Board Members – Stop Wasting Investors’ Money on Cybersecurity!

Jan 23, 2023


Introduction

Pick your favorite business publication, magazine, research resource, top consultancy, or even your local butcher or baker, and you will hear the same story. The data, systems, and devices that create, receive, maintain, or transmit sensitive information have exploded in all industries and their supply chains over the last two decades. And they are under attack. Cyber attacks are increasing in acceleration, velocity, frequency, and severity.

Leaders and boards must deal with a perfect storm, a confluence of forces. The world economy is wrestling with higher interest rates and a potential recession, putting pressure on all organizations to cut costs. Geopolitical tensions with Russia, China, North Korea, and Iran are likely to increase the number of cyber-attacks. Cyber liability insurance lines have been hardening; Mario Greco, chief executive at insurer Zurich, recently told the Financial Times that cyber-attacks are set to become uninsurable.[1] Combined with the SEC’s proposed Disclosure Regarding the Board of Directors’ Cybersecurity Expertise, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), and a new push for additional mandatory cyber security regulations,[2] protecting organizations’ vital digital assets is more complicated than ever.

The good news is that C-suites and boards are engaging in cybersecurity discussions and oversight. Ostensibly more good news: Gartner forecasts that “spending for the information security and risk management market will grow to $172.5 billion (current U.S. dollars) in 2022, with a constant currency growth of 12.2%. The market will reach $267.3 billion in 2026, with a constant currency CAGR of 11.0% (2022 to 2026).”[3]

The bad news is that suboptimal and fundamentally bad decisions continue to be made about how and where to spend limited cyber security budgets. Something is not working: spending is up, and breaches of the confidentiality, integrity, and availability of data, systems, and devices are up even more!

In a survey conducted at the 2022 RSA Conference, 73.48% of organizations surveyed feel they have wasted most of their cybersecurity budget on failing to remediate threats, despite having an over-abundance of security tools at their disposal.[4]  Only 13.81% of those surveyed indicated they wasted no money at all.[5]

In this post, I will explore the dismaying reality that cybersecurity funding is being squandered and suggest some specific actions management and the board can take to stop or minimize this waste of investors’ money.

The Challenge

How and why is cybersecurity funding being wasted? There are many potential reasons, all of which should be investigated in your organization. Following are four of the top reasons:

  1. Too many new shiny objects/tools can add to the complexity stressed security teams are already facing. Investments are being made in tools without appropriate prioritization. According to one study, mature security organizations have deployed, on average:
  • Small business: 15 to 20 security tools
  • Medium-sized companies: 50 to 60 security tools
  • Enterprises: over 130 security tools[6]

Does your organization have the talented individuals to master all these tools? Does your organization have the staff to respond to the alerts/alarms generated by these tools? Alert fatigue is a real thing. Underutilized, excessive tools can waste both money and time. A Foundry Security Priorities Study found that the proliferation of tools can actually increase risk and complexity without improving outcomes and, ultimately, can reduce the return on investment, too.[7]

  2. Comprehensive, enterprisewide risk analysis is not being performed. I regularly encounter organizations conducting good work in threat and vulnerability identification. Identifying threats and vulnerabilities is easy, especially with the overwhelming number of available tools. Unfortunately, these two factors are only two of the five that must be considered in evaluating business risks emanating from cyber. Organizations must conduct risk analysis starting with their digital or information assets. Then, identify all reasonably anticipated threats and vulnerabilities. A risk exists only when a risk scenario, or triple, comprising an asset, a threat, and a vulnerability exists. Once a triple is identified, it must be evaluated by taking into account the likelihood of that threat exploiting that vulnerability and the impact were it to happen. From those values, risk can be assessed and prioritized. The processes described in NIST SP 800-39 Managing Information Security Risk and NIST SP 800-30 Guide for Conducting Risk Assessments[8] cover risk analysis and risk management in detail. Most organizations do not come close to conducting a fundamental risk analysis, which includes consideration of all five factors: assets, threats, vulnerabilities, likelihood, and impact.
  3. There is not enough emphasis on filling risk management positions and too much on security operations, architecture, and engineering jobs. Organizations must develop and execute a cybersecurity strategy. However, a reasonable and appropriate cybersecurity strategy can only be set once an organization understands its unique risks. Therefore, the first macro step is establishing, implementing, and starting to mature your enterprise cyber risk management program. This step enables an actual risk-based program and not one based on controls-checklists, journalists’ trends, threats, vulnerabilities and controls du jour, or opinions and emotions.
  4. There needs to be less reliance on controls-checklists and threats, vulnerabilities, and controls du jour. Cyber risk management and, therefore, cybersecurity is not one-size-fits-all. You can’t achieve cybersecurity by engaging in a technical controls arms race. Implementing someone else’s controls-checklist results in needless expenditures, duplication, and redundancy. Please do not misunderstand me; I understand the importance of controls. Your cybersecurity program aims to implement reasonable and appropriate controls to ensure your risks are rated below your risk appetite. Controls (also called safeguards or countermeasures) are the tools your organization uses to mitigate risks to an acceptable level. As I wrote in the preface to my book, “the single biggest deficiency I have observed is the failure of organizations to invest in cybersecurity based on their unique risks. You must start with your unique vision, mission, strategy, values, and services, examine all your unique data, devices, and systems that support your unique business, and then identify all your unique cyber exposures across your entire enterprise. This failure to identify your unique risks usually leads to a one-size-fits-all, checklist-based approach to cybersecurity. The upshot is overspending to treat perceived risks and underspending on your real risks.”[9]

The Solution

Do not cut cybersecurity spending!  That’s not the solution.

Board members, the following are five (5) actions to consider requiring management to undertake to stop wasting investors’ money on cybersecurity:

  1. Formalize Governance. Establish a governance structure that clearly articulates who makes what cyber risk management funding decisions and how and when using what data and facts. A critical part of governance is establishing how to undertake cyber risk management. This includes making the crucial decision that your approach will be risk-based. See Getting Started with Enterprise Cyber Risk Management (ECRM) | Overseeing the Development of Your ECRM Framework and Strategy for information about the importance of governance and how to establish it.
  2. Develop a Short Game and Long Game. There are must-implement cyber security controls. For example, suppose it’s time to renew your cyber liability policy. In that case, you may be faced with a list of must-implement controls like these cited in a recent JDSupra article: Phishing-Resistant Multifactor Authentication (MFA), Expanded Privileged Access Protections, Frequent Security Awareness Training, Rapid Patching for Critical Vulnerabilities, Extended Detection and Response (XDR), 24/7/365 Security Monitoring, and Isolated and Immutable Backups.[10] These items must be part of your short game. Implement what you must implement at a level appropriate for your organization.

Your long game must take a more strategic view and focus on establishing your enterprise cyber risk management (ECRM) program as a transformational endeavor. This involves developing and maturing strategic capabilities, including governance, people, process, technology, and engagement. In this strategic work, you designate and adopt an ECRM framework, an ECRM process, and an ECRM maturity model, among other tasks. Refer to Chapter 6: Set ECRM Strategic Objectives and Chapter 7: Take Six Initial Actions to Establish or Improve Your ECRM Program in Stop the Cyber Bleeding to get started.[11]

  3. Prioritize expenditures by leveraging comprehensive enterprise risk analysis. If there was ever a time for prioritization of cyber risk management activities and cyber security tasks, it is now. The single best way to prioritize your cybersecurity spending is to focus on those risks that are above your risk appetite. To identify those risks, conduct a comprehensive, enterprisewide risk analysis. If that seems overwhelming, prioritize your risk analysis work by starting with your “crown jewel” information assets. What are those information assets without which you could go out of business?

Simultaneously, stop implementing new systems and applications without formal “authorization to use/operate.” Check out my blog post, Tips to Effectively Fund Your Enterprise Cyber Risk Management Program (ECRM), for more information. Applying the principle of authorization to use/operate will stop you from building what I describe as “ECRM debt.” Think of ECRM debt as dollars that should have been spent on managing cyber risk but were instead spent rapidly implementing new data solutions, systems, and devices without paying attention to cyber risks. In healthcare, risk analyses must follow the Office for Civil Rights (OCR) Guidance on Risk Analysis Requirements under the HIPAA Security Rule.[12]
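The five-factor analysis from item 2 of The Challenge (asset, threat, vulnerability, likelihood, impact) and the rule just stated (spend first on risks above your risk appetite) can be made concrete in a small risk register. The following is an added example, not code from this post, from the author’s book, or from any ECRMS product; the 5-point ordinal scales, the likelihood-times-impact scoring rule, the appetite threshold of 12 and the sample scenarios are all constructed assumptions for illustration.

```python
# Added example (not the post's or author's code): a minimal risk register
# that treats a risk as an asset/threat/vulnerability triple rated by
# likelihood and impact, in the spirit of NIST SP 800-30. The scales, the
# scoring rule, the appetite and the sample scenarios are all assumptions.
from dataclasses import dataclass, replace
from typing import Iterable, List, Optional

SCALE_MIN, SCALE_MAX = 1, 5  # assumed ordinal scale for likelihood and impact


@dataclass(frozen=True)
class RiskScenario:
    """One risk 'triple' plus the two factors that turn it into a rated risk."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 = rare ... 5 = almost certain
    impact: int      # 1 = negligible ... 5 = severe

    def __post_init__(self) -> None:
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be {SCALE_MIN}..{SCALE_MAX}, got {value}")

    @property
    def rating(self) -> int:
        """Risk rating on a 1..25 scale: likelihood x impact (assumed scoring rule)."""
        return self.likelihood * self.impact


def prioritize(register: Iterable[RiskScenario], appetite: int) -> List[RiskScenario]:
    """Scenarios rated above the risk appetite, highest rating first.

    Ties are broken by impact, then asset name, so the order is deterministic.
    """
    above = [s for s in register if s.rating > appetite]
    return sorted(above, key=lambda s: (-s.rating, -s.impact, s.asset))


def coverage_gaps(register: Iterable[RiskScenario], crown_jewels: Iterable[str]) -> List[str]:
    """Crown-jewel assets that appear in no scenario at all.

    An asset with no triples has never been analysed: threats and
    vulnerabilities may have been listed, but were never tied to the asset.
    """
    covered = {s.asset for s in register}
    return sorted(a for a in crown_jewels if a not in covered)


def treat(scenario: RiskScenario, *, new_likelihood: Optional[int] = None,
          new_impact: Optional[int] = None) -> RiskScenario:
    """Model a control's effect as a re-rated copy of the scenario.

    A control (e.g. isolated, immutable backups) does not remove the triple;
    it lowers impact and/or likelihood. The new rating is then compared with
    the appetite to decide whether the spend was sufficient.
    """
    changes = {}
    if new_likelihood is not None:
        changes["likelihood"] = new_likelihood
    if new_impact is not None:
        changes["impact"] = new_impact
    return replace(scenario, **changes)


def sample_register() -> List[RiskScenario]:
    """Constructed sample data, not drawn from any real organization."""
    return [
        RiskScenario("EHR database", "ransomware operator",
                     "unpatched remote-access gateway", likelihood=4, impact=5),
        RiskScenario("EHR database", "malicious insider",
                     "excessive standing privileges", likelihood=3, impact=4),
        RiskScenario("Backup server", "ransomware operator",
                     "backups are online and mutable", likelihood=3, impact=5),
        RiskScenario("Laptop fleet", "device theft",
                     "disks not encrypted", likelihood=4, impact=3),
        RiskScenario("Marketing website", "opportunistic defacement",
                     "outdated CMS plugin", likelihood=3, impact=2),
    ]


if __name__ == "__main__":
    APPETITE = 12  # assumed: ratings above 12 require treatment
    register = sample_register()
    for s in prioritize(register, APPETITE):
        print(f"{s.rating:>2}  {s.asset}: {s.threat} via {s.vulnerability}")
    print("unanalysed crown jewels:", coverage_gaps(register, ["EHR database", "Payroll system"]))
    backups = register[2]
    after = treat(backups, new_impact=2)  # isolated, immutable backups in place
    print(f"backup scenario rating {backups.rating} -> {after.rating} (appetite {APPETITE})")
```

Two things the register shows that the prose alone does not: a crown-jewel asset with no triples at all is a coverage gap, not a low risk, and a control is judged by whether the re-rated scenario falls at or below the appetite, not by whether it appears on someone else’s checklist.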

  4. Converge/Reduce the Number of Tools Being Used. For starters, issue a moratorium on non-strategic tools. Next, formalize processes to reassess the use of cyber security tools on an ongoing basis. We have seen tools layered upon tools, layered upon tools. When CISOs and their staff change organizations, there can be a tendency to bring in tools from previous company assignments. Start today by requiring your team to inventory all the tools that are licensed and deployed. Too often, tools are approved and become shelfware. Once you have a complete inventory, assess the extent to which each tool is being used and the value, if any, being derived. Jettison the low-value, underutilized tools.

Speaking of tools, what I find is most commonly missing is a tool to establish, implement, and mature your ECRM program. The right software can simplify and facilitate the task of conducting enterprisewide risk analysis and cyber risk management. The wrong software—or worse, no cyber risk management software solution—makes it nearly impossible to establish, implement, and mature an effective ECRM program. Refer to Appendix B Enterprise Cyber Risk Management Software (ECRMS) in Stop the Cyber Bleeding to learn more about how to evaluate an ECRMS tool.[13]
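The inventory-then-assess-then-jettison step above can be driven from data rather than opinion. The following is an added example, not code from this post or its author: it loads a constructed tool inventory (the tools, costs, seat counts, triage ages and the two thresholds are all assumptions) and reports seat utilization, alert-handling staleness, overlapping categories and the annual cost that could be redirected to higher-priority risks.

```python
# Added example (not the post's or author's code): a utilization pass over a
# cybersecurity tool inventory to surface shelfware candidates. The inventory
# rows, columns and thresholds are constructed assumptions for illustration.
import csv
from collections import defaultdict
from dataclasses import dataclass
from io import StringIO
from typing import Dict, List, Optional, Tuple

# Constructed inventory. days_since_last_triage is blank where the tool does not
# produce alerts (e.g. awareness training) or where no alert was ever handled.
INVENTORY_CSV = """\
tool,category,annual_cost_usd,seats_licensed,seats_active,days_since_last_triage
EDR-A,endpoint detection,180000,4000,3900,1
EDR-B,endpoint detection,95000,4000,120,210
VulnScan-X,vulnerability scanning,60000,1,1,3
NetFlow-Y,network monitoring,45000,1,1,
AwarenessTrain-Z,security awareness,30000,4000,3700,
LegacySIEM,log management,120000,1,0,400
"""


@dataclass(frozen=True)
class ToolRecord:
    tool: str
    category: str
    annual_cost_usd: int
    seats_licensed: int
    seats_active: int
    days_since_last_triage: Optional[int]  # None = not applicable / unknown

    @property
    def seat_utilization(self) -> float:
        """Fraction of licensed seats actually in use (0.0 if nothing licensed)."""
        if self.seats_licensed <= 0:
            return 0.0
        return self.seats_active / self.seats_licensed


def load_inventory(text: str) -> List[ToolRecord]:
    """Parse the CSV inventory; blank triage age becomes None."""
    records = []
    for row in csv.DictReader(StringIO(text)):
        triage = row["days_since_last_triage"].strip()
        records.append(ToolRecord(
            tool=row["tool"].strip(),
            category=row["category"].strip(),
            annual_cost_usd=int(row["annual_cost_usd"]),
            seats_licensed=int(row["seats_licensed"]),
            seats_active=int(row["seats_active"]),
            days_since_last_triage=int(triage) if triage else None,
        ))
    return records


def flag_shelfware(records: List[ToolRecord], min_utilization: float = 0.5,
                   max_triage_age_days: int = 90) -> List[Tuple[str, List[str]]]:
    """Tools failing either threshold, with the reasons, in inventory order."""
    flagged = []
    for r in records:
        reasons = []
        if r.seat_utilization < min_utilization:
            reasons.append(f"seat utilization {r.seat_utilization:.0%} < {min_utilization:.0%}")
        if r.days_since_last_triage is not None and r.days_since_last_triage > max_triage_age_days:
            reasons.append(f"no alert triaged for {r.days_since_last_triage} days")
        if reasons:
            flagged.append((r.tool, reasons))
    return flagged


def overlapping_categories(records: List[ToolRecord]) -> Dict[str, List[str]]:
    """Categories covered by more than one tool: candidates for convergence."""
    by_cat: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        by_cat[r.category].append(r.tool)
    return {cat: tools for cat, tools in by_cat.items() if len(tools) > 1}


def reclaimable_cost(records: List[ToolRecord], flagged: List[Tuple[str, List[str]]]) -> int:
    """Annual spend tied up in flagged tools, i.e. funds available for higher-priority risks."""
    names = {tool for tool, _ in flagged}
    return sum(r.annual_cost_usd for r in records if r.tool in names)


if __name__ == "__main__":
    inventory = load_inventory(INVENTORY_CSV)
    hits = flag_shelfware(inventory)
    for tool, reasons in hits:
        print(f"{tool}: {'; '.join(reasons)}")
    print("overlapping categories:", overlapping_categories(inventory))
    print(f"reclaimable annual spend: ${reclaimable_cost(inventory, hits):,}")
```

The thresholds are deliberately parameters: a board should see the inventory and the utilization figures, then decide what “underutilized” means for the organization rather than accept a vendor’s or a new CISO’s default.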

  5. Call on cyber security and regulatory compliance experts. ECRM is a specialty area that requires expertise beyond what is typically found in most organizational IT, security, or risk management departments. Your IT and risk management departments may be excellent at meeting your organization’s tactical and operational needs. Still, they may not have the time, independence, experience, or strategic expertise to evaluate your cybersecurity spending critically. If this is the case for your organization, you may consider hiring a third-party service provider to help build your organization’s ECRM program. Buyer beware: ECRM consultants and service providers are not currently regulated or evaluated by a reliable, objective third party. Anyone can call themselves a “cyber risk management expert.” Therefore, it is incumbent on your organization to exercise due diligence before contracting with a cyber risk management consultant or service provider. Refer to Appendix A What to Look for in an ECRM Company and Solution in Stop the Cyber Bleeding to learn more about how to evaluate an ECRM company.[14]

Summary

These are difficult times for businesses, which must balance pressure to manage or reduce costs in the face of increasing cyber-attacks, a hardening cyber liability insurance market, and increased regulatory reporting requirements.

As a result, many organizations are wasting investors’ money. Some see the pressure to reduce costs as an opportunity. In a recent WSJ article, Mandy Huth, vice president of cybersecurity at Kohler Co., described how organizations might seize the opportunity to take stock of their cybersecurity strategy and use it to make course corrections.[15]

This post provided several reasons why cybersecurity spending is wasted and suggested several actions executives and boards should require management to undertake to arrest any waste that may be occurring in their organizations.

Questions Management and Board Should Ask and Discuss

  1. Does your organization have a good governance structure in place, one that clearly articulates who makes what ECRM spending decisions and how and when using what data and facts?
  2. Does your organization treat the enterprise cyber risk management (ECRM) program as a transformational endeavor?
  3. How does your organization prioritize cybersecurity spending?
  4. Are spending decisions based on comprehensive risk analysis followed by informed risk treatment decision-making using your organization’s cyber risk appetite?
  5. Is your organization conducting comprehensive NIST- or ISO-based risk analyses/risk assessments?
  6. Has your organization set its cyber risk appetite?
  7. Does your organization maintain inventory and utilization data for licensed and deployed cybersecurity tools?
  8. Have you made a recent effort to reduce un- or underutilized cybersecurity tools as a source of funds for more critical risks?
  9. What is the most critical question your C-suite and board should ask about cybersecurity expenditures?

Endnotes

[1] Smith, Ian. Financial Times. “Cyber attacks set to become ‘uninsurable,’ says Zurich chief.” December 26, 2022. Available at https://www.ft.com/content/63ea94fa-c6fc-449f-b2b8-ea29cc83637d

[2] Nakashima, Ellen, and Starks, Tim. Washington Post. “U.S. national cyber strategy to stress Biden push on regulation.” January 5, 2022. Available at https://www.washingtonpost.com/national-security/2023/01/05/biden-cyber-strategy-hacking/

[3] Gartner Research. “Forecast: Information Security and Risk Management, Worldwide, 2020-2026, 2Q22 Update.” June 30, 2022. Available at https://www.gartner.com/en/documents/4016190

[4] Smythe, Zoe Deighton. Security on Screen | Security Industry Group (SOS|SIG). “70% of organisations feel they’ve wasted cybersecurity budget on failing to remediate threats, says Gurucul.” July 19, 2022. Available at https://securityonscreen.com/70-of-organisations-feel-theyve-wasted-cybersecurity-budget-on-failing-to-remediate-threats-says-gurucul/

[5] Gurucul Research Report. “2022 Security Operations Efficiency Survey.” July 15, 2022. Available at https://gurucul.com/resources/whitepapers/security-operations-efficiency-survey

[6] Ariganello, Joe. Anomali Blog. “More is Less: The Challenge of Utilizing Multiple Security Tools.” April 14, 2022. Available at https://www.anomali.com/blog/more-is-less-the-challenge-of-utilizing-multiple-security-tools

[7] Eaves, Sally. CIO. “Too Many Tools in the Security Box and What to Do About It.” May 23, 2022. Available at https://www.cio.com/article/350333/too-many-tools-in-the-security-box-and-what-to-do-about-it.html

[8] Managing Information Security Risk. NIST Special Publication 800-39. National Institute of Standards and Technology (NIST). March 2011. Accessed November 11, 2019. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf ; and Guide for Conducting Risk Assessments. NIST Special Publication 800-30, Revision 1. National Institute of Standards and Technology (NIST) September 2012. Accessed November 11, 2019. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

[9] Chaput, Bob. “Stop The Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM).” 2021. Clearwater. Available at https://amzn.to/33qr17n

[10] Quintana, Stephen, and Sawyer, Woodruff. JDSupra. “Cyber Insurance Requirements: The Next Frontier.” December 1, 2022. Available at https://www.jdsupra.com/legalnews/cyber-insurance-requirements-the-next-5944655/

[11] Chaput, Bob. “Stop The Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM).” 2021. Clearwater. Available at https://amzn.to/33qr17n

[12] Guidance on Risk Analysis Requirements under the HIPAA Security Rule. OCR/HHS. July 14, 2010. Available at https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf

[13] Chaput, Bob. “Stop The Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM).” 2021. Clearwater. Available at https://amzn.to/33qr17n

[14] Chaput, Bob. “Stop The Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM).” 2021. Clearwater. Available at https://amzn.to/33qr17n

[15] Rundle, James. WSJ. “Facing Flat Budgets, Kohler’s Cyber Chief Looks to Do More With What’s On Hand.” December 30, 2022. Available at https://www.wsj.com/articles/facing-flat-budgets-kohlers-cyber-chief-looks-to-do-more-with-whats-on-hand-11671566513?page=1
