Cybersecurity spending is not the same as protection


One of the biggest mistakes organizations can make is to confuse cybersecurity spending with protection.

This leads to large security budgets that have nothing to do with better security, and to managers who are disconnected from how security investments actually work.

According to Gartner, the problem lies in two seemingly contradictory statements that can both be true at the same time:
• Spending a lot on cyber security does not mean that we are well protected.
• Investment is needed if we want to achieve better protection.

“Investment” can mean investing more money, time and effort to change from an older, less efficient process or control to a newer, more efficient one. The net result may be cost savings, but it still requires investment to create change.

There are organizations that spend a lot of money on security and are terribly protected. But there are also those that have created a great level of protection with a very modest security budget. Basically, money does not equal protection, but investment is absolutely necessary to achieve better protection.

However, budget approval is only the beginning of a cybersecurity investment. Value is created by spending money to produce protection outcomes. Those outcomes determine protection, not the money spent to achieve them. Just because we’ve bought and implemented some cool stuff doesn’t mean we are better protected.

When leaders confuse the size of the budget with the level of protection, the result is throwing money at the problem. This is how organizations with large security budgets end up with weak protection. It is worth identifying the behaviors that reinforce the notion that cybersecurity spending equates to defense.

Behaviors to avoid:

1. Treating the budget approval as a success

Many CISOs treat securing a budget as a success. They build business cases, allocate funds, spend on security assets, and report back to executives. This pattern reinforces executives’ belief that they are getting better protection for the money.

At each board meeting the CISO reports on the money spent and the tools implemented. This creates a self-reinforcing cycle between the CISO and management: the CISO gets more money and more “success”, executives believe they are getting better protection, so they give the CISO more money, and so on.

This continues until spending becomes so large that executives question what they got for the money, or when the organization is hit by a major cyber incident. In both cases, managers are disillusioned.

2. “Money is not a problem. I can get anything I need.”

A recent WSJ article quoted Howard Schmidt, Amazon’s CISO, who reports to the company’s CEO, Andy Jassy, who is known for taking security seriously. “It really makes my job easier. Andy has never turned down anything I’ve said is necessary to get the job done,” Schmidt said.

This situation occurs regularly, especially in large companies with well-funded security programs. CISOs in this position usually say it with pride, because it is an indicator of leadership confidence. Trust is a good thing, but it also places greater responsibility on the CISO. If something goes wrong, it is perfectly reasonable to ask why the CISO didn’t ask for something that could have prevented the incident. This expectation only grows when the security budget is generous and leaders equate spending with protection.

3. The primary motivation for security investments is to meet benchmarks for cyber security spending

These benchmarks are a useful tool for understanding where you are investing your money. If they are interpreted as a measure of protection, they lead to throwing money at the problem. Spending benchmarks should be used as leading indicators of underfunding, nothing more. There also needs to be a story about what the CISO is doing with the existing budget and what they will do with the new budget to change the level of protection.

If you manage to move away from these three CISO behaviors, managers can actively move away from the idea that “money = protection”. What the CISO should do is the following.

• Don’t report money spent on tools without reflecting the resulting change in the level of protection.
• Manage the expectations of executives who approve budget requests because they trust their CISO.
• Don’t rely solely on cybersecurity spending benchmarks to argue for better protection.

Ultimately, it is inappropriate for executives to treat the CISO as the arbiter of adequate protection and simply give them whatever they ask for. This behavior must be tempered with the understanding that security is a choice and a business decision. Managers should be thoughtful about the choices the CISO presents to them.

