With more and more companies going digital—the need for cybersecurity is at an all-time high.

But this sudden need has also highlighted several fundamental problems with the modern approach to cybersecurity. Every business is aware that cybersecurity is important—yet poor planning and execution leave them more exposed than ever. 

And as cybersecurity professionals, we believe it’s important to openly discuss these challenges.

Are you interested in learning more about:

• How you can research to build a personalized business case that changes how your organization approaches cybersecurity. 
• How to improve your cybersecurity readiness by treating it as a choice and a business decision.
• How you can leverage an outcome-driven approach to drive cybersecurity priorities and investments to balance risk and achieve business outcomes.

The goal of this article is to help build an understanding of these challenges, how companies can approach and overcome them, and how to develop the right mindset when it comes to cybersecurity.

Why Cybersecurity Is the Focus Today

By now, you’ve likely heard about the 2017 Equifax data breach—that same breach that exposed nearly 150 million private records, including personal information, social security numbers, and more. 

No one can dispute the poor cybersecurity practices Equifax had in place. Then-CEO Richard Smith resigned , citing the hack as the fundamental reason for his decision.

That point was further illustrated when a December 2018 report issued by the U.S. House of Representatives subcommittee indicated “Equifax’s CEO did not prioritize cybersecurity.”

Governments are starting to recognize the importance of cybersecurity. In July 2019, the U.K. Information Commissioner clarified that the severity of fines under GDPR is based on the existence of adequate, reasonable, consistent, and effective controls. 

This statement establishes a different type of standard to pursue appropriate levels of cybersecurity protection. The limitations of current approaches to security priorities, such as investment and governance, are not in alignment with—or even capable of—addressing this new standard. 

Instead, a new approach is needed—one that sees businesses come to terms with their limitations. We must accept this standard as a fundamental business problem that should align with core business needs.

The Most Common Cybersecurity Challenges and Outcomes

But what is wrong about the current approach to cybersecurity? We believe it falls into a series of challenges and outcomes:

• Challenge 1: Organizations focus on the wrong questions when it comes to cybersecurity.
• Outcome 1: Ineffective questions lead to poor understanding and drive attention away from improved understanding and better investments.

• Challenge 2: Cybersecurity is viewed as a technical problem that should be left to technical people.
• Outcome 2: This leads to a culture of fear, uncertainty, and doubt, poor engagement with executives, and bad investments in cybersecurity.

• Challenge 3: Current investments serve to address known limitations.
• Outcome 3: Organizations still focus on big concepts, but failed execution and poor expectations actually delay positive cybersecurity outcomes.

• Challenge 4: Real failures are not receiving enough attention to change user behavior productively.
• Outcome 4: Maintaining compliance doesn’t automatically translate to better security.

The Catalyst: Poor Engagement Leads to Poor Investment 

Fear, uncertainty, and doubt are often the driving forces behind cybersecurity investment. 

After all, no one wants to be the next Equifax. 

And when breaches happen, the media is always quick to ask: “Why can’t they just fix this?” 

Society has made cybersecurity the black box that it is—treating industry professionals like wizards. 

It’s the same tired story every time. A breach makes the news, execs look for a cybersecurity wizard, that wizard works their magic—and if something goes wrong—they offload blame and find someone new.

Our society of fear has created a double standard.

Think about it like this. We accept that a bank may get robbed, but expect a digital bank to be perfect. We feel sorry for the bank’s employees who witness a robbery—seeing them as the victims they are—but show no sympathy for digital crimes.

Societal pressure has seen large companies spend the last decade investing in cybersecurity, identifying and combating threats, and developing internal protocols. But none of this answered one key question: how much security do they need?

Societal pressure has driven governments to create regulations. While these regulations forced organizations to act, it reduced cybersecurity to a series of checkboxes. 

Executives believe that compliance will save them, but compliance rarely translates into protection. Compliance forces us to needlessly spend rather than investing money where it can make a difference.

Organizations Are Asking the Wrong Questions About Cybersecurity

Most organizations are asking the wrong questions today, which leads to bad decisions, misaligned priorities, and poor investments in cybersecurity. 

But what questions are these organizations asking? These questions include:

• What metrics should I report to my board? The metrics most used today are trailing indicators of factors the organization does not control. This may include the total number of attacks and other reactive statistics. This is the wrong approach. You have to fix the underlying governance model before you can fix the metrics.

• How can I comply with regulation X? Regulatory compliance does not equate to protection. HIPAA-compliant companies have experienced data breaches.

• How can I quantify cybersecurity risk? Most representations of risk and security readiness are not credible and defensible. And even when they are reliable, they do not support daily decision making related to priorities and investments in security.

• What tools should I implement? Security capabilities are a function of people, processes, and technology. Leading with technology results in poor outcomes.

• What are the most common threats in my industry? Organizations do not control threats. They only manage priorities and investments in security readiness.

• How much security do I need? This is a legitimate question, but everyone is seeking a simple answer to an incredibly complex question.

At best, these questions lead to approval for some type of security budget. At worst, they lead to a false sense of security that everything is okay.

Let me tell you something. Everything is almost always not okay.

Why Cybersecurity Investments Are Falling Short

It’s well-known that most companies fall short when it comes to cybersecurity. Today’s CIOs and CISOs feel the pressure to perform, which leads to poor strategies and execution.

Here are the main reasons why we believe most cybersecurity investments fail:

The Open-Checkbook Method

Money alone does not solve the problem. Execs need to become more engaged in security, making it a company initiative. 

Organizations need more than just money to solve problems—they need smart money that truly understands the problem.

Hyper-Focusing on Risk Appetite

The risk appetite approach is a popular concept today. Risk appetite measures how much risk a business is willing to accept. It’s an important admission that risk is inevitable, and that risk is a tool that can be taken in measured doses to support business success. 

A clearly articulated risk appetite should allow the organization to express how much risk it wants, serving as a guide to cybersecurity investment.

Quantification Is Not a Magic Bullet

Humans like to quantify things—it’s how we determine risk and response. In cybersecurity, this translates to two things:

• How much will this data breach cost?
• What is the likelihood that we will get hacked? 

Boards need these numbers to justify their decision making, and many people are starting to believe this is the correct approach.

But is this the right approach?

We have several examples of organizations that have engaged in quantification exercises—producing fancy charts and models that justify their bias. Quantification leaves you at the mercy of “expert opinion.” 

Quantification may serve as a useful tool to justify investments, but it’s not a magic bullet that can solve your cybersecurity problems.

Internal Audit and Regulatory Compliance Remain Primary Drivers

Many board-level executives still believe that internal audit and regulatory compliance can serve as primary guides for complex cybersecurity issues. 

There are several indicators of this, including:

• Cybersecurity board reporting getting buried in an audit committee
• Focusing on addressing internal audit findings over building an effective program
• Organizations where cybersecurity reports into an organization called “audit and compliance” or “risk and compliance”
• Doing the bare minimum with the checkbox mentality
• Lacking a suitable cybersecurity framework
• Programs based on ISO or NIST.
• Pursuing program certifications

The limitations of this mentality are well-known. Internal auditors should not dictate how much risk is acceptable or which controls are most important. Checkboxes create spend in areas where you don’t need it and take resources away from areas where you do need it.

The Limitations of Current Standards, Frameworks, and Maturity Models for Cybersecurity

Cybersecurity standards and frameworks are published recommendations designed to secure an environment. There are dozens of them, including the most popular ones—NIST and ISO 2700x.

The principal objective of these standards is to reduce cybersecurity risks. They include:

• Collections of tools
• Policies
• Security concepts
• Security safeguards 
• Guidelines 
• Risk management approaches
• Suggested actions 
• Training 
• Best-practice assurance
• Recommended technology

Process maturity models use this information to extract best practices and techniques to determine capability levels. Together, they guide priorities and investments to achieve desired levels of cybersecurity capability. 

But these maturity models only measure how good capabilities are—not what they are achieving!

As organizations achieve higher maturity, these maturity models, frameworks, and standards begin to lose their value. 

Around 2.5, they become poor guides in helping an organization determine further priorities and investments.  Above 2.5, the complexity of potential investments must be crafted more closely to the context of the organization.

Regulators have also signaled that cybersecurity capabilities must-have characteristics beyond those commonly represented and audited in maturity models and existing standards.

Maturity models have helped organizations prioritize billions of dollars in spending over the last two decades, and that has netted excellent results. 

Gartner maturity data for all industries indicates an average between 2.6 and 3.6 for all industries. Organizations need something more powerful that has that direct line of sight to deliver higher levels of protection.

Cybersecurity Readiness Is a Choice

The purpose of a security program is not to protect the organization—that’s an impossible goal.  The purpose of a security program is to balance the need to protect with the need to run the business.

If we can’t protect the organization entirely, what should we do? Cybersecurity readiness is a choice. Create adequate, reasonable, consistent, and effective controls that are credible and defensible with your key stakeholders—your shareholders, regulators, and customers—so they can see you’re spending the right amount on the right things in security. 

Risk, value, and cost optimization guide priorities and investments. After all, risk optimization demonstrates the organization has the right priorities and investments to balance risk and desired business outcomes.

The urgency to treat cybersecurity as a business decision has never been greater. Organizations now have the understanding and the tools to do it.

Why does a double standard exist when it comes to cybercrime? Although the comparative environment of a physical crime, like a robbery, and a cybercrime, like stealing credit card numbers, are different, the crimes are similar in many ways. 

Criminals steal money everyday, in every format. However, the way the public responds to these crimes, especially regarding the attribution of blame, is different.

If Bonnie and Clyde shoot up a bank and steal millions of dollars in cold hard cash, it’s a national event, but people do not regard Bonnie and Clyde as solely responsible for the robbery. Causes include the economy, weak bank security practices, the banks foreclosing on people’s homes, and other societal outcomes.

In modern times, if someone shaves pennies off millions of online banking transactions and reroutes this money to their account, becoming a multi-millionaire in the process, few people take an interest, and everyone blames the hacker, or some C-level executive at the bank.

To bolster security, employees work together to strengthen business processes and practices, and to ensure the safety of their customers’ data. Why then, are specific C-level employees, like Susan Mauldin of Equifax, blamed for their company’s data breaches? Surely more people can share the blame, especially the hackers?

Equifax: The Dangerous Double Standard

Equifax is one of the top American credit reporting agencies. The personal and sensitive data of approximately 150 million Americans was stolen from May to July 2017 and reported in September of that year. Waiting 2-4 months to report the loss of sensitive data, just because a cybercrime occurred, is a severe issue. The main issue, however, runs much deeper than this. 

While few people in Equifax were blamed for this breach, blame should be attributable to more people, like the hackers and other employees in Equifax. While the company could have implemented more robust infrastructure, or improved communication flows to mitigate hacks before they occurred or to respond preemptively better, the company is not solely at fault. This was a widespread issue that no one person could control.

Equifax’s internal conduct was exposed after Congress released a report on the breach. IT and security at Equifax were kept separate, leading to a lack of communication within the organization. This separation started in 2007, ten years before the hack, as the Chief Security Officer and Chief Information Officer had a personality clash and could not resolve their differences. Had this separation been resolved, Equifax may not have waited to report the breach as long as they did.

The lack of communication is unacceptable yet common in companies worldwide. There is no standard for cybersecurity in practice. Companies should follow best practices, but every company is unique and will implement cybersecurity as they see fit. In the end, only a few people are scapegoats for such crimes, although many more people can be blamed.

Double Standards: Are They the Product of Human Error?

Human processes and interpersonal cooperation in companies large and small can improve. C-level employees who are formally responsible for preventing or reacting to cybersecurity issues must be held accountable for the actions, or lack of acting. 

Still, they are not the only ones involved. While all employees must choose their actions carefully and put the organization’s needs before themselves, responsibility runs throughout the organization. It’s clear the attribution of the blame needs addressing.

It’s natural for humans to want a scapegoat in times of conflict. After all, someone must pay! Someone must be responsible! These are normal human reactions.

Cybersecurity is no different.

If an employee is accountable for a set of duties, they must be held responsible and act accordingly. Had Equifax had excellent communication between employees, and between departments, reporting the breach in May, June, or July, when the breach was occurring, the public condemnation against the organization would not have been as harsh. 

Equifax learned from their mistakes. In 2018, former IBM Chief Technology Officer Bryson Koehler joined Equifax. Koehler’s mission included increasing Equifax’s security framework and compliance, instilling sustainable business practices, and emphasizing the importance of investing in modern technologies to improve data security.

Solely Investing in Technology is Not Enough to Break The Double Standard

Cybersecurity is hands-on. End-user cybersecurity practices need to be followed and implemented across organizations, from the Chief Executive Officer to the temp receptionist. Everyone has a role to play, and everyone must take part. A chain is only as strong as its weakest link, and so too are organizations. 

Common cybersecurity practice double standards in the workplace include:

• Employees leaving their workstations and offices unlocked, but they would never leave their home unlocked while at work
• Employees sharing confidential work information with visitors, but they would never share information like their social insurance number or health issues with strangers
• Employees take time to respond to cybersecurity threats, but they would call the police if they found their home ransacked

Cybersecurity practices are just as essential to respond to as their physical counterparts. Employees need to act proactively to halt breaches before they occur. Once a breach occurs, the public will find out and overreact. Heads roll, and the public circus blames individuals for leaking millions of customers’ records.

The Scapegoat Double Standard

Equifax’s actions are not solely the responsibility of the Chief Security Officer. Everyone in the organization had a role to play, not just Mauldin. So why is she responsible? She is not, but the public needs a face to blame. When robbers steal money from a bank, security guards who fail to prevent the robbers from entering the bank do not go to jail. 

Scapegoating occurs in cybersecurity due to pressure. Everyone is pressuring the organization involved. The public wants answers, the government wants answers, and the media wants answers. Solutions in cybersecurity are not clean and simple, though, and neither should retribution. 

So how do we dole out responsibility proportionally?

The CARE System: Is It the Answer We Need?

Leading cybersecurity professionals have developed the CARE Standard for Cybersecurity. Here’s a brief breakdown of what this standard is trying to achieve:

• Consistent. Does a specific solution provide consistent results and controls?

• Adequate. Do you have the right level of controls in place based on your business’s needs?

• Reasonable. Does your solution have appropriate, fair, and moderate controls?

• Effective. Are the controls you have in place producing suitable results?

It’s no secret that the majority of large enterprises are heavily focused on achieving a high maturity level. But is this the right approach? And does a higher maturity level really mean anything without context?

The CARE system is designed to overcome these inconsistencies by relying on metrics and reports that work in line with governance processes and decision making. This outcomes-based approach drives key processes and investments based on how they impact the business in question.

How does it accomplish this? It leverages a system of continuous monitoring of these outcomes to allow for agile adjustments to cybersecurity priorities and investments.

The CARE framework has the potential to provide consistent results to businesses that adopt it, but larger change still requires the industry to reassess how it approaches cybersecurity in general.

The Solution to Cybersecurity Double Standards

Cybersecurity is all about agility, and larger companies are by their nature slower to respond than smaller companies. No company can know ahead of time if a hack is about to occur. Often, companies, like Equifax, only discover hacks and breaches after the incident has occurred.

The companies that respond quicker though incur less damage and less wrath from the public. Just like in non-cyber security situations, reacting quickly and taking responsibility leads to better outcomes.

Also, beyond active threat detection or prudent employees, companies need to adopt more transparent business processes and practices. Like data flow, communication must allow for greater cooperation between clients and companies and leaders within those companies. Keep in mind that cybersecurity activities are judged more by the company’s willingness to communicate than technical solutions. Communication is key.

The best cybersecurity systems and defenses in the world will not matter if the information is not shared, or actions are not taken to both prevent and react to breaches and hacks – look at Equifax. However, following cybersecurity best practices is the bare minimum a company should invest. Companies need to approach cybersecurity based on their needs and find integrated solutions to provide seamless security to clients and customers and within the organizations themselves. 

Why? Because cybersecurity isn’t a one-size-fits-all solution. Cybersecurity is complex. Industry-wide frameworks and standards seem great in theory, but rarely work in practice. The only way we can overcome the cybersecurity double standard is by reimagining how we approach cybersecurity in practice.

How M87 Is Working to Solve the Double Standard

Here at M87, we are firm believers in customization when it comes to cybersecurity solutions. We know that two businesses are the same, which is why we work to create personalized cybersecurity solutions for our clients.

Are you looking to improve your cybersecurity systems? Do you need help determining if your current solutions are capable of protecting your business?

M87 provides managed in-house cybersecurity services and consulting services to companies interested in improving communications flows and cybersecurity practices and infrastructure. Let’s remove those double standards from your company today, and work towards a more secure future for all.