Nobody cares about security.
There. I said it. I said the thing everyone feels, some people think, but very few have the temerity to say out loud. But before you call me a blasphemous heathen, I will ask for just a few moments of your time to offer context. I even have some ideas and solutions.
When I say “Nobody cares about security,” I mean it in the same way I remind folks that nobody cares about backups. What they care about is RESTORES.
To quote my friend and colleague Tom LaRock, backups are worthless. Restores are priceless.
Ultimately, the thing we need is the ability to get our data back if something catastrophic happens. This means we need A) the data itself and B) the ability to restore it. In order to have those things, we must first perform backups, and we’re forced to perform them regularly. (And, I can’t emphasize enough, those backups must be tested. Otherwise, you have Schrodinger’s Backup.) Over the decades that the IT industry has existed, we’ve consistently improved both the technology and techniques of backups, from the “grandfather, father, son” rotation scheme of the ’80s and ’90s to the “3-2-1” rule first used in 2009 and onward. We’ve done so NOT because we care about the backups themselves, but because the sheer frequency of unexpected and catastrophic data loss events serves as both object lesson and cautionary tale, driving our willingness to invest effort and money in backups nevertheless.
So much so that, when some part of the organization questions the necessity (and the costs – from software to hardware to staff time) of backups, there’s usually a recent event that IT professionals can easily point to and say, “Remember how horrible that was? Remember the cost? We don’t want THAT to happen again, do we?” The ability to back up and efficiently restore data is an insurance policy that guards the company against even greater lost revenue.
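The “test your backups” point above is the one concrete practice in this piece, so here is an added example of what a test restore looks like in code. It is not the author’s code or from any product mentioned on the page; it assumes a plain tar.gz backup and uses a small constructed sample tree. The idea is that a backup job records a manifest of file digests at backup time, and a separate job later restores the archive into scratch space and compares the result with that manifest, which turns Schrodinger’s Backup into a backup that is known to be good or known to be broken.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> dict:
    """Write a tar.gz of source and return the manifest taken at backup time.

    Later restores are checked against this manifest, so store it somewhere
    the backup job itself cannot silently rewrite.
    """
    manifest = snapshot(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest


def restore_and_verify(archive: Path, manifest: dict) -> tuple:
    """Restore into a scratch directory and compare it with the manifest.

    Returns (ok, problems): ok is True only if every manifest entry came back
    with the same digest and nothing unexpected appeared in the restore.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    # The 'data' filter rejects absolute paths and '..' members;
                    # fall back on older Pythons that lack the argument.
                    tar.extractall(dest, filter="data")
                except TypeError:
                    tar.extractall(dest)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return False, [f"restore failed: {exc}"]
        restored = snapshot(dest)
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content mismatch: {rel}")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"unexpected file: {rel}")
    return not problems, problems


def run_demo() -> dict:
    """Constructed sample data: a tiny application tree backed up two ways."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "app"
        (source / "db").mkdir(parents=True)
        (source / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1, 'widget');\n")
        (source / "config.ini").write_text("[app]\nmode = prod\n")

        # Case 1: a correct backup job; the restore must match the manifest exactly.
        good_archive = work / "nightly.tar.gz"
        manifest = make_backup(source, good_archive)
        good_ok, good_problems = restore_and_verify(good_archive, manifest)

        # Case 2: a misconfigured job that skipped the database directory.
        # On disk this archive looks perfectly healthy; only a test restore shows the gap.
        bad_archive = work / "nightly-partial.tar.gz"
        with tarfile.open(bad_archive, "w:gz") as tar:
            tar.add(source / "config.ini", arcname="config.ini")
        bad_ok, bad_problems = restore_and_verify(bad_archive, manifest)

    return {
        "good_ok": good_ok, "good_problems": good_problems,
        "bad_ok": bad_ok, "bad_problems": bad_problems,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The second case is the one that matters: the partial archive is a valid, readable tar.gz, and nothing about the backup job’s own exit code would have flagged it. Only restoring and comparing against an independently kept manifest reveals that the data you would need in a crisis was never captured.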
The opposite of love isn’t hate, it’s apathy
This brings me back to my original point: Nobody (i.e., business leaders) cares about security. What they care about is avoiding lost revenue due to application downtime, extortion, and lawsuits.
Now, that’s a pretty hefty list, and one might think it’s more than enough to justify (almost) any cost of beefing up a company’s information security posture and capabilities.
But look at that list of consequences again and consider it from a purely business point of view. Each of those concerns can be addressed in other ways, from built-in redundancy to cyber liability insurance. These mitigations are (or at least appear to be, from a business standpoint) less expensive than the investment needed to improve infosec.
What’s worse, many of you reading this will notice that I left two commonly cited consequences off my initial list: fines and damage to reputation. I did that because the prevailing attitude among business leaders is:
- Damage to the company’s reputation SOUNDS bad, but (so the thinking goes) it’s really too amorphous to quantify. Plus, many companies in recent memory were the victims of massive cyber attacks, took a hit to their reputation or stock price, but saw it rebound a week later with no other ill effects. (Again, that’s the belief. More on this later.)
- The fines currently in place appear to be lower than the expected cost to improve the company’s security posture.
However, the financial bottom line is only part of the reason businesses ignore their information security needs. The other reasons are equally challenging to address:
Infosec issues are, almost by their very nature, complex. They are certainly more complex than having up-to-date backups. They might be more complex than any other category of risk the company will face. Cyber threats are constantly changing and expensive to preemptively address. There’s usually no single “right” answer to “How much infosec do we need?”
To put it another way, the broad answer to addressing both the issue of backups and infosec is that one needs to establish healthy habits. But the habits for backups are akin to remembering to brush your teeth in the morning. Important, but straightforward. Whereas the habits needed for proper information hygiene are akin to making healthy heart choices: the path to optimizing your cardiovascular health might involve not just one but a range of habits – from eating healthy foods (and avoiding unhealthy ones) to getting the right amount of exercise and sleep. But even within those broad instructions lie a range of nuances. What, exactly, are “healthy foods”? (Organic? Low-starch? Unprocessed? Keto-friendly?) What type of exercise will be most effective? (Cardio? Weight training? CrossFit?) Underlying all of those variations is the very real chance that none of it may help – not because the person isn’t committed, but because there are so many other factors – from age to genetics to individual metabolism – that it still might not work. And even after adjusting for every single other variable, there’s the genuine possibility that a person can do everything right and still succumb to some other disease or physical failure.
That last point – that despite our health goals, we may still have health problems – is far closer to the reality of infosec than many readers might realize. A few years ago, Cisco CEO John Chambers stated, “There are only two types of companies: those that have been hacked and those who don’t know they’ve been hacked yet.”
Abe Silber, CEO at CyberCure.com, succinctly identified the core issue:
“The problem with security is that it’s impossible to measure your ROI. Even if we can measure the cost of a security incident (not an easy task), it’s almost impossible to measure the likelihood of preventing them (hence ROI) based on different security solutions. So it’s not that business people don’t care. It’s that we (IT practitioners) have no way to show them what they get for their money. If I spend x amount on honeypots, how much less likely am I to get hacked?
(We can try to make the case that) Security helps you not lose money, like insurance. But unlike insurance, it’s not guaranteed protection. I can tell you firsthand that it’s easier to sell a CEO a $25,000 cyber insurance policy than a $10,000 security solution.”
This is only the beginning.
In my next post I’ll start to propose a way forward – a set of actionable decisions you (and your company) can make to get people to not only care about security, but to support and participate in healthy security behaviors.
In the meantime, if you want to share your own ideas, I’d love to hear them in the comments below.
Build a robust cyber incident insurance market. End (gradually) the embargo on revealing shoddy engineering known as “responsible disclosure”. Insurers will come to require various types of hopefully effective data hygiene and secure practices to reduce costs.
Interesting idea, although the insurance market we have today continues to dis-incentivize good security behaviors. It’s cheaper and easier to pay out after a breach.
“Nobody (i.e., business leaders) cares about security. What they care about is avoiding lost revenue due to application downtime, extortion, and lawsuits.”
That sounds like a purely semantic distinction to me. Would you also say they don’t care about food, but only about not starving? Or that they don’t care about clothes, but only about avoiding a citation for indecent exposure? When there’s such a short and direct line from A to B, there’s effectively no difference, even to the people involved.
It is (a semantic distinction) but an important one for security folks to understand. People don’t care about clothes for the sake of clothes, or food for the sake of food. There’s some other value. It might not be exposure or starvation. It might be status, or comfort, or whatever. But divested of those things, the pure labor necessary becomes distasteful (excuse the pun).
Let’s look at food some more. OK, we eat so we don’t starve. Fine. But why did we make the leap from hunter-gatherer to agrarian? It wasn’t easier. It wasn’t better. It wasn’t more nutritious. It wasn’t safer. It is, by almost every measure, a more difficult lifestyle that is more time consuming and risky. BUT… we (humans, as a society) understood there was a long-term value that made the short-term effort worthwhile.
My point is that we fail to present that long-term value coherently and meaningfully to leadership, and so it continues to be perceived as “security for the sake of security” and is therefore not appreciated.
Great article framing out and reminding us of the dangers of ignoring a good cybersecurity policy.
THANK YOU!