Cyber Security

Why throwing money at cyber security doesn't fix the problem

Published on 21st December 2016

As a Cyber Security Recruitment Sourcing professional, I get an interesting insight into different organisational strategies around CyberSecurity, and consequently, the resources invested into "fixing the problem." A combination of experience (having worked in the industry), relevant conversation, and a plethora of articles reveal something that most professionals already know. More money doesn't mean better outcomes.

Take a recent Gartner report which states: "the majority of organisations will continue to misuse average IT security spending figures as a “proxy for assessing security posture through to 2020". To take it further, many organisations don't know what their security budget is. This is not only, inefficient and wasteful, it implies a reactive mindset and makes it very hard for a business to track things like ROI (one potential indicator of effectiveness) and adequately plan for emergency situations. Management thinker Peter Drucker is often credited with the adage "you can't manage what you can't measure."

I believe this is a big part of the core of the problem. A subset of this might be misappropriation of resources. Investing in security technologies is at an all-time high, but the number of incidents has not declined proportionately with spending. It seems to function as a safety blanket. Where a lot of strategies fall short is not investing into tuning that technology to run optimally, or investing into the people that have the capability to ensure it does what it's supposed to. What is the point of buying the 'Lamborghini' or the 'Bugatti' of SIEMs as an example, if you give the keys to a 4-year-old, and never service it??

So what do we need to do?

I believe we need to communicate the reality in a way the business Directorship understand. Put a $ Amount on Risk, financial impact (of incidents as a result of poor security posture), reputational damage, loss of future business, loss of productivity, the list goes on. If a director hears: "the impact of a breach in reputational damage alone will cost you $34 Million over the next 3 years", I'm willing to bet that the need to fix it moves up the priority list. These are metrics that make sense, because they hit you where it hurts, your Balan¢e Sh€€t.