Friday, June 19, 2026

Spending on cybersecurity is not the same as protection


This results in large security budgets that have little to do with improving security, and in managers who are out of touch with how security investments actually work.

According to Garner, the problem lies in two seemingly contradictory statements that can both be true at the same time:
• High spending on cybersecurity does not mean that we are well protected.
• Investments are needed if we want to achieve better protection.

“Investment” can mean putting more money, time and effort into moving from an old, less efficient process or control to a newer, more efficient one. The end result may be cost savings, but changes still require investment.

There are organizations that spend a lot of money on security and are terribly protected. There are others that have built an excellent level of protection on a very modest security budget. Fundamentally, money does not equate to protection, yet investment is absolutely necessary to improve protection.

However, budget approval is only the beginning of investment in cybersecurity. Value is created by spending the money to achieve outcomes in the environment. It is these outcomes that determine protection, not the money spent to achieve them. Just because we have bought and implemented some cool tools does not mean we have the best protection.

When managers confuse the size of the budget with the level of protection, the result is throwing money at the problem. This is how organizations with large security budgets end up with weak protection. It is worth identifying which behaviors reinforce the notion that spending on cybersecurity equates to defense.

Behavior to avoid:

1. Treat budget approval as a success

Many CSOs treat budget approval as a success. They build business cases, allocate funds, determine cybersecurity spending per asset, and report back to executives. This pattern reinforces leaders' confidence that the money buys them the best protection.

The director of information security reports at each board meeting on the money spent and the tools implemented. This creates a self-reinforcing cycle between the chief information officer and management: the CIO gets more money and is seen as successful, the executives believe they are getting better protection, so they give the CIO still more money, and so on.

This continues until the costs become so high that executives wonder what they got for the money, or until a major cyber incident hits the organization. In both cases, managers are disappointed.

2. “Money is not a problem. I can get everything I need.”

A recent WSJ article cites Howard Schmidt, Amazon's chief information security officer, who reports to the company's CEO. Andy Jassy is known for taking security seriously. "It really makes my job easier. Andy never gave up on anything I said was necessary to get the job done," Schmidt said.
https://www.wsj.com/articles/amazons-security-chief-keeps-focus-on-recruiting-and-retaining-talent-11670883520

This situation occurs regularly, especially in large companies with well-funded security programs. CIOs in this position usually say it with pride, because it is an indicator of management's confidence in them. Trust is good, but it also places a great deal of responsibility on the CIO. If something goes wrong, it is perfectly reasonable to ask why the CIO did not ask for something that could have prevented the incident. This expectation only grows when the security budget is well funded and managers equate spending with protection.

3. The primary motivation for investing in security is meeting cybersecurity spending benchmarks.

These benchmarks are a powerful tool for understanding where you are investing your money. If they are interpreted as a measure of protection, they lead to throwing money at the problem. Spending benchmarks should be used as leading indicators of underfunding. Alongside them there should be a story about what the CISO is doing with the existing budget and what the new budget will do to change the level of protection.

If you manage to move away from these three CISO behaviors, leaders may actively move away from the idea that "money = protection". The Chief Information Security Officer must do the following.

• Don't report money spent on tools without reflecting the resulting change in the level of protection.
• Manage the expectations of executives who approve budget requests because they trust their chief information officer.
• Don't rely solely on cybersecurity spending benchmarks to justify the need for better protection.

Ultimately, it is inappropriate for leaders to treat the CISO as the sole arbiter of adequate protection and simply give them whatever they ask for. Such behavior must be tempered by the understanding that security is a choice and a business decision. Managers should carefully consider the options the Chief Information Security Officer puts in front of them.

Sandra Loyd
Sandra is the Reporter working for World Weekly News. She loves to learn about the latest news from all around the world and share it with our readers.