Gartner’s new article, 8 Reasons More CEO’s Will Be Fired Over Cybersecurity Incidents, sheds light on a handful of critical challenges CEOs face when managing cybersecurity. It is a compelling read, and one that led me to wonder: does this have to be the reality? Is there something we can do to change course?
These are heavy, complex questions, and the answers will differ for every organization, every security team, and even every CEO. But after mulling them over and bouncing ideas off other security folks, it became clear. The answer is no: this does not have to be a universal reality.
Here’s what my security peers and I rallied around: it’s almost 2020, we’ve been at this for three decades, and we still have not made the progress we hoped for. As the old saying goes, insanity is doing the same thing over and over and expecting different results. The only way forward is to take a completely new approach to security.
Currently CEOs, like many other C-suite executives, view security as all or nothing. Once breached, they question whether security is present at all within their organization. They also view security as a cost center: a black hole where money goes in and value never comes out.
Those of us who have been around the space know this is not a fair assessment, because breaches are inevitable. I know too much to confidently say my organization can go head-to-head with a motivated nation state. Just start with the fact that I have a Marketing team I like to characterize as well-intentioned but click-happy. That’s why I say 100% security is a losing battle.
But what if CEOs knew the ins and outs of the cyber battlefield, then picked areas where 1) they can win at security and 2) winning would bring value to the company? Sounds ideal, but here’s the catch. By default, CEOs and organizations will also be picking places where they choose to lose. Welcome to the game of risk.
This is not a new concept for organizations. Risk management is a mature field, with many risk functions already defined and established (credit risk, operational risk, liquidity risk, people risk). For those unfamiliar with the finer points of risk management, think of it like an investment portfolio. It’s not about looking at the cost of an investment, but rather the return you get on it. CEOs can invest in the areas of security where they believe they will see the most value. They can also expect to take hits and absorb losses, all without getting kicked out of the game. The reason this works? The CEO and the organization have already defined what they deem to be an acceptable amount of risk.
Risk is the future of security because it finally allows a possibility for success. Organizations already leading the charge are defining what success means for their security program and, ultimately, shifting control into their own court. This is monumental; some may even call it a paradigm shift. The attacker has always held the upper hand because security, defined as all or nothing, is an impossible goal. But if we are going to redefine what security means, let’s follow in these organizations’ footsteps and define it in a way where we, as defenders, can win on the battlefield.
The journey will be hard. It calls for new processes and a new toolkit. But if you’re ready to champion this new future, check out part 2 where we dive into the three building blocks every CEO will need to get started.