News

The Urgency to Treat Cybersecurity as a Business Decision.

Atop

December 15, 2020


Cybersecurity is facing slowing budget growth, frustrated at-risk executives and shifting regulatory focus. As the lines blur between business models and the technology that supports them, CIOs need to consider the risks, security priorities and investments that impact their business outcomes.

Overview

Key Challenges

  • Cybersecurity spending growth is slowing through 2023, while boards are starting to push back and ask what they have achieved after years of heavy cybersecurity spend.
  • Boards and senior executives are asking the wrong questions about cybersecurity, leading to poor investment decisions.
  • Many current approaches to improve cybersecurity are falling short of providing appropriate and defensible levels of protection.

Recommendations

CIOs focused on IT cost optimization, finance, risk and value to optimize risk and corporate performance should:
  • Use this research to build a business case and executive narrative to change how cybersecurity is treated in the organization.
  • Improve cybersecurity readiness by treating it as a choice and a business decision.
  • Drive cybersecurity priorities and investments by using an outcome-driven approach that balances investment and risk with the needs to achieve desired business outcomes.

Introduction

Gartner projections show the growth in cybersecurity spend is slowing. Cybersecurity grew at 12% (CAGR) in 2018, and it is projected to decline to only 7% (CAGR) by 2023. Gartner clients are also reporting that after years of quarterly reporting on cybersecurity to their boards, that boards are now pushing back and asking for improved data and understanding of what they have achieved after years of such heavy investment.
Following the Equifax hack in 2017, the CEO stepped down and made very clear that the hack was a fundamental reason for doing so. The final U.S. House of Representatives subcommittee report issued in December 2018 indicated “Equifax’s CEO did not prioritize cybersecurity”.
In July 2019, the U.K. Information Commissioner clarified that the severity of fines under GDPR is based on the existence of adequate, reasonable, consistent and effective controls. This establishes a different type of standard to pursue appropriate levels of cybersecurity protection. The limitations of current approaches to security priorities, investment and governance described below are not in alignment with — or well-suited to address — this new standard. A better way to address this standard is to approach security as a business problem and align it with business needs. Organizations need to understand the limitations of their current execution and change their approach.
The information presented in this research should be used to build a business case and executive narrative to change how cybersecurity is treated in the organization. It describes the limitations of many current behaviors and approaches. It also establishes a foundation to pursue a new approach to cybersecurity measurement, reporting, priorities and investment

Analysis

Address Failing Approaches to Cybersecurity

Cybersecurity has been on boards’ agendas for almost 10 years, the headlines keep coming, and it remains a well-invested area in many companies with a lot of attention, despite the slowing of cybersecurity budget growth. There remain broad challenges to the effectiveness of cybersecurity as it is implemented across enterprises globally (see Table 1)

Table 1: Current Challenges to the Effectiveness of Cybersecurity
Source: Gartner (February 2020)

Societal Perception Is Creating Bad Engagement and Bad Investments

Current societal perception of cybersecurity can be characterized largely by fear, uncertainty and doubt, disconnected from the realities of addressing it. Every time there is a material cybersecurity incident in the headlines, there is some commentator on TV asking the perennial question: “Why can’t they just fix this?” Society treats cybersecurity like a black box of technology. And security people are treated like wizards. Execs give them some money, the wizards cast some spells, and if something goes wrong … somebody made a mistake and … I guess we need some new wizards.
Societal perception leads to a double standard characterized by: “Everyone understands that banks occasionally get robbed, but digital banks better be perfect.” We feel sorry for the employees of a bank who are present when a criminal says, “fill the bag with money.” But when a digital bank experiences a loss, everyone wants to know who made a mistake.
Societal pressure has created guidance for boards that tells them to get smarter about cybersecurity. So over the last 10 years, boards have been learning how to hack and how security controls work, and they’ve endured endless treatises on threats. This has not helped them answer the key, legitimate question related to how much security they need.
Societal pressure has also driven governments to create regulations. While regulation forced organizations to act where they were doing nothing, it has also created bad decision making in the context of checking boxes. Executives believe that compliance will save them. Many of them know or sense the reality that compliance does not equal protection, but the regulators give them no choice. At worst, compliance forces us to spend money where we don’t need it and keeps us from investing where we should.
Organizations Are Asking the Wrong Questions About Cybersecurity
The most common questions related to cybersecurity governance for the last 15 to 20 years establish a familiar pattern of demand emanating from executives (see Table 2).

Table 2: Common Cybersecurity Questions and Their Limitations
Source: Gartner (February 2020)

These questions, and their answers, lead to bad decisions on priorities and investments in cybersecurity. At best, they lead to an approval for some version of security budget. At worst, they lead to a false sense of security that “everything will be OK.” Everything is not going to be OK.
Investments and Approaches to Improve Cybersecurity That Will Fall Short
It is well-known to most executives that cybersecurity is falling short. There is a consistent drumbeat directed at CIOs and CISOs to address the limitations, and this has driven a number of behaviors and investments that will also fall short. The following behaviors and approaches are common in the Gartner client base.

The "open check book" application

Money alone does not solve the problem, and a major component of future cybersecurity success is the engagement of executives. You don’t just need money; you need smart money, spent in a business context. When senior executives say they will provide any money the CIO and/or CISO need to address cybersecurity, they are abdicating their role in oversight and participation in the process.

Many CIOs and CISOs will report that “money” is not a problem. Their board has made clear that it will support any level of investment necessary to address cybersecurity. This declaration is usually presented as a powerful show of support that is in contrast to the decades of the 1990s and 2000s where most security programs struggled for funding support. Unfortunately, this open checkbook makes it harder to engage executives in a productive conversation to improve cybersecurity.
CISOs will commonly state that cybersecurity is the business executives’ risk. But, an open checkbook puts the risk and responsibility clearly on the shoulders of the CISO. If an organization is hacked, the board and executives can say: “We said we would give you anything you needed; why didn’t you ask?”
Access to budget is clearly important, but if that access comes at the expense of executive engagement, it will harm the cybersecurity outcomes of the organization.

The risk appetite failure to execute

A common approach that many organizations have been pursuing since 2017 is the development of a risk appetite. Conceptually, this has great promise. In practice, it is falling severely short of the promise in most organizations.
A risk appetite is a representation of the business’s desire to accept risk. This is a modern concept and a reflection of the evolution from checklists to a risk-based approach. It is an important admission that risk is inevitable, and that risk is a tool that can be taken in measured doses to support business success. A clearly articulated risk appetite should give the organization an opportunity to express how much risk it wants, and this can be used to guide cybersecurity investment. All in a business context!
The reality is that many risk appetite efforts have become platforms for the executives to express “yeah, we don’t like risk around here.” And “we have zero tolerance for cybersecurity risk.” But these expressions are largely at the extremes.
The real failure of risk appetite efforts is that they need to include a measurable scale of risk and an underlying governance process that enables effective risk decision making. Most do not have these components.
Lacking these basic components dooms risk appetite statements to be another exciting approach to addressing risk-based needs that will fall short of its promise. When concepts like these sit at the Peak of Inflated Expectations, only to fail, they lose their power to do good in the marketplace and are abandoned. When they are revived years later because they are actually very good concepts, people dismiss them and say, “we tried that and it doesn’t work.”

Quantification is not a panacea 

Quantification has been growing in interest within the Gartner client base since 2017. It is fueled by completely understandable needs to present risk and security in terms of money (is that a $5 million risk or a $50 million risk?) and likelihood of damage (what is the percentage chance of getting hacked?). Boards are demanding it, and increasing numbers of clients are buying in to the idea that this may be the answer they have been seeking.
Quantification has reached a near-fever pitch of inflated expectations in 2020. There are several observations that indicate it will not materially impact most organizations. And we recommend every organization match its interest in quantification against these considerations to determine if it is right for the organization.
First, quantification is an extremely heavy lift. It takes significant resources in time, money and FTE to develop credible and defensible results. This heavy investment continues for as long as you are engaged in it to maintain the value. Smaller organizations will struggle to have sufficient data for their organizations to create credible and defensible results. And they will lack the resources to execute.
While we have fielded hundreds of calls from organizations that are interested in learning more about quantification, a negligible number have reported credible and defensible success to Gartner. The ones that have reported success tend to be extra-large enterprises with sufficient data and resources.
Beware of misuse. We have several examples of organizations that have engaged in quantification exercises that produce exactly what they need as far as charts, evidence of rigor and quantified results. The problem is that down inside their calculations sit assumptions and “expert opinion” that essentially dictate the result. If you use the veneer of quantification only to get what you want, you are lying to yourself and your executives, and you are not supporting improved cybersecurity.
And finally, an organization should assess the value of the results in supporting improved decision making. As part of an evaluation, explore a thought exercise related to how the results would be used. In Gartner’s experience, quantification has shown value in supporting how much cyberinsurance an organization needs, for example. But it does not support daily investment decisions that every organization needs to make related to priorities and investments in cybersecurity.
In the end, quantification may make sense for some organizations supporting certain key investment decisions, and it may be worth the investment. Quantification absolutely will not be the panacea that many people believe it to be.

Internal Audit and Regulatory Compliance Remain as Primary Drivers

Many board level executives still believe that internal audit and regulatory compliance are their primary guides to address cybersecurity. There are several indicators of this, including:
  • Cybersecurity board reporting buried in the audit committee
  • A focus on addressing internal audit findings over building an effective program
  • The number of organizations where cybersecurity reports into an organization called “audit and compliance” or “risk and compliance”
  • The checkbox mentality is alive and well in many organizations:
    • Which framework should I use?
    • Our program is based on ISO or NIST.
    • We are seeking program certification.
The limitations of this mentality are well-known. Compliance does not equal protection. Internal auditors should not dictate how much risk is acceptable or which controls are most important. Checkboxes create spend in areas where you don’t need it and take resources away from areas where you do need it.

Real Failures Caused by the Disconnect Between Cybersecurity and Business Decision Making

Gartner’s analysis of Equifax CEO Rick Smith’s congressional testimony following the Equifax hack in 2017 showed a disconnect between executive understanding and levels of cybersecurity capabilities in the organization. This condition is very common in the Gartner client base. The final House subcommittee report issued in December 2018 indicated that “Equifax’s CEO did not prioritize cybersecurity”
These disconnects should create a wakeup call for CIOs, CISOs, and executives to the critical need to address cybersecurity in a business context and as a business decision. Use the following examples in an executive narrative to illuminate the risk of cybersecurity to business outcomes beyond hackers and data breaches.
  • Cybersecurity investment increases heart attacks. A study funded by the U.S. National Science Foundation highlighted that the cure may be worse than the disease. “Breach remediation efforts were associated with deterioration in timeliness of care and patient outcomes.” Corrective actions are intended to remedy the deficiencies in privacy and security of protected health information. Remediation activity may introduce changes that delay, complicate or disrupt health, IT and patient care processes. After data breaches, as many as 36 additional deaths per 10,000 heart attacks occurred annually at the hundreds of hospitals examined.1,2
  • Inconsiderate engagement of risk. A banking executive chose to ignore a risk assessment recommendation for multifactor authentication on a new customer-facing online banking application. This executive had the authority to shut it down, and ironically, it may have been the right business decision to protect customer experience. The failure is that this executive had no understanding or accountability for the security of the application.
  • Engineering failure in a cyber-physical system. A field engineer gathered configuration telemetry from a large field installation across several acres of large moving machines. The information was fed into a simulation program back at the manufacturer’s headquarters. Due to a misconfiguration, the simulation program began reconfiguring the live field installation hundreds of miles away, risking millions of dollars in damage and human safety. All the field techs shared the same ID, and there was no consideration of security in the product management process.
  • Cybersecurity as an existential threat. The manufacturer of a device for shop floors globally had ignored cybersecurity in the development of its internet-connected product. The foundation software was open source and riddled with vulnerabilities, supported by a completely unnecessary and fully functional operating system. The dark web identified all of its devices connected to the internet and the company became host for every imaginable cybercrime, from money laundering to distributed denial-of-service bot controllers. The executives were notified, but did not care, because none of their shop floor customers complained. This is a business waiting to be sued out of existence for liability.
  • Lack of executive understanding related to third-party risk. A financial services organization, with full support of the board, decided to pursue a business strategy of outsourcing many of its business functions. The security team established a rigorous assessment process to inform business decision makers about security risks and to make go/no-go recommendations on working with certain partners. A business decision was made to engage one particular partner, despite a material recommendation to not engage that firm due to security weaknesses. Six months into the engagement, the company suffered a material breach for the same control weaknesses that were raised in the recommendation. The board held the security officer responsible for the failure. Follow-ups with the board focused on improving the board’s understanding of third-party risk and emphasizing the impact of business unit decision making on material security posture.
These examples show that business decision making — disconnected from the realities of business impact — can lead to serious business harm. These are the situations that matter, but executives are distracted by compliance, hackers and how much they are spending.
Broken governance is a business decision that impacts cybersecurity readiness, but is made with no consideration of that impact. We have forms that executives sign to “accept the risk,” but mostly those forms are not worth the paper they are written on. There is little or no accountability, and in Gartner’s experience, there is little evidence that the risks are described appropriately in a business context. So, the executives don’t really understand the risk they are signing off on.
Non-IT executives don’t typically inquire or insist on certain levels of security in the technologies that support them. For them, security just comes with the technology, because “what idiot would build an unsecure system?” If IT and security people engaged them over their desired levels of security, they would discover that implementing that level of security would increase their cost, lengthen their delivery schedules and negatively impact functionality, including customer experience. So those conversations generally don’t happen.
This disconnect between executive decision making and effective cybersecurity is what should keep executives awake at night. And it should focus their attention on new ways to approach the problem. The first critical step is to create a business context around cybersecurity.

Create a Business Context Around Cybersecurity

To create a business context around cybersecurity, you have to first understand the business context of your organization. Every organization — public, private, for profit, not for profit, charity, governmental, defense and nongovernmental organization (NGO) — has a business context. They all have budgets and costs, desired business outcomes and supporting business processes, sources of revenue and customers. And they all have technology dependencies.
These dependencies create a need for investment to protect the technologies that support their business outcomes. Understanding an organization’s most important outcomes, its most important processes, and its most important technology outcomes is the first step in putting a business context around cybersecurity 

The Limitations of Current Standards, Frameworks and Maturity Models for Cybersecurity

Cybersecurity standards and frameworks are published recommendations to secure an environment. There are dozens of them, including the most popular, the NIST cybersecurity framework and ISO 2700x.
The principal objective of these standards is to reduce cybersecurity risks. They generally include collections of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best-practice assurance and technologies.
Process maturity models use the guidance in the standards and the frameworks to extract best practices and techniques in determining capability levels. Together, they guide priorities and investments to achieve desired levels of cybersecurity capability. Their biggest limitation is that maturity models measure how good capabilities are, not what they are achieving!
As organizations achieve higher maturity, these maturity models, frameworks and standards begin to lose their value. Around a maturity level of 2.5, they become poor guides in helping an organization determine further priorities and investments. Above 2.5, the complexity of potential investments must be crafted more closely to the context of the organization.
Regulators have also signaled that cybersecurity capabilities must have characteristics beyond those commonly represented and audited in maturity models and existing standards.
Maturity models have helped organizations prioritize billions of dollars in spend over the last two decades, and that has netted admirable results. Gartner maturity data for all industries indicates an average between 2.6 and 3.6 for all industries. Organizations need something more powerful that has that direct line of sight to delivered levels of protection.

Outcome-Driven Metrics for Cybersecurity

Organizations struggle to determine the right amount of cybersecurity protection and investment. They need to shift to measuring levels of protection to guide investment.
In 2020, typical security audits focus on the existence of controls. An assessment of an audit standard for the NIST Cybersecurity Framework showed that 73% of the audit questions are related to the existence of controls, not their performance or levels of protection.
Outcome-driven metrics (ODM) for technology risk are an abstraction of tools, people and processes to reflect how well an organization is protected, not how it is protected. ODM can be used to enable more effective governance over cybersecurity priorities and investments. ODM creates the language necessary to have meaningful business-focused conversations with executives and boards 

The CARE Standard for Cybersecurity Readiness and Investment

Elizabeth Denham, the U.K. Information Commissioner, clarified in July 2019, that the severity of GDPR fines following major breaches is not related to organizations getting hacked or the number of people impacted; there is an expectation that organizations will be hacked.3 Society may suffer a double standard where it expects digital banks to be perfect, but the regulators do not.

The commissioner clarified that the severity of fines is related to the presence of adequate, reasonable, consistent and effective controls. Gartner believes this to be the best available signal from a regulatory authority for determining how much security you need. This clarification offers the opportunity to define a new standard based on a new way to approach appropriate levels of protection (see Figure 1).


Figure 1: the CARE standards for Cybersecurity

The CARE Standard for Cybersecurity


Ultimately, these are value judgements that must be credible and defensible. In these four characteristics are a myriad of opportunities to do what is best for the organization. It supports the creation of a balance between protection and running the business. It also embodies the incentive to build a better security capability that delivers better outcomes, not just spend more money on security 


Cybersecurity Readiness Is a Choice

The purpose of a security program is not to protect the organization, because that is an impossible goal. The purpose of a security program is to balance the need to protect with the need to run the business.
If we can’t protect the organization entirely, what should we do? Cybersecurity readiness is a choice. Create adequate, reasonable, consistent, and effective controls that are credible and defensible with your key stakeholders — your shareholders, regulators and customers — that you are spending the right amount on the right things in security. This, in effect, is what the U.K. Information Commissioner is describing as its standard for setting fines.
Risk, value, and cost optimization guide priorities and investments to the right balance between the need to protect and the need to run the business.
Risk optimization demonstrates the organization has the right priorities and the right investments to create a balance between the need to address risk with the need to achieve its desired business outcomes.
The urgency to treat cybersecurity as a business decision has never been greater. Organizations now have the understanding and the tools to do it.

Evidence

1-  “Study: Ransomware, Data Breaches at Hospitals Tied to Uptick in Fatal Heart Attacks,” Krebson on Security.

2-  “Data Breach Remediation Efforts and Their Implications for Hospital Quality,” Health Services Research.

3- “U.K. Regulator on Why It Is Pursuing Record Fines Against BA, Marriott,” The Wall Street Journal

 

Source: Paul Proctor, 12 February 2020, Gartner, Inc. and/or its Affiliates.