poor Investment
Fear, uncertainty, and doubt are often the driving forces behind cybersecurity investment.
After all, no one wants to be the next Equifax.
And when breaches happen, the media is always quick to ask: “Why can’t they just fix this?”
Society has made cybersecurity the black box that it is—treating industry professionals like wizards.
It’s the same tired story every time. A breach makes the news, execs look for a cybersecurity wizard, that wizard works their magic—and if something goes wrong—they offload blame and find someone new.
Our society of fear has created a double standard.
Think about it like this. We accept that a bank may get robbed, but expect a digital bank to be perfect. We feel sorry for the bank’s employees who witness a robbery—seeing them as the victims they are—but show no sympathy for digital crimes.
Societal pressure has seen large companies spend the last decade investing in cybersecurity, identifying and combating threats, and developing internal protocols. But none of this answered one key question: how much security do they need?
Societal pressure has driven governments to create regulations. While these regulations forced organizations to act, they also reduced cybersecurity to a series of checkboxes.
Executives believe that compliance will save them, but compliance rarely translates into protection. Compliance forces us to needlessly spend rather than investing money where it can make a difference.
Organizations Are Asking the Wrong Questions About Cybersecurity
Most organizations are asking the wrong questions today, which leads to bad decisions, misaligned priorities, and poor investments in cybersecurity.
But what questions are these organizations asking? These questions include:
- What metrics should I report to my board? The metrics most used today are trailing indicators of factors the organization does not control. This may include the total number of attacks and other reactive statistics. This is the wrong approach. You have to fix the underlying governance model before you can fix the metrics.
- How can I comply with regulation X? Regulatory compliance does not equate to protection. HIPAA-compliant companies have experienced data breaches.
- How can I quantify cybersecurity risk? Most representations of risk and security readiness are neither credible nor defensible. And even when they are reliable, they do not support daily decision making related to priorities and investments in security.
- What tools should I implement? Security capabilities are a function of people, processes, and technology. Leading with technology results in poor outcomes.
- What are the most common threats in my industry? Organizations do not control threats. They only manage priorities and investments in security readiness.
- How much security do I need? This is a legitimate question, but everyone is seeking a simple answer to an incredibly complex question.
At best, these questions lead to approval for some type of security budget. At worst, they lead to a false sense of security that everything is okay.
Let me tell you something. Everything is almost always not okay.
Why Cybersecurity Investments Are Falling Short
It’s well-known that most companies fall short when it comes to cybersecurity. Today’s CIOs and CISOs feel the pressure to perform, which leads to poor strategies and execution.
Here are the main reasons why we believe most cybersecurity investments fail:
The Open-Checkbook Method
Money alone does not solve the problem. Execs need to become more engaged in security, making it a company initiative.
Organizations need more than just money to solve problems—they need smart money that truly understands the problem.
Hyper-Focusing on Risk Appetite
The risk appetite approach is a popular concept today. Risk appetite measures how much risk a business is willing to accept. It’s an important admission that risk is inevitable, and that risk is a tool that can be taken in measured doses to support business success.
A clearly articulated risk appetite should allow the organization to express how much risk it wants, serving as a guide to cybersecurity investment.
Quantification Is Not a Magic Bullet
Humans like to quantify things—it’s how we determine risk and response. In cybersecurity, this translates to two things:
- How much will this data breach cost?
- What is the likelihood that we will get hacked?
Boards need these numbers to justify their decision making, and many people are starting to believe this is the correct approach.
But is this the right approach?
We have several examples of organizations that have engaged in quantification exercises—producing fancy charts and models that justify their bias. Quantification leaves you at the mercy of “expert opinion.”
Quantification may serve as a useful tool to justify investments, but it’s not a magic bullet that can solve your cybersecurity problems.
Internal Audit and Regulatory Compliance Remain Primary Drivers
Many board-level executives still believe that internal audit and regulatory compliance can serve as primary guides for complex cybersecurity issues.
There are several indicators of this, including:
- Cybersecurity board reporting getting buried in an audit committee
- Focusing on addressing internal audit findings over building an effective program
- Organizations where cybersecurity reports into an organization called “audit and compliance” or “risk and compliance”
- Doing the bare minimum with the checkbox mentality
- Lacking a suitable cybersecurity framework
- Programs based on ISO or NIST
- Pursuing program certifications
The limitations of this mentality are well-known. Internal auditors should not dictate how much risk is acceptable or which controls are most important. Checkboxes create spend in areas where you don’t need it and take resources away from areas where you do need it.
The Limitations of Current Standards, Frameworks, and Maturity Models for Cybersecurity
Cybersecurity standards and frameworks are published recommendations designed to secure an environment. There are dozens of them, including the most popular ones—NIST and ISO 2700x.
The principal objective of these standards is to reduce cybersecurity risks. They include:
- Collections of tools
- Policies
- Security concepts
- Security safeguards
- Guidelines
- Risk management approaches
- Suggested actions
- Training
- Best-practice assurance
- Recommended technology
Process maturity models use this information to extract best practices and techniques to determine capability levels. Together, they guide priorities and investments to achieve desired levels of cybersecurity capability.
But these maturity models only measure how good capabilities are—not what they are achieving!
As organizations achieve higher maturity, these maturity models, frameworks, and standards begin to lose their value.
Around a maturity level of 2.5, they become poor guides in helping an organization determine further priorities and investments. Above 2.5, potential investments are complex enough that they must be crafted more closely to the context of the organization.
Regulators have also signaled that cybersecurity capabilities must have characteristics beyond those commonly represented and audited in maturity models and existing standards.
Maturity models have helped organizations prioritize billions of dollars in spending over the last two decades, and that has netted excellent results.
Gartner maturity data across all industries indicates an average maturity level between 2.6 and 3.6. Organizations need something more powerful that has a direct line of sight to delivering higher levels of protection.
Cybersecurity Readiness Is a Choice
The purpose of a security program is not to protect the organization—that’s an impossible goal. The purpose of a security program is to balance the need to protect with the need to run the business.
If we can’t protect the organization entirely, what should we do? Cybersecurity readiness is a choice. Create adequate, reasonable, consistent, and effective controls that are credible and defensible with your key stakeholders—your shareholders, regulators, and customers—so they can see you’re spending the right amount on the right things in security.
Risk, value, and cost optimization guide priorities and investments. After all, risk optimization demonstrates the organization has the right priorities and investments to balance risk and desired business outcomes.
The urgency to treat cybersecurity as a business decision has never been