The late-November news that a large hotel chain had suffered a massive hack, with data on as many as 500 million guests stolen, was an undeniable shock.
But within the information-security industry, it was hardly a surprise.
Despite consistent increases in security spending – a nearly 25% increase between 2017 and 2019’s projected worldwide totals, according to Gartner researchers – IT security professionals have routinely said they regard hacks and data breaches as virtually inevitable.
For the last two years, more than 90% of respondents in career surveys by the Information Systems Security Association (ISSA), a trade group for IT-security professionals, have said they believed that “most” organizations were either “significantly” or “somewhat” vulnerable to a damaging cyber attack.
“Board members don’t want to be the next headline,” said ISSA Board President Candy Alexander, herself an experienced chief information security officer (CISO). “But it comes down to the bottom line. Do we spend more money on development and services, or do we go ahead and strengthen our security? Only rarely is it the latter.”
Yet Alexander and other experts also stress that simply throwing money at the latest danger isn’t the right answer. To make organizations more secure, they say, IT security teams need to view threats and investment programs from a broader perspective.
Below, we examine a range of experts’ proposals that may help CISOs argue successfully for new resources, while also demonstrating that existing resources are being used effectively.
Assess the harm that has been avoided thanks to existing investments – but define harm appropriately broadly.
IT security teams seeking new resources should first show how existing programs have (or haven’t) worked. For example, a CISO’s team might plot the last year’s major threats, describe how the company’s current security measures addressed them, and quantify the savings produced by having such measures in place.
University of Kent Assistant Professor of Cyber Security Jason Nurse advises CISOs to think broadly in this regard, assessing past and potential damage using categories including reputational, physical, psychological and societal harm, as well as basic financial harm.
“A lot of attention is placed on the financial impact,” Nurse said. “But realistically there are other types of impact that result from a cyber attack. Identifying these could help convince a board that security is important even beyond the financial perspective.”
For example, this could include factors such as loss of customer or supplier confidence in the company, damage to physical infrastructure, the worry and fear instilled in employees or users, or increased societal distrust of important digital services.
Create a full-company risk assessment that compares IT security risks with other business risks.
IT security is fundamentally about managing risk. But mature corporations manage risk globally, not in isolation. Pitches for greater IT security resources should thus be made in the context of an organization’s overall risk profile, says RAND Corporation researcher Sasha Romanosky.
Romanosky’s work has shown that the cost of security incidents is often small compared to overall company revenue. To portray threats accurately, CISOs should therefore be integrated into an overall enterprise risk-profiling team tasked with normalizing risk assessments across the organization, he argues.
This in turn can help a security team make comprehensive and credible arguments for its specific goals, while tailoring those goals to meet overall corporate objectives.
“This isn’t just about getting money for the security group,” Romanosky said. “But you get better at understanding where risks fall across the entire firm.”
Shape IT-security programs around the organization’s overall corporate strategy.
ISSA’s Alexander also agrees that CISOs need to analyze their companies’ overall strategies, and develop security programs around concrete new programs or initiatives rather than general threats.
“There is often a lack of ability for CISOs to make the business justification and incorporate this into the business-planning cycle,” Alexander said. “They need to understand what the corporate goals are, and how their security plan will interact with that. When you appeal to the business case, that’s in line with the language that boards understand.”
In some cases, this may require IT-security teams to cultivate additional skills in order to understand the budgeting, marketing and corporate-strategy perspectives alongside the core technology issues. Industry peer groups and conferences can help them acquire the knowledge – and crucially, the language – needed to develop security programs in this way.
Ask whether past “best practices” regarding security budgets still make sense, and explain why they may not.
As a rule of thumb, corporate security budgets have tended to average around 5% to 8% of overall IT budgets.
Symantec EMEA-region CTO Darren Thomson notes that this is based on several assumptions: that the threat landscape is not becoming more complex, and that infrastructure requirements are growing at a reasonably steady pace. Neither of these assumptions is valid today, he says.
First, as attackers begin using machine-learning or artificial intelligence, or tapping vast, poorly secured internet-of-things networks, their attacks are becoming more sophisticated. Second, many organizations are now shifting to hybrid security systems that include cloud-based elements, producing parallel security environments that must be managed and maintained.
Additional pressures stem from the costs of complying with laws such as Europe’s General Data Privacy Directive, and the rising cost of salaries driven by a worldwide shortage of IT-security skills, he says.
Clearly identifying these cost drivers may help CISOs convince even non-technical board members to reexamine conventional budgetary wisdom.
Promote an organizational culture of security.
Many breaches are traceable to mistakes such as clicking on a well-crafted phishing email. The rise of Net-enabled personal gadgets has also resulted in employees increasingly bringing unsecured devices into the corporate environment.
The creation of an organizational culture of security thus offers potentially great returns in terms of mitigating risk – and is a goal that even the least tech-savvy board should be able to understand and support.
To be sure, this is no easy task. CISOs must work closely with other departments to create awareness, taking an “integrated psychological, technological and business approach,” Nurse said.
Nor does experience show a clear way forward. While simple scare tactics don’t seem to work, research provides no unambiguous answers regarding what does. However, training, continuous feedback, and sensitivity to employees’ different cultural contexts and responses all appear to be important factors.
An increasingly dangerous threat landscape makes it more vital than ever to bridge the communications divide that’s grown up over the years.