What if the number of data breaches we see are injecting fear into those ultimately responsible for company losses? What if boards of directors and security leaders are unknowingly letting fear drive their decisions? What if those decisions lead to unnecessarily large security teams, ridiculous cyber budgets and every tool in the Gartner magic quadrant?
Those questions are perhaps hard to answer with any certainty, but let’s flirt with the ideas a little.
There are a few things we can be sure of. Boards and security leadership do not want to be at the helm when their companies suffer a data breach. So what do boards and security leaders do to try to prevent that from happening? Budgets and an arbitrary number of FTEs are set so the team can be expanded. What happens then? Well, we can all agree on one thing about budgets: there is an argument that because there is a budget, it all has to be spent. Technology is bought, teams are expanded.
So what is the result? Here’s one theory: those responsible for security spend money without genuine rationalisation or any consideration of ROI. For example, cyber risk appetite isn’t set and agreed at board level, or a quantified risk assessment hasn’t been performed, which means targets for the security control environment can’t be accurately set.
Without these items, how does one know where they are going in terms of spending and expanding? A gap analysis can be performed and weak controls can be identified. But just because weak controls are identified doesn’t necessarily mean they need to be improved.
For example, let’s say a gap analysis, self-assessment or other exercise identified data classification as the weakest security control. Well, that doesn’t automatically mean that this control needs to be improved. Perfect data classification in itself doesn’t actually improve security. Without other controls, such as DLP controls in email, cloud environments etc., the classification of data will not prevent secret or confidential information leaving the organisation. Besides, the organisation may not store customer, confidential or secret information at all. Context is key here, and this is one of the issues with compliance-led security or security frameworks which are applied as-is.
Once a security improvement programme has been established, security leaders are naturally inclined to show the board what return they are getting on their investment. A common way of demonstrating this is by using metrics or KPIs. Unfortunately, a security leader may be inclined to use a metric which demonstrates the largest growth since said investment, instead of one which demonstrates a clearer return on investment in terms of security posture improvements.
Getting back to one of the original questions: how is fear leading to failures in cyber security? Such fear leads to money being spent on the wrong things due to a lack of initial strategy planning or effective risk management. The ultimate hypothesis is that all of these decisions are made out of fear of answering to the regulator, the media and a company’s customers when an inevitable security breach happens.
‘But regulator, we recruited 50 more people in cyber and spent 500m on security in the last few years.’
A defensible position?
So what is the real root cause of such decision making? Fear is driven by the inability to identify the real risks the business faces and therefore the most important controls to focus on improving, which in turn leads to the inability to understand, calculate and articulate return on investment in cyber security.
How can we fix this?