by Michael Gabriel

How much cybersecurity funding is enough – is it a bottomless pit?

Opinion
Sep 23, 2019
BudgetingData BreachIT Leadership

No matter how much you spend on cybersecurity, there’s no guarantee you won’t have a significant incident. How do senior management and the board know what makes sense?

budget piggy bank spending savings security spending
Credit: Getty Images

I was the corporate technology representative for an information risk committee meeting attended by senior level executives from finance, HR, legal, physical security, internal audit and our external auditors. External audit conveyed that they needed to brief the board on the potential cybersecurity threat. The problem was if this was conveyed before we had some response, all it would do is create concern and a probable fire drill approach that would not be productive.

Questions were raised around how to best convey our overall corporate cybersecurity status as well as across each division. The board awareness needed to happen asap, and I took on the task of leading the effort to define an approach within one quarter, otherwise the Board would need to be briefed by external audit regardless. The pressure was on, but it was both reasonable and necessary.

I interviewed some large well-known, as well as niche, cyber-focused professional services firms that all had established cybersecurity approaches, but all seemed very heavy in terms of both initial effort and ongoing upkeep. None provided the clear dashboard perspective we were looking to convey, and after a few weeks I hadn’t gotten anywhere other than to better understand what I didn’t think would work.  

A solid cybersecurity perspective needs to be looked at through a time dimensional lens

Fortunately, it was mid-December and I got an idea that hit me while once again watching the timeless “A Christmas Carol.” Now, we all know the best way to convey something is through a clear story, which is what Dickens did so well. And the wisdom of Charles Dickens’ approach with the ghosts of Christmas past, present and yet to come actually resonated with me! My own experiences reinforced that this was the perspective I thought we should convey, which covered:

  • The Past – What have we experienced in terms of significant incidents, and what have we learned and done about them?
  • The Present – What’s our risk relative to threats we’ve heard about in the news and what are we doing about them?
  • The Future – What do we need to worry about in the future based on business plans and evolving threats, and how does that impact our forward planning?

A continuing status update focused on key business impact metrics and initiatives, ideally on a basis that dovetailed into Board meetings, would be necessary to ensure that proper attention was focused based on relevant past, present and future perspectives. That certainly didn’t preclude immediate notifications and actions that could occur based on actual incidents or perceived threats, and those items would be included in the next status update. While this provided the time perspective on how we were doing, it didn’t address a point of reference needed for a methodical cybersecurity posture.

What is being used as the basis for determining cybersecurity risk?

Chenxi Wang, Ph.D., the Managing General Partner of Rain Capital and a Board member, provides guidance that the question to ask isn’t “how secure are we?” as that’s not based on any assessment framework,” and would just an opinion that’s based on individual perspective.  Understanding your security posture requires a combination of understanding both the threat matrix to your company and some basis for assessing your cybersecurity risk.

Dr. Wang states that “cybersecurity risk needs to be discussed in the context of other risks the business faces – all the significant risks of the company. How those risks are assessed as needing Board attention or not should be using a similar risk framework and assessed every 6 months or so.”

The simple analogy I often use relates to the security protection you decide to implement for your home.  You can have glass sensors on every window, and smoke, heat, water, carbon monoxide, motion detectors and cameras in every room. You can have multiple locks on every door.  You can have 24×7 monitoring and homeowner insurance. Yet no one can guarantee you won’t get robbed, your house won’t catch on fire or won’t be flooded. And while insurance will certainly mitigate your costs, your life will be disrupted for a long time, and you might never be able to replace some precious valuables.  Yet you decide how much insurance you need (based on what needs to be protected), and on how much is prudent.

It’s really no different from a business perspective. You might be legally protected from third party cyber incidents through legal contracts and covered financially with cyber insurance, but what’s the impact to your company reputation even with those protections?  How will it impact any of your ongoing processes, or your consumer or business relationships until remediated?

Your business risks and necessary protection will vary based on the type of business you have. As with your personal life, you need to decide which assets (data, system access, etc.) you need to protect?  And what is the impact if those assets are compromised?

At the conglomerate where I worked, we were comprised of different businesses even though they were all media related. The risks confronting a subscription TV/On Demand business differed from a live news organization, an ad supported broadcast network, a TV and movie production company, or the corporate parent entity. While we had standard Information Security policies across the entire enterprise, the degree with which they had relevance varied across business units.

What assets need to be protected in your company?

This requires you to think about what really matters to your company. Some areas to consider include:

  • Consumer information (whether in house or third-party managed for your company)
  • Regulatory compliance (including state and government, domestic and international), such as PII, PCI, GDPR, CCPA, HIPPA, etc.
  • Supply chain (digital or otherwise)
  • Brand reputation (including social media impact and public or B2B facing websites)
  • Intellectual property protection, including strategy and plans
  • Employee information (including confidential third-party personnel information)
  • Non-public financial and contractual information

To uncover this requires frank discussions with the all business leaders in every department – as well as with your external accounting firm. What information needs to be protected, and where is it located, including your third-party relationships?  What is being done outside of the technology department involvement in the Cloud?  Working with, and educating, business leaders and being in it together with them must be established. You must be able to build the trust that you’re there to help them and the business, and the risk tolerance is a business decision that you can help guide them on.

Cybersecurity frameworks and standards then need to be applied as a basis for determining where you stand. Some standards below can be considered but I would suggest rolling them up to convey a summary level status, and in a way that conveys the potential business and financial impact for current and future cybersecurity plans:

  • Center for Internet Security, Inc. (CIS) Critical Security Controls (CSC)
  • NIST’s Cybersecurity Framework (CSF)
  • SANS Top 20 Controls
  • The EU’s GDPR (General Data Protection Regulation)
  • The California Consumer Protection Act (CCPA)
  • ISO 27000 series (International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC))
  • National Association of Corporate Directors (NACD) Cybersecurity guidelines

How is your cybersecurity risk impacted by funding and how do you compare to your peers?

To continue with the Christmas Carol reference, financial diligence is crucial to determining your cybersecurity position and Ebenezer CFO has an important role to play (please don’t take offense, as he does turn out well in the end!)

There usually is some industry guidance on spending, such as the Financial Services Sector Cybersecurity Profile, that you can utilize for your spending assessment. I would explore which makes sense with your audit firm as well as with your key cybersecurity firms based on any industry expertise they might have (although they might not have any relevant to your industry or company structure).

But aside from that perspective, how does budget spending impact your situation? If your CFO, CEO or Board asked you these two questions, how would you respond? 

  • Do you need more funding for our cybersecurity program, and if so, how will that reduce our risk?
  • If you’re asked to cut 10% from our cybersecurity budget, how would that increase our risk?

So how much do we spend?  Do we approve that request for more resources, or the new artificial intelligence/machine learning (AI/ML) threat prevention tool?  How is risk conveyed in a business perspective?  A well-accepted best practice is to use a risk-based approach that seeks to determine if the cost of putting adequate precautions in place merits the potential risk impact. It can be a simple 4 quadrant perspective of low to high risk on one axis, and low to high cost on another, and can help you assess where your limited spending should go.

Unfortunately, as I learned at an IBM Executive Conference, people generally make decisions based on current certainties over future uncertainties. That’s supported by an article by Dr. David Rock in Psychology Today “A Hunger for Certainty – Your brain craves certainty and avoids uncertainty like it’s pain” that hits upon the principles of how we deal with certainty vs. uncertainty. We’re wired to automatically avoid uncertainty and explains why we prefer current things we know over future things that are less immediately negative for us. It explains the resistance to an increased current financial cost increase versus the uncertainty of whether and when we’ll have a cybersecurity incident and what that financial impact will be.

I have many examples of CISOs who have been asked whether their request for additional resources will occur again next year or in a few years. The CISO can’t really say, as both internal and external factors can impact the answer. I advise them to ensure that they convey the reason driving their request – is it a company-controlled event, such as acquisition integration costs taking their new venture to a n improved security profile?  If so, the decision is to be made whether those changes are business justified, as that’s a business decision. Or is there a new business extension (such as direct to consumer) that has created cybersecurity impact?  Or a new business location that needs to be secured?  The business needs to feel like it has some control, and is not just a victim, over these decisions. That can only be made with a proper assessment framework and understanding of how the business is impacted by potential cybersecurity incidents vs. preventative mitigation costs.

Since the likelihood of having some type of cybersecurity incident is high, you also need to be prepared for an incident response – operational, statutory, and public facing. This is all impacted by the specific incident, your type of business, how you’re technically structured, your third-party dependencies, and the potential impact of different types of cybersecurity events. This can also be treated in the similar risk-based approach defined above.

The straight talk

Cybersecurity isn’t a black hole of funding unless you let it be treated that way. There are tradeoffs and tough decisions to be made that you’re accountable for as a senior executive. You need to be ready to answer questions around the organization’s cybersecurity maturity and the frameworks established to manage emerging threats. You should ensure that cybersecurity status is framed similarly to how other business risks are managed, in terms of the impacts potential security incidents have on the business assets.

Partner with your CFO and CHRO (and COO if you have one), as well as with your Chief Legal Officer, internal or external audit, to help provide a basis for this. Being able to succinctly explain the potential risk, and the cost of mitigating it, in business terms is your responsibility as a CIO/CTO/CISO. While some executives dislike seeing cybersecurity issues documented for reasons that may be financial, legal or political, sticking one’s head in the sand doesn’t avoid the oncoming train about to hit you. It’s your fiduciary responsibility to convey this responsibly in a business understandable perspective, and to build proper stakeholder support since it’s not your issue but one for your company.