The six C's that kill cybersecurity programs

Why is it that the world is spending more and more on cybersecurity and losses continue far outpace investment?  Why is it that many, if not most, organizations are struggling or failing at part of - or all of - their cybersecurity efforts, particularly any kind of proactive security initiatives?

I have a theory. Let's call it the six killer C's. 

Culture

For far too many organizations, cybersecurity, if thought of at all, is thought of as an IT department problem.

It's not.

Modern cybersecurity is a pan-organization issue and requires new approaches from the top right down to bottom of the organization chart. C-suite executives must believe - and be seen to believe - in the importance of doing business securely.

Involving the entire organization means that the human part of cybersecurity, so often overlooked in favour of the false promise of security technology silver bullets, shifts from a liability to an asset. Properly engaged, aware and trained employees become an integral part of an organization's cybersecurity detection and response mechanisms. 

Organizations of all types need to treat cybersecurity the same way that progressive, responsible manufacturers, construction companies and more treat physical employee safety - i.e. it's ingrained into the organization's cultural DNA.

Wouldn't it be nice to see organizations internally publicize that it's been 365 days since a significant cybersecurity incident? Unfortunately, with the approach many - if not most - organizations take to security, such a sign is a fantasy. 

Complexity

With cybersecurity all-to-often left as the domain of IT, the next killer C, complexity, comes right after culture.

Doing things securely often means adding steps, or layers to systems and processes. At a fundamental level, this runs counter to what many IT shops see as their core mission - providing their organizations with robust services at ever decreasing costs that increasingly make companies more efficient and employees more productive. 

Complexity also comes into play when IT resource managers attempt to size effort required to proactively improve security. Proactive security often requires a great deal of up front work sizing the problem and ensuring the correct solution, time that doesn't show a huge return on investment immediately. Given the pressures many IT shops face (particularly in health care and education) to keep the lights on, initiatives that can seem like they will take too long and too many resources for uncertain gains are seen as difficult to justify. Or in some cases, for initiatives that will have a mild negative impact on client experiences as a trade-off for security, are seen as not welcome. 

Unfortunately, this kind of short-term thinking ignores the impact of an adverse security event, which can be even more costly to internal IT shops as all resources are poured into putting out a fire, investigating and then properly securing applications and systems. 

Conflict of Interest

Complexity also feeds another of the killer C's - conflict of interest. IT shops that don't have an appropriate separation of duties between IT operations and security will easily fall into this trap.

Whether it's not dedicating resources to proactive security because of questions around value, or whether its brushing discoveries of vulnerable systems under the digital rug and not looking into possible exploitation, it's abundantly clear in much of the literature and training on cybersecurity that separation of duties is a critically important function.

Unfortunately, many small, medium and some large-size IT shops believe they can't afford to fully implement organizational models that separate security and operations. The reality is they can't afford not to. 

Cash

Complexity and conflict and interest both lead well into the third killer C: cash. Doing things securely, whether it's investing in the proper mix of security tools (NGFW, NAC, SEIM, Anti-Malware), people (dedicated security teams with adequate training), or processes is expensive. 

The high cost of doing business securely online creates situations where organizations take what they believe to be calculated risks when it comes to cybersecurity. 

Take the famous case of Sony Pictures' IT security chief Jason Spaltro, who told CIO magazine in 2007 that "It’s a valid business decision to accept the risk” of a security breach. “I will not invest $10 million to avoid a possible $1 million loss." 

Turns out, Sony Pictures 2014 hack cost a heck of a lot more than $1 million, with Sony estimating the full-year cost of investigation and remediation at $35 million. 

How much that loss actually hurt Sony or how much they cared about the breach is questionable, particularly given their statement in a February 2015 filing that:

"Sony believes that the impact of the cyberattack on its consolidated results for the fiscal year ending March 31, 2015 will not be material". Given that Sony Pictures still had an operating profit of $460 million, they may have a point. Still, one has to wonder if shareholders feel that same way about preventable losses in the tens of millions of dollars. 

Complacency

The fifth C, as illustrated quite well by the Sony Pictures hack (but hardly exclusively), is complacency. In the end, the growing wave of cybercrime losses globally clearly shows that while security investment is set to double over the next five years, cybersecurity isn't still truly a priority for far too many organizations. 

That may change however as regulatory costs such as fines and penalties are levied by government agencies on corporations shown not be be exercising due diligence in cybersecurity and as more and more jurisdictions pass mandatory breach reporting laws. 

It may become a priority for companies as they realize that customers will likely leave brands that suffer a breach, with one recent survey stating that two-thirds of customers would reconsider doing business with a company if their financial information was exposed. 

Corporate attitudes towards cybersecurity may also change as shareholders become increasingly intolerant of preventable losses due to cybercrime and hold CEOs, CFOs, CIOs (and not just CISOs or security staff) responsible and accountable for such losses. 

Communication

Helping the c-suite understand their cyber risk is a daunting task. First, executives deal with an basket full of risk every day with nearly every decision they make. They need to be given specific, meaningful, accurate, relevant and timely metrics and key risk indicators that they can use to measure, manage and monitor their cyber risk. 

Helping organizations overcome the six killer C's is one of the key objectives of our new cyber risk measurement and management platform, Beauceron. If you want to see how Beauceron can help you organization, request a demo today!

Communication doesn't just mean getting information to and from the C-suite. Truly effective cybersecurity communications help engage the entire community and can help individuals understand the important role they play in protecting themselves and the whole organization from an ever-increasing variety of threats.  

This post was written by David Shipley, CEO of Beauceron Security. The original version, The Five Killer C's of Cybersecurity was published in January 2016 on LinkedIn and generated many comments and suggestions, including the addition of a sixth C, Communications, an excellent suggestion by Charlie Timblin, CRISC, CISA.