Last month's Twitter hack by two teenagers and a 20-something trolling for bitcoin unleashed a predictable wave of teeth-gnashing and doomsaying about the state of cybersecurity. The public's outrage, however, was soon redirected to the next cataclysm in a year that's already had a decade's worth; the half-life of security angst grows ever shorter because we've seen so many of these incidents over the years. Nothing seems to change and business goes on unencumbered as both businesses and individuals treat cyber threats as a background risk of our online existence, similar to how we see car and air travel and, before 2020, infectious diseases.
The outcry over the security incident du jour is also reflected in various surveys, typically sponsored by vendors pitching silver-bullet security products (aka snake oil), indicating how seriously executives, IT professionals and other security stakeholders (aka customers) take the issue. Indeed, such surveys typically show a steady increase in the amount of money, time and attention respondents claim to spend on improving their security posture. Nonetheless, the problems and concomitant calls for increased security spending, training and technology persist.
Perhaps the security problems are more extensive and complicated than most realize, so that despite the increased effort, like Charlie Chaplin on the assembly line, the harder we work, the further we fall behind. Alternatively, executives and business professionals might suffer from a cognitive bias like hyperbolic discounting or projection bias, namely a preference for immediate gratification over long-term rewards. For example, ask most people about their weekly meal plan and most will load it up with healthy options like fruits and vegetables, but when asked to choose between an apple and a chocolate bar for lunch, the fruit doesn't stand a chance.
Actions reflect values and incentives
It's a truism that actions speak louder than words, so the inconsistency between self-reported priorities and observed cybersecurity activity likely results from enterprise decision-makers following their true lodestar. I was struck by the cognitive dissonance after reading a perceptive blog entitled How CEOs think by Robert Graham, a security researcher and developer whose unflinching candor is refreshing (emphasis added):
The only thing more broken than how CEOs view cybersecurity is how cybersecurity experts view cybersecurity. We have this flawed view that cybersecurity is a moral imperative, that it's an aim by itself. We are convinced that people are wrong for not taking security seriously. This isn't true. Security isn't a moral issue but simple cost vs. benefits, risk vs. rewards. Taking risks is more often the correct answer rather than having more security.
Rather than experts dispensing unbiased advice, we've become advocates/activists, trying to convince people that they need to do more to secure things. This activism has destroyed our credibility in the boardroom. Nobody thinks we are honest.
Graham correctly observes that CEOs, i.e. those ultimately responsible for an organization's priorities and resource allocations, see security merely as another area where they must balance the costs of damage prevention against those of security mitigation and insurance. Security then is a cost of doing business, not a core competency or competitive differentiator. As Graham puts it (emphasis added):
I can't express this enough: if it's not their [CEO's] core competency, then they don't want to excel at it. Excelling at a thing comes with a price. They have to pay people more. They have to find the leaders with proven track records at excelling at it. They have to manage excellence.
This goes all the way to the top. If it's something the company is going to excel at, then the CEO at the top has to have enough expertise themselves to understand who the best leaders to [sic] can accomplish this goal.
Thus, unless you're in the business of selling security, whether explicitly, as a vendor like Check Point does, or as an integral part of your products, like Apple, Google and Microsoft, there's no business benefit to being better than average since the incremental expense likely outweighs the competitive advantage. Graham nails the cost-benefit analysis:
It doesn't matter that this costs a lot of money due to data breeches [sic]. As long as the cost is no more than your competitors, then you are still competitive in your markets.
Graham proceeds to discuss the role big-brand analyst firms and consultants play in propping up the security theater, primarily by providing credentialed CYA gravitas and blame-shifting when something goes wrong. Unfortunately, such a herd mentality creates a race to the bottom as everyone does the bare minimum to claim compliance with security 'best practices.'
Employees just want to get their jobs done
If executives pay lip service to security as a value to be professed but not performed, employees often see security as a job impediment, tolerated at best, avoided when necessary. A recent survey by 1Password examined employee adherence to security policies and found that of the 20% who admit to not always following their company's security policies (meaning the number was undoubtedly higher), half do so primarily to improve their productivity. Indeed, a quarter of IT employees say they don't uniformly apply security policies, with 4 percent confessing that they don't enforce them at all.
Looking deeper, 1Password characterized the security rule-breakers as sharing one or more of the following attributes:
- Prioritize personal convenience over corporate security.
- Dismissive of one-size-fits-all IT rules, thinking it's unrealistic for IT to understand and manage the apps needed to do their job.
- Part of a younger generation (millennials and Gen Z) raised with technology and consequently more likely to resist IT authority.
The COVID-19 crisis undoubtedly weakened the enterprise security posture even more. An AT&T survey shows that the stopgaps adopted after employees were thrust into remote work environments with little preparation have only increased the likelihood of employees playing fast and loose with security policies, thus making organizations more vulnerable to cyber threats. Rerunning the familiar refrain that "employees are the biggest risk," AT&T cites their ignorance, apathy and inflexibility as the "biggest challenge to implementing good cybersecurity practices."
Top line - more spending doesn't equate to more security
Security consultants and vendors have predictably used the pandemic crisis and resulting disruption of business and workforce operations to reinforce their persistent refrains of the cyber-doom awaiting any organization that doesn't redouble its commitment to security by spending more on products and services. As we've seen in all aspects of life this year, fear is a most potent motivator, able to instill changes that were once unimaginable.
The Cassandras of cyber-dread aren't letting the opportunity go to waste and, at least in some risk-sensitive industries, it's working. A Deloitte survey of financial institutions found that spending on cybersecurity in 2020 has increased between 8 and 15 percent (depending on how one measures) over last year. Bloomberg does the math, showing that such spending levels translate to eye-popping numbers: $900 million per year at Wells Fargo, $850 million at JP Morgan Chase and $700 million each at B of A and Citigroup.
Deloitte cites "increased pressure on boards and executive management teams" on cybersecurity issues as a principal reason for the increase. Unfortunately, it is unlikely that we will ever know whether the increased spending reduced the financial costs of security incidents at each bank. Still, at least the executives can say they did something. Graham nicely captures the reactive nature of most executive-level security responses, writing:
When things hit the news, like this week's Twitter hack, CEO's look for a simple product to patch the hole precisely because they don't want to excel at it. A common cliche in cyber-security is that 'security is not a product, but a process'. But CEOs don't want a process they have to manage.
As the 1Password survey illustrates, the problem with making security a process is that the process adds friction and overhead to someone else's job, friction that some employees will remove by avoiding or subverting the process. The trick that few seem to have mastered is building security into existing processes in ways that maximize user convenience without compromising effectiveness. As I recently discussed, it's an approach Google has applied in updates to its Cloud and G Suite services and a strategy that should yield a competitive advantage once executives learn that security shouldn't be a product, but integral to the product.