It is customary to begin an article on cybersecurity with statements about huge increases in threats and attacks and mounting cyberspace losses from fraud, identity theft, ransoms, data exfiltration, blackmail, etc. Few who confront cyber issues daily question such assertions, but there are some who say “prove it!” And when you delve into it, proving such claims is difficult because of the paucity of reliable data and the biases baked into the statistics that we do have.
So, it validates some of my previous views to read an article that attempts to lay out the reality of cybersecurity based on some reasonably objective data. The article, by Chris Maurer, Kevin Kim, Dan Kim and Leon A. Kappelman, appeared in the February 2021 issue of Communications of the ACM with the title “Cybersecurity: Is It Worse than We Think?” Spoiler alert: It is!
The article describes the results of a survey from which the authors conclude that “there is a harsh reality lurking beneath the surface within many organizations.” Very dramatic! They say that while organizations declare “the right things” in public, there appears to be a “lack of urgency” in actual security practices, especially in terms of “integration with the business.”
The authors offer several conjectures about why this is the case, as follows:
- There is little incentive to divert resources into security projects and away from other projects with demonstrable near-term returns
- Senior management is reluctant to involve security staff in strategic-planning meetings because they are concerned that security requirements will inhibit other seemingly more profitable activities
- There may be a defeatist mentality across organizations since they think that they will be successfully attacked no matter what they do to try to protect themselves
These conjectures fit in well with my experience and that of my peers. The truth of the matter is that many business managers do not understand today’s technologies and the risks that accompany them, and they are incentivized to maximize the measures upon which they personally are evaluated. Those measures typically do not include bearing the consequences of data breaches and the like.
As I have suggested previously, one action that could greatly assist in promoting cybersecurity is to have an independent cybersecurity risk management group, not reporting to technology or senior management but directly to the Board of Directors, similar to how internal audit departments may be configured. They should also have separate budgets similar to what I saw with Y2K remediation, where funding came out of a general expense pool and was not charged to, or governed by, business unit managers.
Until and unless we make changes across the board to the governance of cybersecurity risk, we cannot expect the dangerous situations in which we find ourselves to improve. Such governance changes will not occur spontaneously. We need laws and regulations that encourage such changes and the means to enforce them. Again, I turn to Y2K remediation where, by law, senior managements and members of Boards of Directors had to sign a document saying that they would be criminally liable if it could be shown that their organization failed to ensure that its systems were Y2K compliant (the cybersecurity analogue being a failure to prevent a breach). This had a salutary effect on the project. As one senior manager said of the Y2K remediation project: “I don’t care how much it costs, but just keep me out of jail.” Personal responsibility and culpability are sadly lacking in the cybersecurity area, but are badly needed if we are to see real improvements.