Enough Security: Change for a Dollar
Let’s continue on with our discussion about enough security, and focus on outcome #1 from the if-then decision: We need to spend more.
If we look at the decision statement ([customer expected security] – [your security] >0), what we are saying is that the customer is demanding more security from us (remember competitive analysis from the previous blog post) and our current program is not delivering what they want. We need to close the gap. Back to our foundational question of how much security is enough, I would submit that there are two possible levers to pull to get us to where we need to be: change and cash.
What is the business goal? Keep improving security until we reach the needed level without collapsing delivery of business results that could lead us to realizing risk #1 and we go out of business.
Change is disruptive. Change is messy. Change is costly. Most organizations have what I call a change acceptance rate. The organization can only handle so much change occurring at the same time. Too much change and the organization crashes out because you have overloaded the circuits. I have seen many a security strategy that calls for 15 security initiatives in the calendar year when the organization is launching both a new CRM and ERP system while revamping all sales territories/commissions. If the change acceptance rate of organization is high, the CISO will knock it out of the park - but if not, you can guess who is likely to come up short.
On the other hand, too little change can lead down a dark and stormy path as well. Customers are already demanding more from the security program, and the organization is not moving fast enough. I see this in some strategies that ‘slow play’ the delivery. The CISO is taking a very risk adverse approach to make her bonus, or possibly look like the hero in delivering more (with a backstop if they don’t). A word of caution: I have seen this strategy fail as often as one that asks too much. You could be seen as ‘too safe’ for a growing business.
The moral of the story is that CISOs need to know what the change acceptance rate for their business is, and craft a strategy that aligns with it.
What is the business goal? Keep security from being a financial bottomless pit. I have been guilty of falling into this trap. I need more kit, more consultants, and more people to handle some threat/vulnerability/regulation. Where does it end?
A recent Gartner study stated that in 2018, the average company spent $1178 on security - per employee. So you can see why the CFO trembles each time the CISO walks into the room. Why is this happening? Frankly, I blame the vendor community (yes, I see the irony as a vendor now myself). You see it in the press and articles “Are you spend enough on security?” The answer is invariably “no“ and you should buy our super secure Widget2000. It will help you overcome the Dastardly X vulnerability. CISOs are hooked!
If we go back to the initial customer discussion, CISOs should invest in things that customers are expecting. Not on things that are cool, or that will pad your resume for the next gig. Spend on things that reduce the possibility of the #1 risk occurring. Not a dime more. CISOs need to be as much a financial steward to the organization as a risk mitigator.
Back to the code: Loop minimum ([Rate of Change Acceptance] or [Cash to execute]). What I am saying here is that in order to reach ‘enough security’, the organization should iterate through whichever is smaller (the changes that the company can undergo or the cash they can spend at one time) until they reach the security level that the customer is expecting from your program. Why the minimum? We call this “best use of capital”. We will cover this in next week’s blog post.