Cybersecurity is a Drain on the Bottom Line...Right?
If you are a cybersecurity professional, you have likely heard the phrase, “Cybersecurity is a drain on the bottom line” more times than you can count. Cybersecurity professionals and leaders consistently hear this comment, or some variation of it, from CFOs and CEOs around the world, and have for as long as I’ve been in the business (25 years). Security is seen as a cost center (meaning that it doesn’t make money, as a profit center would) that does little more than position the company against an unknown threat that may or may not manifest. I have also heard it contemptuously referred to as an “Insurance Policy”; if something bad happens, then fine, but if nothing bad happens, you have wasted company resources.
Why does this conversation take place so frequently in so many businesses around the world? I believe, like so many other things in business, it comes down to money. Now, I am not naïve; I know businesses need to make money and be profitable in order to exist. However, as the difference between price and cost becomes more visible, I will show that investing in cybersecurity does not take money away from profit; rather, it serves as an enabler to conducting business safely and responsibly against the backdrop of today’s threat landscape.
The difference between what you generate in revenue and what you spend in order to generate that revenue is profit. Spending more on anything within the business requires you to either raise prices or lower profit margins. When cybersecurity is carelessly tossed into the category of a cost center, it is seen by the CEO and CFO as only something that costs money and not something that generates money.
This is something that I believe is the fault of cybersecurity professionals, myself included. We have not done a very good job of explaining the benefits of a strong security posture to anyone other than other security professionals, let alone the financial benefits to the CEO or CFO. I have witnessed this firsthand at security conferences like Black Hat, DEF CON and BSides. There is a general disdain for the C-Suite, a lack of trust and a pervasive opinion that our non-technical colleagues are somehow less intelligent. This opinion is honestly unsurprising when you think about it, since our goals and objectives have never been aligned very well with the rest of the C-Suite. As cybersecurity professionals, we frequently find ourselves at odds with the other areas of the business, and seldom (if ever) is a meaningful effort made by either side to understand each other.
Cybersecurity to practitioners can sometimes be viewed as an all or nothing endeavor. You are either going to do all the things that are recommended, or you are wrong. You can’t do some of them either…you have to do them all! Additionally, as a group (though not without exception), we have a general lack of understanding regarding how businesses actually work. For example, I don’t think I have ever been part of, or heard, a conversation amongst cybersecurity professionals where quarterly earnings, profitability or EBITDA were discussed. I think it’s because technical people tend to think about technical things, which are more binary than the concerns of businesspeople, whose primary focus is the health and well-being of the business. That is a far more nebulous concept, without a right or wrong answer. While these things are tangentially connected, there exists a significant knowledge gap between what the CISO knows and what the CEO or CFO knows.
This misalignment has caused a number of problems over the years, such as underinvesting in cybersecurity staff, not providing training and failing to invest in technology. In the face of these challenges, CISOs remain accountable for the organization’s security posture and for any security failings introduced by the approach they were able to fund, which is likely only a fraction of what that CISO would like to do. They also bear the full brunt of a data breach, likely ending in their dismissal. So, back to our original statement: is this disconnect due to CFOs and CEOs being more focused on profitability and CISOs being more focused on security?
This situation has led to things like the Joe Sullivan trial and conviction, where the CFO and CEO were not held accountable at all for the failure to protect Uber’s data and properly report on the breach. Sullivan alone shouldered that burden; however, he did not have full autonomy to make the decisions he knew would be in the best interest of the company, nor did he have the budget authority to invest as much as he would like in the areas he felt were most important. Circumstances like this, where there is accountability but little authority, have led to what the National Cybersecurity Center calls the Great CISO Resignation. CISOs are either quitting their jobs or are predicted to do so due to the lack of autonomy, lack of support, lack of budget and lack of resources, paired with full responsibility for the security posture of the company and full blame if something goes wrong. There are also work/life balance issues that impact their overall mental and emotional well-being. Imagine how frustrated you would be if you knew what you needed to do to be successful, but you were not allowed to do it, your budget was reduced, and you were not taken seriously by your peers, UNLESS something bad happened, at which point it was all your fault, and your ideas were marginalized and labeled as erroneous at best and foolhardy at worst.
A recent PwC survey of more than 700 US executives placed cybersecurity as the number one risk they will face in 2022. Wait a tick, Chris. Did you just say THE NUMBER ONE risk that many leaders believe their businesses face is cybersecurity? Well, if that’s the case, how come they consistently underinvest in and undervalue their CISOs so much, to the point that they are quitting in droves? How does that make sense to anyone? HINT: It doesn’t – and I have an idea why and what to do about it.
Tune in next time for part 2!
Cybersecurity Governance, Risk Management, and Compliance... building strategies to securely support your business objectives.
Great summary of the top issue facing CISOs. Most Board members are questioning further investment in cybersecurity. If instead they assessed the value of the assets they're trying to protect, they would be questioning why they haven't invested more.
Project Manager
Cybersecurity is an investment for any business! An investment that will protect your peace of mind and sensitive data!
Growing the brands changing our world
Completely agree, Christopher Pogue. It's only a drain until security becomes a major problem, by which time it's too late to fix it and much more costly. Investing in cybersecurity should be every CEO's number one priority to protect customers, suppliers, partners and employees alike.