Despite rampant cybercrime, many organizations have failed to invest more than the bare minimum in cybersecurity or do so without a clear strategy.
About a third of business leaders say they don’t have the C-suite support they need to adequately invest in cybersecurity, according to a May 2022 ThoughtLab survey co-sponsored by ServiceNow. In fact, when respondents were asked what cybersecurity concerns worry them the most, a lack of support and prioritization of cybersecurity was at the top.
Larry Clinton, president of the Internet Security Alliance, says business leaders have been deferring cybersecurity investments for years. “Over the 20 years I’ve been in cybersecurity, executives have constantly said they’re going to wait for ‘the big one’ to hit before investing more money in security and thinking hard about strategy. Well, the big one has already hit,” he says, citing the 2017 Equifax data breach, one of the largest data breaches in history, which compromised the personal information of 150 million people.
More recent examples include the increase in cyberattacks during the pandemic; ransomware attacks like the Colonial Pipeline hack, in which a Russia-linked cybercrime group took down the largest oil pipeline in the U.S.; and the log4j vulnerability, which left companies in diverse industries scrambling to patch their systems last December. Because so many systems and assets are connected, and companies have so many programs and devices on their networks, attacks always have the potential for wider-reaching impact. For this reason, the U.S. Federal Trade Commission issued dire warnings about future threats and pledged to take legal action against companies that didn’t learn lessons from these repeated attacks.
Cybercriminals have demonstrated their ability to penetrate the vast majority of the networks and systems we use every day. For example, it takes most hackers around two days to break into the average company’s internal systems by guessing an employee’s password or bypassing the company’s security, according to a 2021 report by cybersecurity firm Positive Technologies.
Moreover, new technologies and business models are making it harder for IT departments to secure assets ranging from computers and phones to medical devices, manufacturing systems, and cloud applications. “Digital transformation and cloud computing are fabulously cost effective—but very risky,” says Clinton.
Given that digital operating and business models are increasingly required for business success, this is a risk worth taking, argues Barbara Kay, who has worked in security and risk management for close to 20 years and currently leads risk, security, and ESG product marketing at ServiceNow. “We have enough experience to understand the likely risks,” says Kay. “The issue is making it a key element of transformation planning and implementation, so risk management is baked in from the beginning, not retrofitted.”
Lack of support hampers spending
Increased cybersecurity spending can be a tough sell because it’s inherently a future cost-saving measure—not a revenue-increasing one. Hiring a penetration-testing vendor to try to break into the company’s systems, for example, reduces the risk of a future incident, but doesn’t sell more products.
“On the other hand, if an engineering team asks for money to build a new product and the product sells, it’s easy to show the CFO that the investment paid off,” says Lawrence A. Gordon, professor of managerial accounting and information assurance at the University of Maryland.
CISOs often try to win over CFOs by telling them they must invest in security to avoid a future breach. But it’s difficult to calculate the probability that a breach will actually occur or what the damage might be. When it does happen, it might be very painful for a company, but it’s rare that it would go under as a result. “Look at Equifax,” says Gordon. “The value of their shares dipped momentarily, but they recovered fast.”
Yet the damage caused by a breach can go beyond just pummeling a company’s share price or reputation. It can result in significant business disruption, expensive victim compensation, and high recovery costs. With many companies suffering multiple breaches a year, these costs are becoming significant. In ThoughtLab’s research, companies with multiple breaches had slower detection and response times than those with one or none—representing additional risks and higher costs.
When strategy met bias
When security executives do get the budget they need, they can still fall prey to common biases that impede strategic thinking, says Alex Blau, a vice president at behavioral economics consulting firm ideas42. Executives often view cybersecurity as a discrete problem that they need to think about once a year or once a quarter rather than continuously. This misperception leads many organizations to underinvest in security. In reality, the threat landscape is in constant flux, so there’s no such thing as a one-and-done cybersecurity investment. “Tomorrow’s vulnerabilities are going to be a lot different from today’s,” Blau warns.
Executives, like everyone else, use heuristic thinking to solve complicated problems. A heuristic is simply a logical shortcut, like an analogy or an analytic framework. “When we’re presented with a difficult question, we replace it with a question that’s easier to answer,” Blau explains.
While heuristics can help us attack common problems more efficiently, they don’t always yield accurate results. In cybersecurity, for example, executives often use military analogies to define their strategy, Blau says. Like medieval generals repelling a siege, they respond to external threats by reinforcing their castle walls. Such heuristics are seductive but misleading, because cybercriminals are constantly changing tactics to evade defenses and an organization’s assets are constantly evolving as well.
So-called status quo bias also hampers strategic thinking, says Blau. If leaders don’t know that they’ve been the victim of a data breach or that their system has a vulnerability, they might think their defenses are working fine. In reality, they might not have detected the bug or attacks that have already happened.
Reasons for optimism
Some experts are still optimistic that executives will start taking cybersecurity more seriously. According to the ThoughtLab survey, most organizations do plan to spend more on cybersecurity in 2022. Some industries, like telecommunications, insurance, and media/entertainment, are now spending around 15% of their annual IT budget on cybersecurity. “Executives are starting to increase their spending, even though they’re still not spending adequately,” says ISA president Clinton.
Cyber-risk frameworks can help executives use that money wisely. The National Institute of Standards and Technology (NIST) regularly updates its framework of standards and best practices for improving cybersecurity. The framework lays out five functions an organization must perform in order to secure its assets: identifying people, systems, assets, and data; protecting critical services; detecting vulnerabilities; responding to attacks; and recovering post-attack. NIST emphasizes that these five functions are not a step-by-step checklist, but rather a series of actions that must be performed continuously.
Another widely used framework, Factor Analysis of Information Risk, provides a quantifiable way of thinking about cyber risk. It provides a taxonomy that enables analysts to classify the kinds of risks their organization faces, a framework that helps them collect relevant data for risk analysis, a mathematical model for evaluating potential future risk, and general guidance on how to measure risk.
Both frameworks emphasize risk-based programs: invest where the greatest potential impact is. This may be why, according to the ThoughtLab survey, risk assessment was the second most effective cybersecurity investment, and the top area for investment in the next two years.
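As an added illustration of the two paragraphs above (not code from the article, from NIST, or from the FAIR standard's own tooling), this Python sketch applies FAIR's top-level decomposition, loss event frequency times loss magnitude, to rank constructed loss scenarios by expected annual loss and then rank the controls proposed against them by net benefit, which is the "invest where the greatest potential impact is" rule in practice. It uses single point estimates where a full FAIR analysis uses calibrated ranges and simulation; every scenario, control and dollar figure is made up.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:
    """A loss scenario described with FAIR's top-level factors as point estimates."""
    name: str
    threat_event_frequency: float  # expected threat events per year (TEF)
    vulnerability: float           # probability a threat event becomes a loss event
    primary_loss: float            # direct cost per loss event, e.g. recovery (USD)
    secondary_loss: float          # follow-on cost per event, e.g. fines, compensation
    def loss_event_frequency(self) -> float:
        return self.threat_event_frequency * self.vulnerability  # LEF = TEF x Vuln
    def annualized_loss(self) -> float:  # Risk = LEF x (primary + secondary loss)
        return self.loss_event_frequency() * (self.primary_loss + self.secondary_loss)

@dataclass(frozen=True)
class Control:
    """A proposed investment that removes a fraction of one scenario's vulnerability."""
    name: str
    scenario: str
    annual_cost: float
    vulnerability_reduction: float  # fraction of vulnerability removed, 0..1

# Constructed sample figures for illustration only; real inputs come from the organization's own data.
SCENARIOS = [
    Scenario("ransomware on production systems", 4.0, 0.10, 2_000_000, 500_000),
    Scenario("credential phishing of staff", 50.0, 0.02, 50_000, 150_000),
    Scenario("unpatched public web application", 20.0, 0.04, 300_000, 700_000),
]
CONTROLS = [
    Control("offline backups and segmentation", "ransomware on production systems", 150_000, 0.5),
    Control("phishing-resistant MFA", "credential phishing of staff", 60_000, 0.9),
    Control("pen-test and patch SLA", "unpatched public web application", 100_000, 0.6),
]

def rank_scenarios(scenarios):
    """(scenario, expected annual loss) pairs, highest risk first."""
    return sorted(((s.name, s.annualized_loss()) for s in scenarios), key=lambda r: -r[1])

def rank_controls(scenarios, controls):
    """(control, annual risk reduction, net benefit after cost) rows, best first."""
    by_name = {s.name: s for s in scenarios}
    rows = []
    for c in controls:
        before = by_name[c.scenario]
        after = replace(before, vulnerability=before.vulnerability * (1 - c.vulnerability_reduction))
        reduction = before.annualized_loss() - after.annualized_loss()
        rows.append((c.name, reduction, reduction - c.annual_cost))
    return sorted(rows, key=lambda r: -r[2])
```

With these figures the largest single risk (ransomware) is not the best first investment; the web-application control removes the most expected loss per dollar, which is exactly the kind of answer a risk-based program wants the numbers to surface.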
Clinton acknowledges the importance of security frameworks, but adds that the entire organization needs to be involved in cybersecurity. Relegating security responsibilities to one or two departments, rather than spreading them across the organization, is counterproductive because every department faces cyber risk and should play a part in preventing it. “This is not an IT issue,” says Clinton. “It’s an enterprisewide, risk-management issue. The entire organization needs to be involved. This requires a mental paradigmatic shift.”