Knee-Jerk Reactions to Data Breaches are damaging the case for Cyber Security

Cyber Security Transformation is not about implementing yet another technology product

Anybody who has spent a few years in InfoSec management has seen this happen: Following an internal near-miss or some high-profile security incident widely publicised in the media (such as the TalkTalk data breach in the UK), the same senior executives — who previously wouldn’t bat an eyelid over information security issues — suddenly start panicking: Priorities shift. Immediate solutions are demanded. Money appears out of nowhere by the millions. Tech vendors are lined up. Some product is purchased that will allegedly fix everything. A box is checked, then normality returns.

Over the short-term, only the tech vendors win — shamelessly — in these scenarios.

The CISO — if there is one — loses ground in most cases. Unless they’re just a technology hobbyist and they get another pet project to play with. Otherwise, they are likely to see their priorities turned upside down by the arrival of the new initiative and ongoing projects deprioritised in its favour.

This can be hugely demoralising for the CISO and their team, who might have worked hard for years to get certain projects started, only to see them put on hold while other topics, repeatedly proposed and refused in the past, are now pushed forward by the same executives who previously turned them down:

  • It damages the credibility of senior management with the cyber security professionals.
  • It makes life more difficult for the cyber security team in their day-to-day interaction with IT teams, as they are seen as constantly “moving the goalposts”.
  • It perpetuates the wrong idea amongst IT communities that cyber security is just a topic you throw money at from time to time.
  • In the long run, it alienates talent away from cyber security roles.

Cyber security products — broadly speaking — tend to do what they are supposed to do, so the chosen technology solution may provide a degree of protection to the organisation, but only if it gets implemented properly. And that’s often the key issue. The product would have been selected in an emergency to plug a technical hole, not necessarily on the basis of the most thorough requirements analysis or market research:

  • It may not be suited to the company’s environment (e.g. deploying internal security products while key IT assets are in the Cloud, or deploying Internet security products if your Internet footprint is limited).
  • There may be competing products or solutions already in place internally that could have been leveraged (e.g. in different geographies or business lines). Ignoring those alienates and demotivates part of the organisation and may deprive the initiative of invaluable field experience around the topic.
  • There may be considerable process issues when trying to embed the new product into legacy practices (e.g. around identity and access management or patch management), potentially leading to escalating costs, deployment limitations or project failure.

Overall, the knee-jerk decision may end up being an expensive “tick-in-a-box” exercise that achieves very little in practice.

Even for tech vendors, the situation may not be ideal in the longer term. As deployment fails or stalls due to technical issues, and value is limited by the lack of fit with people and processes, vendors may face dwindling subscription revenue or cancellation of maintenance charges, which may damage business models or investors’ confidence.

Senior executives need to understand the dynamics they create where they demand instant solutions to problems that are in reality rooted in decades of under-investment, adverse prioritisation or complacency. And the CIO and the CISO need to have the management gravitas and the backbone to stand up to the Board — with the right arguments — on those matters.

The harsh reality is that there can be no miracle solution — technical or otherwise — to such problems.

There may be a need for short-term tactical initiatives to demonstrate to the Board, shareholders or regulators that a new dynamic is being created around cyber security, but those have to be calibrated to the real maturity of the organisation in those matters and the genuine threats it faces. As importantly, they must be accompanied by a thorough examination of the cultural roadblocks that have prevented progress in the past.

A genuine and lasting transformation around cyber security can only come from the removal of those, and from the definition of a long-term transformative vision for the function. A vision that must come from the top and resonate across the whole organisation, not just IT.

Contact Corix Partners to find out more about developing a successful Information Security Practice for your business.

Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.

(This article was originally published on Linkedin Pulse on 12th April 2016)
