The ever-present threat of cyber attacks is taking its toll — not simply on security budgets, but on the psyches of business and IT executives, as well as employees. The constant vigilance against potential breaches has resulted in a rising chorus of “cyber fatigue” permeating boards that are tired of revisiting cybersecurity issues over and over again, with constant pleas from IT leadership for more money and bandwidth.
In a world where IT leaders admit a breach is no longer a matter of “if” but “when,” and avoiding negative PR is paramount for success, C-suite executives have begun to throw up their hands in exhausted surrender — as there seems to be no end in sight.
Organizations, however, can wake up to a better way: According to a new KPMG report, “How to Bounce Back from Cyber Fatigue,” a new model is needed to transform cybersecurity strategy from one that is draining and reactive to one that’s energized and proactive. Moving beyond the mantra of “fix and spend,” executives should work to maximize the value of security investments in alignment with business priorities.
Shifting the Cyber Conversation: From Tactics to Business Understanding
It isn’t the focus on cyber or the spend to fix security issues that needs to change, emphasizes Tony Buffomante, Principal and US Leader of KPMG’s Cyber Security Services practice. Instead, it is the nature of the conversation that requires a serious shift.
“We’re not saying that cyber is not important, or that spending should stop,” he says. “We’re really talking about the fatigue felt in the boardroom.” After the famous Target breach of three years ago, he explains, there was a flood of new discussion and dialogue between CISOs and boards. The result was typically a focus around technology, tactics and point solutions, which didn’t necessarily link to the business as a whole. “This drove a broader disconnect between cyber and the business in terms of what was really important,” he says. “Directors now say, ‘I thought we were done with this, didn’t we fix this?’”
Today, CIOs and CISOs need to connect the cyber dots to what is really important to the business, Buffomante explains. Asking for another $5 million? The board needs to understand how that spend affects the overall corporate strategy, such as expansion plans, and how it helps the organization mitigate the risks to meeting its goals and objectives.
“These are business conversations that, frankly, legacy cybersecurity leadership practitioners aren’t always comfortable having,” he says. “They’re comfortable with the bits and bytes, but not about how to be part of the solution in bringing a medical device, for example, to market in the best way.”
Typically, an organization has a security breach, or receives an avalanche of funding, and suddenly there is a large list of tactical projects to knock off, but the work is done in a vacuum. Instead, frameworks should be built to weigh and score projects by their ability to reduce threats and risks, align with business priorities, and improve efficiency.
“What we’re trying to do is force more of a business conversation,” says Buffomante. That is, organizations should define the landscape of key business drivers — is it driving revenue? Controlling costs? What are the mission-critical, crown jewel assets? What would happen if those were compromised in some way? “Those are the starting points that can bridge the gap and start a conversation.”
A Five-Pronged Approach to Combat Cyber Fatigue
The KPMG report offers a five-pronged approach for organizations to combat the symptoms of cyber fatigue:
1) Make measured investments in cyber capabilities based on risk: Risk has to be quantified based on breach likelihood and corresponding business impact. Then, decision-making must be linked to the amount of risk the business is willing to assume.
2) Regularly measure the effectiveness of your security investments: This includes assessments of the true, total costs (beyond hardware and software to less tangible elements such as those tied to third-party service contracts) as well as a detailed capabilities model that is conducted regularly.
3) Develop/align the right cyber risk management model: This incorporates fundamental cyber security practices as well as your risk tolerance, and should align to your larger enterprise risk management framework to help ensure consistency in measuring and reporting risks.
4) Continually update your model to reflect emerging threats: Cyber should be accepted as a systematic business issue that will need ongoing funding to address, adding new capabilities as the need arises. This shifts the focus from a technology spend to an innovation spend that facilitates corporate growth and can evolve fluidly as business models dictate.
5) Build and promote a risk-aligned security organization: One important but often overlooked aspect is building and continually developing a risk-aligned culture in the security team and the larger organization. This often entails a transformation that shifts the focus from security projects and activities to risk mitigation initiatives.
CISOs: Spend Smarter on Cyber With a Seat at the Table
Cyber fatigue can fester when CISOs aren’t driving toward the necessary conversations and the business just sees cyber teams as slowing it down.
“There needs to be a reframing, where CISOs proactively reach out to businesses and understand what their key priorities are, and business folks are open to it and invite IT and cyber to be part of these decisions,” says Buffomante, adding that cyber should really be part of a business innovation budget, not just a percentage of the IT budget. “The leadership teams all want a higher level of reporting — if you approach them in the right way, in their language, they’ll embrace the conversation.”
From a tactical perspective, there are several things CISOs should be doing to help combat cyber fatigue in their organizations, including gathering their real spend data; doing a technology portfolio rationalization exercise to demonstrate ROI; and taking a hard look at the skills that currently exist in the organization.
“The right operating model, for example, might be security architects and engineers spending more time with the business, and not having them do third-party vendor risk assessments, which is more commoditized work,” says Buffomante.
The bottom line: Combating cyber fatigue isn’t about spending less, but about spending smarter to move the value proposition away from fear and uncertainty toward “better, faster, cheaper.” With a different model in place, says Buffomante, the CISO can go to the board and say, ‘These are the services we provide for the business — these are high value and ones that mitigate risks. In other cases, for less strategic areas and based on our risk tolerance, we are going to accept this risk, or potentially transfer some of it via cyber insurance.’ “That’s the kind of conversation the board wants to have,” he says.