Peanut butter budgeting for cyber security -- and why it doesn't work.
The economics of cyber security are completely lopsided. There are a seemingly infinite number of cyber security risks out there, with more and more popping up every day. Hackers appear to have unlimited resources, and cybercriminals are literally reinvesting their lucrative profits into new and innovative ways to exploit, extort, and steal from your organization.
But... in order to foil, frustrate, and impede the nefarious schemes of these very well-equipped and well-funded adversaries, we as cyber security professionals are grudgingly allocated a hopelessly limited budget, the meagerness of which we are then asked to stretch ever so thinly across every conceivable threat vector out there in order to assure the business (management, executives, and the board) that "We’re doing everything possible".
If this scenario seems familiar -- and not just because it reminds you of the plot of Mission Impossible -- you’re not alone.
A CISO I know explained the problem to me in this way, "I’m given a cyber security budget the size of a jar of peanut butter and then I’m asked to spread it equally and evenly over an attack surface about the size of the moon. The worst part isn’t that it’s impossible, it’s that I’m going to be held accountable when it fails".
Unfortunately, you’re never going to get enough Jif to do the job right so long as the business continues to think of cyber security as an IT problem -- rather than the real, enterprise-level, risk-management problem it truly is.
Changing the Rules
It may seem a no-win situation, but maybe not. As Captain Kirk taught us when he became the first person to ever beat the Kobayashi Maru test (whenever we geeks need leadership guidance, we should always look to James T. Kirk), "If you can’t win the game, then change the rules".
When it comes to cyber security budgets and priorities, these are the game-changing conversations CISOs need to be having with the business:
No more "sensational" headlines, please! It doesn’t matter what cyber security risks you saw on CNN that threaten other organizations, so please stop sending me all of those "interesting stories" to read. What matters most are the specific risks that threaten our organization. These are the ones we need to talk about and focus on. All too often, non-technical executives get distracted and caught up in the dramatic media-driven "breach of the month" horror stories and lose sight of what the specific and probably mundane-sounding threats are to their own organization.
Prioritize the crown jewels. What are our most critical digital assets that we must protect, and how should we prioritize our security strategy accordingly? These crown jewels may include the obvious ones: customer credit card information for a retail organization, the source code for a software company, or personal health information for a hospital. But they may also include not-so-obvious ones, such as a file share with detailed merger and acquisition documentation that only the finance department is aware of. Without context, IT can’t make these decisions; only the business can intelligently direct and prioritize, or, at the very least, understand that they need to be involved in the discussion.
If we can’t see it, we can’t protect it. Do we have in place the full visibility and tools we need across the network and enterprise to monitor and protect what is most valuable and most vulnerable? If not, then funding these initiatives needs to be an enterprise-wide, strategic priority. Business leaders need to understand that cyber security is no longer a cost of doing business; it’s a cost of staying in business and, therefore, needs to be appropriately funded. The only way to do this is to have leaders calculate the financial impact of the identified risks and work together to prioritize solutions accordingly.
Aim to Super Size That Jar of Peanut Butter
Business leaders like to discuss the bottom line. Unfortunately, they often see cyber security as a cost center because they don’t fully understand the impact that an attack or breach could have in real financial terms or the competitive advantages they could gain from earning and maintaining "trust" in the marketplace. It’s on us as cyber security professionals to change their perspective and challenge their assumptions by engaging them in these game-changing discussions.
In the end, we may only get a slightly bigger jar of peanut butter, but at least we’ll know exactly where best to spread it in order to make it stick.
Kevin Magee is a sales hacker with over two decades of experience as an entrepreneur, sales executive and cyber security professional. A member of the Gigamon Canada team, Kevin leads sales for the Province of Ontario helping customers from across the Financial Services, Insurance, Retail and Public Sector industries to successfully adopt and implement enterprise-wide Security Delivery Platforms.