Overcoming Cybersecurity Apathy

A colleague of mine asked a question that continues to perplex those in our industry: Why do so few organizations take cybersecurity seriously until they suffer a major incident? We hear from IT people in cybersecurity about how they try to get their organization to invest in areas of vulnerability, pleas that too often fall on deaf ears until it’s too late. Then, after the damage is done, the purse strings loosen and, all of the sudden, it’s top priority.

Nothing sells flood insurance like a good flood. And as with an unexpected encounter with Mother Nature’s devastating power, a major security incident forces the hand. No matter what one may have anticipated, the levees, metaphorically speaking, are breached, and the only option left is to do what it takes to reclaim the land, spending whatever necessary to avoid a recurrence. This isn’t necessarily a permanent change of heart. After a long, pain-free period without a major incident, folks tend to become complacent again. Investments in prevention taper off, and the cycle repeats.

It’s possible that business leadership is in denial, that they just don’t understand that the risks apply to them. Or, financial pressures may be limiting cybersecurity investments in general.

While apathy, denial and financial pressure could all factor into an organization’s weak posture toward defense of a cybersecurity incident, a particularly pervasive issue is the overall ambiguity associated with cybersecurity – at least in the eyes of the business leaders tasked with approving investments.

Cybersecurity is complicated. The risks are complex and can be hard to quantify for a specific organization. Which actions should be prioritized and which products should be purchased are not as obvious as with other areas of information technology.

Leaders in organizations without a large robust security team—most leaders, in other words—may hear a near-endless barrage of “must buy” product recommendations. But it’s hard to spend money on something when it’s not understood. I’m reminded of being at the car dealer and being asked to pay an extra grand for undercoating and fabric protection.

Contrast this with backups. Practically everyone—IT professionals and otherwise—understands that backups are critical. It’s simple enough to get behind the idea of making a copy of important data and putting it somewhere safe. When it comes to what’s needed to make this possible, organizations typically use one, or maybe two, solutions.  It’s easy to for them understand and justify what they’re paying for.

This is not true for cybersecurity. Sure, business leaders know they don’t want to be hacked, breached, or hit with ransomware. They don’t want their businesses disrupted. They understand the consequences can be enormous.  At the same time they reason, however, that they may not get hit, or that if they do, it might not be that bad. Deep down they also know that no matter how much they spend on cybersecurity, there is no guarantee they won’t get hit anyway.

What the lucky business leaders see—those who have not yet fallen victim to a successful, serious cyber attack—is that year after year they spend more and more on cybersecurity solutions. Year after year they’re told they need to buy even more.  At some point their eyes glaze over, they tune out the noise, and they draw a financial line in the sand. We, they proclaim, will decrease our cybersecurity budget this year.

Four Tips for Securing a Healthier Cybersecurity Budget

So how can IT leaders help reduce this ambiguity and help get business leaders and cybersecurity professionals on the same page? What will have to happen to encourage the C-suite to trust that their security team is taking a pragmatic approach to protecting the organization and not just building a wish list of tools to play with?

Here are four suggestions that may help.

1. Ease up on the scare tactics. While threats are real, attempting to invoke panic about every threat like Barney Fife at Iwo Jima hurts your credibility. Your leadership will start to discount what you tell them because, in their minds, you’re always freaking out.
2. Be selective in your proof points. Execs don’t need to see every horrible statistic or disaster experienced by other organizations. Use the ones that most directly apply to your world, your industry – organizations that look like yours.
3. Be pragmatic. Factor in costs and risks before asking for more money. Evaluate your current investments. Are those solutions providing—or could they provide—what you need? Are they cost effective? Do those providers offer additional capabilities that could meet your needs as opposed to bringing on a new vendor? Perhaps you’re still using a legacy solution and paying a premium price. Could you replace it with a modern solution with expanded capabilities at a better price point? Managing the protection and associated costs should be an ongoing practice.
4. Use graphics when suitable. Develop visual representations that illustrate the assets you are trying to protect and the solutions used to protect them. Illustrate gaps or problem areas that need addressing. Keep in mind that not every picture is worth a thousand words. The cybersecurity landscape is enormous, but failing to keep things as simple as possible will thwart your efforts to gain trust.

At Prescriptive, we’ve seen the benefits of boiling concepts down to their simplest form, such as with our Baseline 5 Cybersecurity framework. Even if we end up needing to go into more detail—and we often do—we find that tailoring a diagram to address what is specifically relevant to our customer helps avoid unfruitful, tangential discussions.

As an example, we might employ an illustration like the one below accompanied by a glossary of straightforward, easily-understood definitions for each term and acronym.

When working with our clients we can fill in the categories with the actual products in use (or those proposed) and highlight areas we want to address.

Admittedly, there’s no silver bullet to convince organizations to allocate adequate funds toward cybersecurity. But cybersecurity challenges will likely only grow going forward, and regardless of the effort required to convince leadership to spend money, it will always be easier than dealing with the consequences of failing to invest. Remember, the obstacles to getting your executives on board are, well, humans, and your ability to leverage human nature—rather than fight it—will always bring you the highest return for your efforts.