CISOs must rethink how to manage cyber risk as an organizational priority.
Each year, companies pour more money into their cybersecurity budgets — more than $262 billion collectively in 2021, up from just $3.5 billion about 20 years ago. Yet every year, the attacks, breaches, and losses continue to increase. Employing the same tactics while expecting different results is not a rational approach to managing cybersecurity risk.
Some security tactics, of course — defining acceptable levels of risk, using cyber liability insurance to transfer some of that risk, and mitigating damage when an incident happens — remain important in reducing the impact of attacks. Yet business leaders need to rethink their organizational strategy. Enterprise security is too important to be the sole purview of a handful of specialists, as it has been for years. It needs to be enmeshed into everyone's job across the enterprise.
Here are four strategies CISOs should consider to help put cyber risk management on a better path.
1. It’s time to normalize cybersecurity risk
First, organizations must change how they think about cyber risks. Cyberattacks have traditionally been seen as a unique, exogenous threat, separate from other aspects of corporate risk management. That needs to change.
Cyber risk is business risk. It needs to be incorporated into every company’s risk-management framework and managed with some of the same methodologies used in financial and operational risk modeling. If CFOs and COOs can sleep decently at night, so too should their security peers in the C-suite.
In many ways, cybersecurity is not a technology problem; it’s an organizational one. Security processes should be as fundamental to the enterprise as those for onboarding employees or designing great customer experiences. They need to receive the same consideration as every other necessary business function, along with commensurate funding and headcount.
Security also needs to be more proactive and less reactive. Just as a company wouldn’t wait to hire sales staff until after a product launch, it shouldn’t wait for a major incident before it funds a cybersecurity team and puts the right processes in place.
It’s a given that organizations will continue to endure serious breaches; the more important question is whether they took reasonable measures to prevent them, and how effectively they respond.
2. Focus on people, processes, and technology — in that order
Next, CISOs need to reconsider where they’re focusing their resources. Their budgets should follow a clearly defined set of priorities, and tech should — in most cases — not be at the top. The first priority is people, and that means investing in training your employees in proper security hygiene, in teaching and reskilling your teams, and in strengthening a security culture.
The next spending priority should be internal processes. How thoroughly, for example, has the organization rehearsed what it will do in the event of a ransomware attack? Internal and external communications, operational continuity planning, and how (or whether) to engage with the attackers are all best planned before the crisis hits.
Third, only after the most pressing people and process issues have been addressed should CISOs invest in technology tools to help reduce and manage threats.
3. More carrots, fewer sticks
Nearly 9 in 10 data breaches are the result of human error, according to a recent study by Stanford University researchers. And despite the more than $1 billion that companies spend annually on security awareness training, that’s unlikely to change. Companies need to find new ways to reward good security practices.
Shaming employees for security slipups, for instance, doesn’t make them more vigilant. More often than not, it just scares them into silence and makes them less likely to speak up. Or they may try to solve the problem on their own and unknowingly make it worse. In a highly regulated industry, an incident that goes unreported because an employee was afraid to raise it can also expose the company to regulatory sanctions.
Instead, organizations need to foster a culture of openness around security, encouraging employees to ask questions and raise red flags. Some companies send out simulated phishing attacks and reward employees who successfully identify them with gift cards and other perks. Others offer public recognition for employees who pass the required security training. Nearly any form of positive acknowledgment is a step in the right direction.
4. Make security tools easier to use
Much of the billions of dollars companies spend on security technology goes toward shelfware that never gets used. In many cases, these are complicated tools that require experts who understand how to use them, and such people are in short supply. With a security labor shortage that isn’t going away soon, according to the Information Systems Security Association (ISSA) and industry analyst firm Enterprise Strategy Group (ESG), security tech must become easier to use.
Simpler tools would not only enable CISOs to hire more people to handle essential security functions, but would also open up the workforce to a more diverse array of individuals with different backgrounds and levels of technical expertise. Engineers also need to spend more time providing easy-to-understand dashboards that allow senior executives and other less technical people to understand the current state of risk.
One of the reasons that my company, Elastic, offers a free and open technology stack is to encourage and enable a vibrant community of contributors. We also believe that opening products to the broader audience of developers makes them more secure.
Enterprise security cannot remain a siloed function handled by a crew of specialists. It needs to be part of everyone’s responsibilities. Making it so can help companies move beyond simply reacting to crises and into a new paradigm where they manage cybersecurity efficiently, like any other risk.
Nate Fick is general manager for security at Elastic.