The ever-present threat of cyber attacks is taking its toll — not simply on security budgets, but on the psyches of business and IT executives, as well as employees. The constant vigilance against potential breaches has resulted in a rising chorus of “cyber fatigue” permeating boards that are tired of revisiting cybersecurity issues over and over again, with constant pleas from IT leadership for more money and bandwidth.

In a world where IT leaders admit a breach is no longer a matter of “if” but “when,” and avoiding negative PR is paramount for success, C-suite executives have begun to throw up their hands in exhausted surrender — as there seems to be no end in sight.

Organizations, however, can wake up to a better way. According to a new KPMG report, “How to Bounce Back from Cyber Fatigue,” a new model is needed to transform cybersecurity strategy from one that is draining and reactive to one that’s energized and proactive. Moving beyond the mantra of “fix and spend,” executives should work to maximize the value of security investments in alignment with business priorities.

Shifting the Cyber Conversation: From Tactics to Business Understanding

It isn’t the focus on cyber or the spend to fix security issues that needs to change, emphasizes Tony Buffomante, Principal and US Leader of KPMG’s Cyber Security Services practice. Instead, it is the nature of the conversation that requires a serious shift.

“We’re not saying that cyber is not important, or that spending should stop,” he says. “We’re really talking about the fatigue felt in the boardroom.” After the famous Target breach of three years ago, he explains, there was a flood of new discussion and dialogue between CISOs and boards. The result was typically a focus around technology, tactics and point solutions, which didn’t necessarily link to the business as a whole.

“This drove a broader disconnect between cyber and the business in terms of what was really important,” he says. “Directors now say, ‘I thought we were done with this, didn’t we fix this?’”

Today, CIOs and CISOs need to connect the cyber dots to what is really important to the business, Buffomante explains. Asking for another $5 million? The board needs to understand how that impacts the overall corporate strategy, such as expansion plans, and how the organization can mitigate risk to meeting its goals and objectives.

“These are business conversations that, frankly, legacy cybersecurity leadership practitioners aren’t always comfortable having,” he says. “They’re comfortable with the bits and bytes, but not about how to be part of the solution in bringing a medical device, for example, to market in the best way.”

Typically, an organization may have a security breach, or an avalanche of funding — suddenly, there is a large list of tactical projects to knock off, but the list was assembled in a vacuum. Instead, frameworks should be built to weigh and score projects by their ability to reduce threats and risks, align with business priorities, and improve efficiency.

“What we’re trying to do is force more of a business conversation,” says Buffomante. That is, organizations should define the landscape of key business drivers — is it driving revenue? Controlling costs? What are the mission-critical, crown jewel assets? What would happen if those were compromised in some way? “Those are the starting points that can bridge the gap and start a conversation.”

A Five-Pronged Approach to Combat Cyber Fatigue

The KPMG report offers a five-pronged approach for organizations to combat the symptoms of cyber fatigue:

1) Make measured investments in cyber capabilities based on risk: Risk has to be quantified based on breach likelihood and corresponding business impact. Then, decision-making must be linked to the amount of risk the business is willing to assume.

2) Regularly measure the effectiveness of your security investments: This includes assessments of the true, total costs (beyond hardware and software to less tangible elements such as those tied to third-party service contracts) as well as a detailed capabilities model that is reviewed regularly.

3) Develop and align the right cyber risk management model: This incorporates fundamental cyber security practices as well as your risk tolerance, and should align to your larger enterprise risk management framework to help ensure consistency in measuring and reporting risks.

4) Continually update your model to reflect emerging threats: Cyber should be accepted as a systematic business issue that will need ongoing funding to address, adding new capabilities as the need arises. This shifts the focus from a technology spend to an innovation spend that facilitates corporate growth and can evolve fluidly as business models dictate.

5) Build and promote a risk-aligned security organization: One of the important, but often overlooked, aspects is building and continually developing a risk-aligned culture in the security team and the larger organization. This often entails a transformation that shifts the focus from security projects and activities to risk mitigation initiatives.

CISOs: Spend Smarter on Cyber With a Seat at the Table

Cyber fatigue can fester when CISOs aren’t driving toward the necessary conversations and the business just sees cyber teams as slowing it down.

“There needs to be a reframing, where CISOs proactively reach out to businesses and understand what their key priorities are, and business folks are open to it and invite IT and cyber to be part of these decisions,” says Buffomante, adding that cyber should really be part of a business innovation budget, not just a percentage of the IT budget. “The leadership teams all want a higher level of reporting — if you approach them in the right way, in their language, they’ll embrace the conversation.”

From a tactical perspective, there are several things CISOs should be doing to help combat cyber fatigue in their organizations, including gathering their real spend data; doing a technology portfolio rationalization exercise to demonstrate ROI; and taking a hard look at the skills that currently exist in the organization.

“The right operating model, for example, might be security architects and engineers spending more time with the business and not have them doing third-party vendor risk assessments, which is more commoditized work,” says Buffomante.

The bottom line: Combatting cyber fatigue isn’t about spending less, but spending smarter, moving the value proposition away from fear and uncertainty to “better, faster, cheaper.” With a different model in place, says Buffomante, the CISO can go to the board and say, ‘These are the services we provide for the business — these are high value and ones that mitigate risks. In other cases, for less strategic areas and based on our risk tolerance, we are going to accept this risk, or potentially transfer some of it via cyber insurance.’ “That’s the kind of conversation the board wants to have,” he says.