What Have You Got to Lose?
@Tom Foremski wrote an opinion piece titled “A dismal industry: The unsustainable burden of cybersecurity,” and I’d like to comment on his opinion.
To begin, Mr. Foremski’s detracting commentary about cybersecurity increases distrust in the often-fragile relationship between IT practitioners, cybersecurity engineers & analysts, and non-technical executives & members of the C-Suite.
The primary purpose of cybersecurity is the protection of a company’s operational systems, corporate financial systems, and valuable data assets – including customers’ data (both B2B and B2C customers).
If everyone followed the rules and procedures, we would not need to spend a single penny on cybersecurity. But not everyone follows the rules and procedures.
An analogy is society’s need for police officers. If drivers did not speed, if property were not stolen or damaged, if people refrained from harming one another, we would not need law enforcement officers. Yet because people continue to break the law and infringe on the safety and peace of others, we need those officers.
Additionally, why is it that in some cities with a strong police force the crime rate does not fall (and may even increase)? Would Mr. Foremski write next “A dismal industry: The unsustainable burden of law enforcement”?
There is an analogy between local law enforcement and cybersecurity personnel. Police protect the personal safety and property of the local community, while cybersecurity personnel protect the corporate safety and property of the company community. (Please allow me some latitude; I clearly understand that the personal risks accepted in police work are nowhere near the same…)
Consider Tom’s statement: “We are spending more while losing even more. It's an unsustainable trend. This is not cool.” Staying with my law enforcement analogy, should we stop having police officers enforce the laws or provide safety? Lawlessness and drivers speeding through school zones are also “not cool.”
We all agree there are inefficiencies as to how we manage cybersecurity, application development, and IT, so let’s work to find better integrated ways of working. Are we fighting a losing battle? Maybe. But the only way to win is when there is minimal incentive for hackers. We cannot reward their actions. Hacking is their business, and they also evaluate the ROI metrics of their hacking tools.
I am not suggesting that spending more means you get more – or better – protection. I have seen firsthand companies engage vendors for cybersecurity solutions, yet because a vendor will only accept responsibility for its own product, there is often a shortfall in meshing a single solution with other applications and solutions.
Further, when there is a lack of leadership from a company’s executives, individual business units are “allowed” to seek a cybersecurity solution that meets their own requirements while failing to identify an appropriate solution for the entire organization.
From a holistic perspective, this type of IT and security fragmentation creates significant gaps in interoperability across the organization. As a result, both the department and the company realize minimal ROI while potentially creating a greater risk of attack.
Let’s get back to the root causes...
~25% of attacks are the result of human error
~28% of data breaches involved internal actors
~30% are the result of unpatched known vulnerabilities
These are the primary weaknesses that allow hackers access to what should be protected data. In recent years, by investing in cybersecurity, educating employees, and implementing improved technology solutions, we have increased the odds of successfully defending assets.
I know this because my company proved the effectiveness of the triad of people, process & technology. In 2016, a customer of ours with 330+ devices and a unified technology solution realized a 90%+ reduction in security incidents and 90%+ remediation resolution time over the first 12 months. This increased the level of effectiveness of their security team and reduced their need to add more personnel.
In comparison, another company failed to deploy our security solution and had a lax approach towards employees using company computers and internet access for personal use and social media. A single phishing attack took down the company and required three days for operations to fully recover. The total cost of around-the-clock recovery efforts and the downtime of 70 employees was estimated at almost $1,000,000. Add to that figure the potential business loss from reputational damage and potential penalties for customer data being taken, and the total is likely well into seven figures.
Is it cost-effective to pay a cybersecurity company a monthly fee to reduce 90% of the threats, increase your effectiveness, make you a secure partner for your customers and vendors, and reduce the risk of lost productivity, punitive penalties, and damage to your corporate/brand reputation?
To answer that question with a question – What have you got to lose?