Are These Cybersecurity Challenges Undermining Its Effectiveness?
With more and more companies going digital, the need for cybersecurity is at an all-time high. But this sudden need has also highlighted several fundamental problems with the modern approach to cybersecurity. Every business is aware that cybersecurity is important, yet poor planning and execution leave them more exposed than ever. As cybersecurity professionals, we believe it is important to openly discuss these challenges. Are you interested in learning more about:
- How to research and build a personalized business case that changes how your organization approaches cybersecurity.
- How to improve your cybersecurity readiness by treating it as a choice and a business decision.
- How you can leverage an outcome-driven approach to drive cybersecurity priorities and investments to balance risk and achieve business outcomes.
Why Cybersecurity Is the Focus Today
By now, you have likely heard about the 2017 Equifax data breach, the breach that exposed nearly 150 million private records, including personal information, social security numbers, and more. No one can dispute the poor cybersecurity practices Equifax had in place. Then-CEO Richard Smith resigned, citing the hack as the fundamental reason for his decision. That point was further illustrated when a December 2018 report issued by the U.S. House of Representatives subcommittee indicated that “Equifax’s CEO did not prioritize cybersecurity.”
Governments are starting to recognize the importance of cybersecurity. In July 2019, the U.K. Information Commissioner clarified that the severity of fines under GDPR is based on the existence of adequate, reasonable, consistent, and effective controls. This statement establishes a different type of standard for pursuing appropriate levels of cybersecurity protection. Current approaches to security priorities, investment, and governance are neither aligned with this new standard nor capable of addressing it. Instead, a new approach is needed, one in which businesses come to terms with their limitations. We must accept this standard as a fundamental business problem that should align with core business needs.
The Most Common Cybersecurity Challenges and Outcomes
But what is wrong with the current approach to cybersecurity? We believe it falls into a series of challenges and outcomes:
- Challenge 1: Organizations focus on the wrong questions when it comes to cybersecurity.
- Outcome 1: Ineffective questions lead to poor understanding and drive attention away from improved understanding and better investments.
- Challenge 2: Cybersecurity is viewed as a technical problem that should be left to technical people.
- Outcome 2: This leads to a culture of fear, uncertainty, and doubt, poor engagement with executives, and bad investments in cybersecurity.
- Challenge 3: Current investments serve to address known limitations.
- Outcome 3: Organizations still focus on big concepts, but failed execution and poor expectations actually delay positive cybersecurity outcomes.
- Challenge 4: Real failures are not receiving enough attention to change user behavior productively.
- Outcome 4: Maintaining compliance doesn’t automatically translate to better security.
The Catalyst: Poor Engagement Leads to Poor Investment
Fear, uncertainty, and doubt are often the driving forces behind cybersecurity investment. After all, no one wants to be the next Equifax. And when breaches happen, the media is always quick to ask: “Why can’t they just fix this?” Society has made cybersecurity the black box that it is, treating industry professionals like wizards. It is the same tired story every time: a breach makes the news, executives look for a cybersecurity wizard, that wizard works their magic, and if something goes wrong, they offload blame and find someone new.
Our society of fear has created a double standard. Think about it like this. We accept that a bank may get robbed, but expect a digital bank to be perfect. We feel sorry for the bank’s employees who witness a robbery, seeing them as the victims they are, but show no sympathy for the victims of digital crimes.
Societal pressure has seen large companies spend the last decade investing in cybersecurity, identifying and combating threats, and developing internal protocols. But none of this answered one key question: how much security do they need? Societal pressure has also driven governments to create regulations. While these regulations forced organizations to act, they reduced cybersecurity to a series of checkboxes. Executives believe that compliance will save them, but compliance rarely translates into protection. Compliance forces us to spend needlessly rather than investing money where it can make a difference.
Organizations Are Asking the Wrong Questions About Cybersecurity
Most organizations are asking the wrong questions today, which leads to bad decisions, misaligned priorities, and poor investments in cybersecurity. But what questions are these organizations asking? They include:
- What metrics should I report to my board? The metrics most used today are trailing indicators of factors the organization does not control. This may include the total number of attacks and other reactive statistics. This is the wrong approach. You have to fix the underlying governance model before you can fix the metrics.
- How can I comply with regulation X? Regulatory compliance does not equate to protection. HIPAA-compliant companies have experienced data breaches.
- How can I quantify cybersecurity risk? Most representations of risk and security readiness are not credible and defensible. And even when they are reliable, they do not support daily decision making related to priorities and investments in security.
- What tools should I implement? Security capabilities are a function of people, processes, and technology. Leading with technology results in poor outcomes.
- What are the most common threats in my industry? Organizations do not control threats. They only manage priorities and investments in security readiness.
- How much security do I need? This is a legitimate question, but everyone is seeking a simple answer to an incredibly complex question.
Why Cybersecurity Investments Are Falling Short
It is well known that most companies fall short when it comes to cybersecurity. Today’s CIOs and CISOs feel the pressure to perform, which leads to poor strategies and execution. Here are the main reasons why we believe most cybersecurity investments fail:
The Open-Checkbook Method
Money alone does not solve the problem. Executives need to become more engaged in security, making it a company initiative. Organizations need more than just money to solve problems; they need smart money backed by a real understanding of the problem.
Hyper-Focusing on Risk Appetite
The risk appetite approach is a popular concept today. Risk appetite measures how much risk a business is willing to accept. It is an important admission that risk is inevitable, and that risk is a tool that can be taken in measured doses to support business success. A clearly articulated risk appetite should allow the organization to express how much risk it wants, serving as a guide to cybersecurity investment.
Quantification Is Not a Magic Bullet
Humans like to quantify things; it is how we determine risk and response. In cybersecurity, this translates to two questions:
- How much will this data breach cost?
- What is the likelihood that we will get hacked?
- Cybersecurity board reporting getting buried in an audit committee
- Focusing on addressing internal audit findings over building an effective program
- Organizations where cybersecurity reports into an organization called “audit and compliance” or “risk and compliance”
- Doing the bare minimum with the checkbox mentality
- Lacking a suitable cybersecurity framework
- Programs based on ISO or NIST
- Pursuing program certifications
The Limitations of Current Standards, Frameworks, and Maturity Models for Cybersecurity
Cybersecurity standards and frameworks are published recommendations designed to secure an environment. There are dozens of them, including the most popular ones, NIST and ISO 2700x. The principal objective of these standards is to reduce cybersecurity risks. They include:
- Collections of tools
- Security concepts
- Security safeguards
- Risk management approaches
- Suggested actions
- Best-practice assurance
- Recommended technology