October is finally here, and you know what that means: Fall, Halloween, pumpkin spice lattes and National Cyber Security Awareness Month!
As a security practitioner, I spell “cyber security” as two words, just like “physical security.” That is just a nit of mine. Just because you add “cyber” doesn’t make the foundational word some exotic uber-technical term. I know some practitioner may disagree with me, but it is an easy action to agree to disagree and move on to make the world a better place. Whether or not you spell cyber security as one word or two words, I think we can agree that the topic is front of mind especially as we are addressing this global pandemic and remote work environment.
Predominantly, the conversations surrounding cyber security focus on risk management, vulnerability, loss, and cost – or the one that annoys me most: it’s not IF, it is WHEN. These are nothing more than scare tactics. Come on! Should we as innovators, disruptors and leaders let Fear, Uncertainty and Doubt (FUD) drive every decision (or non-decision) around cyber security (or mission assurance, data integrity, and any one of a myriad of terms)? Are we just waiting for the sky to fall and run around like Chicken Littles? I REFUSE. We can do, we must do better!
I want to have more sophisticated conversations around cyber security, focusing on investment, predictability and success with security as a core enabling function. Let’s align security to value, insight, metrics and ROI – similar to a capital investment strategy. That conversation starts with opportunity, excitement and achievement as the objectives, with due regard to risk and uncertainty. It also shifts the perspective of security investment from a “sunk cost” or “cost center” to a key business opportunity or profit center enabler in an information / data driven system of systems.
I get it. Cyber security is a challenging business – technology, operations, workforce, threats, regulations, and executive ownership. Any one of these topics is a tall mountain to climb, but if we reframe the problem into an investment opportunity, that is a challenge we are ready to summit.
With that said, let’s start that conversation around investment, predictability and value.
INVESTMENT STRATEGY: Just like a capital investment strategy, investments in cyber security are a long-term growth strategy complete with commitment, metrics, goals and returns. Those investments – infrastructure, services, applications, workforce, policies, marketing – all have a value and a return on investment (ROI). Historically, organizations have measured ROI of cyber security as measures to derive a “non-event” or a “mitigation of loss” argument, which is a trailing edge conversation (behind the moving body). However, all capital investment strategies are leading edge conversations (ahead of the moving body), which are designed to position the organization in an advantageous situation ahead of the anticipated business environment or opportunities. While this could be an exhaustive conversation, some key metrics may involve value delineation of business operations predictability, optimization and recapitalization of resources, increased quality of Probability of Win (Pwin) calculations, optimization of workforce composition (and automation goals), and increased business due to reputational enhancement.
The other component of an investment strategy that often gets omitted is the pacing of investment ahead of the perceived (and substantiated) threat landscape. Over investing and under investing are suboptimal expenditures and reduce the quality of ROI and create a challenging story to articulate, especially when requesting additional resources. The pace of investments in security must align and be an uplift for the overall business goals and corporate strategy, which involve several cycles of the correct inject of investments – what, when, who, why – and then a clear line back to the corporate strategy.
PREDICTABILITY: In most conversations, cyber security is characterized as a cost, one that has an unknown measure of ROI. However, reframing the conversation as measures to increase business predictability enable executives to shift the conversation into a value center discussion complete with opportunities, investments, risks, and adjacencies, particularly in on-demand or services industries (i.e. utilities, transportation, digital streaming). These traditional cyber security tools now have sufficient information and insight to provide operational stability to logistics, manufacturing, and transactional business models.
For example, adding an automated tool or service to conduct vendor risk management (VRM), sometimes referred to as supply chain risk management (SCRM) can provide insight into global events that would disrupt an organization’s supply chain. With insight into world events (nature, weather, governmental, population), the organization would be able to proactively adjust their global supply chain to either reroute, shift to other vendors, and/or adjust their own throughput for little or no realization to the customer.
VALUE: A long-term cyber security investment strategy can deliver insights into traditional network and business operations while simultaneously bring comprehension to adjacent business areas – finance, personnel, reputation, customer relations and a host of others. The ROI for investments has a direct realization component and an indirect value component.
- Uplift for new customers and markets, especially those who have been exposed or business operations disrupted by inter-industry competitors, i.e. gain customers who are dissatisfied with current provider and/or new customers who have had personal or businesses affected by a cyber compromise.
- Highlight operational assurance and predictability for higher quality proposals and Pwin calculations.
- Business advantage in highly regulated markets – as cyber security shifts from information sharing to regulatory compliance models
- Minimization of losses due to theft, fines and/or inefficiencies.
- Identification of vendors and/or partners that expose an organization to business disruption or compromise due to poor or no cyber security investments.
- Reputation advantage over market competitors, especially when going into new or underserved markets.
- Ownership from the Board and C-suite based on clearly articulated, measurable and goal-focused investment strategy with clearly stated ROI.
- Safe, secure workplace to attract and retain the best talent.
- Culture of transparency to bolster workforce morale and to be a leader for social justice topics.
- Privacy and business assurance and the opportunity to highlight as a discriminating advantage.
- Dependable growth calculations based on uninterrupted business operations.
- Identification of employees that wittingly or unwittingly expose organizations to compromise or data theft due to high risk online activities.
This is not a traditional, or typical, view of cyber security as an investment strategy. There are plenty of business models and operational frameworks to guide business decisions with each having a benefit and handicap. I offer we must advance the conversation, so it better represents what we are ALL trying to achieve – investment, predictability and value in the digital, connected environment. Risk mitigation has its place in the conversation, but it is not the primary conversation starter nor the loudest voice in the dialogue. We can and must do better.
Let the conversations begin!