Cybersecurity is a Drain on the Bottom Line...Part 3...Price v Value
The price is what you pay for goods or services. Value is what you derive from those goods or services over time (thank you, Warren Buffett). This is sometimes referred to as Total Cost of Ownership (TCO). So, what is the TCO of implementing a robust cybersecurity program compared to the cost of doing only a little, or nothing at all? This comparison is frequently overlooked in the decision-making process. Cybersecurity projects should not be framed in terms of all or nothing, but rather in terms of good, better or best. ALSO, don't forget that doing nothing is an option, and it comes with its own risks and rewards. To make sure we're all on the same page here, let's use a very simple example.
I am the CISO of ABC Company and I want to hire more staff for my security team, train that staff, and give them all the tools they need to deflect, detect, react, respond and recover from cybersecurity incidents. My fully loaded budget proposal (fully loaded means I include things like travel costs, software licensing, employee benefits, etc.) is $5M USD. That is a lot of money, and some CEOs (especially in the mid-market) would get sticker shock at that price tag. So, I would have to provide a very clear explanation to the rest of the C-suite of what value we're getting for that price.
I can't expect the CEO to know what I know about security (otherwise, why am I needed?), and I can't expect him to read my mind and understand what I want to do, why I want to do it, and how my plans are going to help the business make money, save money or prevent future losses. He just sees that number, thinks it's high, and sends me away to cut items from my budget proposal until I hit a number that he and the CFO find more reasonable. They clearly are not grasping the TCO, and it's my fault for not doing a better job of explaining things to them. I want to be very clear on that point, and thank you, Jocko Willink, for your book Extreme Ownership. You don't get to explain something once, fail to get the response you want, and blame the other person. Responses are much deeper than a simple "yes" or "no", and it's your job to uncover those reasons and adjust accordingly. That's a big topic and out of scope for this article (but one I can cover in a future article if anyone is interested). For the time being, suffice it to say that as the leader, you and you alone own the outcome.
If I don't assume ownership of the messaging, I will make one of the most common mistakes in business: assuming that my target audience knows as much as I do about my area of expertise. This is called information parity. However, in truth, there is significant information disparity: the CEO and CFO don't know anywhere close to as much as I do about this aspect of the business (not every aspect of the business, just this one). In their defense, it's not their job to upskill themselves (although that would be nice, it's not bloody likely); it's my job to explain to them the difference between price and value.
While the price may be $5M, that is not simply a sunk cost (like candy and comic books). There is an ROI for the security controls and countermeasures that I implement: they are either helping you make money, save money or prevent future losses. You must quantify these things in terms of their financial impact to the business. You need to speak their language if you hope to convince them that your super-great ideas are indeed super and great.
There is also a cost for not doing anything (taking no action). Some of the costs of underinvesting in cybersecurity or not making any changes to your existing posture, if an incident were to occur (remember: football, no pads), are: loss of customer confidence, loss of market share, protracted litigation, government oversight, negative media attention, lost revenue, lost opportunity costs and damage to brand reputation. These will not occur in isolation (oh, no no no); they will be cumulative, with many occurring simultaneously.
As a result of a breach, you will likely have some sort of required notification legislation that must be followed. To know whom to notify, you have to conduct an investigation, which means hiring a forensics team. Then, you will need an eDiscovery team to mine the data that was targeted to identify which data elements were exposed and where those data owners live (data legislation is typically based on the location of the impacted individuals, not the location of the business). Then, you will have to meet with or report to the government auditors or industry regulators who will invariably come looking for an explanation of why you were out of compliance with your required governance regime. Then, you will likely get hit with either a class action or a shareholder derivative lawsuit (or both), which means retaining outside counsel. Then, you will need to hire crisis communications experts because you have to inform your staff and clients what happened, why, how, and what you're doing about it (this is not an optional step either; it's required by law). Then, you will experience a loss of customers as they move their business to one of your competitors (and rightfully so), since you have broken the trust relationship between you and your customers by violating your fiduciary responsibility to protect their data. Then, you will need to pay for another regulatory audit to ensure that you are back in compliance with whatever regime you are beholden to. Then, you will need to hire security architects to help you redesign your security program to a level of maturity that your customers, investors, shareholders and board members are comfortable with. Then, you will have to hire penetration testers to determine whether your security controls are working as designed. Finally, you must increase your overall security vigilance to try to make sure this horrible situation doesn't happen again and you don't repeat the whole, very expensive, cycle.
As the CEO of ABC Company, you are back to reviewing my $5M USD budget proposal, which suddenly doesn't look so bad. You are going to invest to the level that I initially recommended, only now you have paid another $20M in interest, which takes the shape of regulatory fines, legal fees, consulting fees, lost revenue and lost opportunity costs. AND, you have your investors, shareholders and board members crawling up your six during every quarterly meeting, demanding updates on the progress of your security efforts.
When the price versus the value is explained in that level of detail, I think you would be hard pressed to find a CEO who still thinks underinvesting in cybersecurity is a good idea. Now, to be clear, you may still find your CEO and CFO don't buy what you're selling and slash your budget anyway. Despite your best efforts at informing and educating them, the decision may still be made to forego the investment and hope like hell they don't get hit. For the avoidance of doubt, I think this is a bad idea and will end up in disaster; granted, I have only seen this happen about 2,000 times, but hey, there is a chance (however small) that you can underinvest and come away unscathed. I also concede there are things I don't know, and they are probably more complex than I think they are.
Maybe you won't get hit today, or maybe not tomorrow, but someday, and probably sooner than you would like, you will. You will break many bones. You will lose many teeth. And you will wish you had put pads on.
The key takeaway here is education and communication with CEOs and CFOs, who speak a different language. As security professionals, the responsibility is ours to make sure the other executives understand the full risks of underinvesting in cybersecurity along with the benefits of investing reasonably. It is our responsibility to speak in a language that they understand and can relate to, devoid of unnecessary technical jargon or confusing acronyms. It does us no good to talk about speeds and feeds, ACLs, IOCs, TTPs, threat actors and polymorphic malware; they will just start wondering what's for lunch. We have to change our approach to one of price versus value, and business impact. We need to explain the costs associated with risks, the likelihood of those risks manifesting, the impact of those risks, and the financial, legal, regulatory and customer challenges that will be faced afterwards.
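One way to put "likelihood of the risk manifesting" and "impact" into the numbers a CFO will actually read is the standard risk-quantification arithmetic: Single Loss Expectancy (cost of one incident), Annualized Rate of Occurrence (how often it is expected per year), Annualized Loss Expectancy (ALE = SLE x ARO), and Return on Security Investment (loss avoided, net of program cost, per dollar spent). The script below is an added example and is not code from the original article; the cost categories follow the post-breach chain described above, but every dollar figure, probability, and the "good / better / best" tier definitions are constructed for illustration (the breach costs are sized to sum to the article's $20M), and the ALE/ROSI terms are general industry usage, not the author's.

```python
"""Price versus value: expected-loss comparison of security investment tiers.

Added illustration, not from the original article. All figures are
constructed. Quantities:
  SLE  = cumulative cost of one major incident (categories stack)
  ARO  = expected major incidents per year under a given program
  ALE  = SLE * ARO
  TCO  = years * (program cost + ALE)       the "value" side of the ledger
  ROSI = (ALE avoided - program cost) / program cost, versus doing nothing
"""
from dataclasses import dataclass

# Constructed post-breach cost breakdown (USD) for one incident at a
# hypothetical mid-market company; the categories mirror the article's
# forensics -> eDiscovery -> regulators -> lawsuits -> comms -> churn ->
# re-audit -> redesign -> pentest chain. They sum to $20M.
BREACH_COSTS = {
    "forensics_and_ediscovery": 1_500_000,
    "regulatory_fines": 6_000_000,
    "outside_counsel_and_litigation": 5_000_000,
    "crisis_communications": 500_000,
    "lost_revenue_and_customer_churn": 5_000_000,
    "re_audit_and_program_redesign": 1_000_000,
    "penetration_testing": 250_000,
    "lost_opportunity": 750_000,
}


@dataclass(frozen=True)
class Option:
    name: str
    annual_cost: float           # fully loaded yearly program cost (USD)
    incident_probability: float  # ARO: expected major incidents per year


# Constructed tiers. Probabilities are assumptions, not measured rates;
# in practice they come from your own incident history and threat model.
DO_NOTHING = Option("do nothing", 0.0, 0.40)
OPTIONS = [
    DO_NOTHING,
    Option("good", 1_500_000, 0.20),
    Option("better", 3_000_000, 0.10),
    Option("best", 5_000_000, 0.03),   # the article's $5M proposal
]


def single_loss_expectancy(costs=BREACH_COSTS) -> float:
    """SLE: the costs are cumulative, so one incident is their sum."""
    return float(sum(costs.values()))


def annualized_loss_expectancy(option: Option, sle: float) -> float:
    return sle * option.incident_probability


def total_cost_of_ownership(option: Option, sle: float, years: int) -> float:
    """Price (what you pay) plus expected loss (what you pay later) over the horizon."""
    return years * (option.annual_cost + annualized_loss_expectancy(option, sle))


def rosi(option: Option, baseline: Option, sle: float):
    """ROSI relative to the baseline; undefined (None) when nothing is spent."""
    if option.annual_cost == 0:
        return None
    avoided = (annualized_loss_expectancy(baseline, sle)
               - annualized_loss_expectancy(option, sle))
    return (avoided - option.annual_cost) / option.annual_cost


def compare(options, baseline=DO_NOTHING, years: int = 3, costs=BREACH_COSTS):
    """One row per option with price, expected loss, TCO and ROSI over `years`."""
    sle = single_loss_expectancy(costs)
    return [
        {
            "option": opt.name,
            "price": opt.annual_cost * years,
            "expected_loss": annualized_loss_expectancy(opt, sle) * years,
            "tco": total_cost_of_ownership(opt, sle, years),
            "rosi": rosi(opt, baseline, sle),
        }
        for opt in options
    ]


def cheapest_option(rows) -> str:
    """Name of the option with the lowest total cost of ownership."""
    return min(rows, key=lambda r: r["tco"])["option"]


if __name__ == "__main__":
    rows = compare(OPTIONS, years=3)
    print(f"{'option':<12}{'price':>14}{'exp. loss':>14}{'TCO':>14}{'ROSI':>8}")
    for r in rows:
        rosi_txt = "n/a" if r["rosi"] is None else f"{r['rosi']:.2f}"
        print(f"{r['option']:<12}{r['price']:>14,.0f}{r['expected_loss']:>14,.0f}"
              f"{r['tco']:>14,.0f}{rosi_txt:>8}")
    print("lowest 3-year TCO:", cheapest_option(rows))
```

The table is the argument from this article in CFO terms: "do nothing" has a price of zero and the highest TCO, and every funded tier beats it on expected cost. Which funded tier wins depends entirely on the probability estimates, which is why the good / better / best framing matters more than a single all-or-nothing number, and why the assumptions behind each ARO should be stated on the slide rather than buried.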
The CEO and CFO still may not give you everything you want, but you can rest peacefully with the knowledge that you have explained things to them adequately and they have chosen to act contrary to your advice. The CEO makes the ultimate decision, so it's our job to advise them on what we think based on our expertise. It's not our job to chuck our toys out of the pram for not getting our way and start pointing fingers.
It's time cybersecurity professionals learned more about the businesses they protect, how those businesses make money, and what success criteria are placed specifically on the CFO and CEO. Only one in ten CISOs are board ready, so this is clearly a problem. I don't think this is a silver bullet, but it will certainly go a long way in helping organizations make better security decisions.
This is the last part in this series. I hope you enjoyed reading!