Many current approaches to improving cybersecurity are failing to provide adequate levels of protection. The common perceptions are that it is a technical problem, that it is best handled by IT, or that it is an IT expense with poor ROI.
These perceptions result in poor engagement with executives, unproductive exchanges and unrealistic expectations. Ultimately, they lead to poor decisions and poor outcomes.
Cybersecurity is also treated as a black box.
Many executives neither understand nor appreciate it, so their approach falls into one of three patterns: minimum compliance, matching the industry standard, or full coverage. All three are mistaken. Regulation prevents organizations from ignoring cybersecurity, but it has also encouraged box-checking as a substitute for decision making: it pushes executives to spend money where they may not need it and keeps them from investing where they should.
Industry comparison is another trap. Different companies, even in the same industry, may be in different phases of growth, of different sizes, in different geographies, and have different risk appetites. Every organization has its own business context and must look at cybersecurity within that context. Full coverage, finally, is a misnomer. The purpose of a security program is not to protect the organization against every threat, because that is an impossible goal. The purpose of a security program is to balance the need to protect with the need to run the business. A blank check written in place of executive engagement wastes money, harms outcomes and shifts the blame to the CISO.
The modern approach to cybersecurity is a risk-based approach. It acknowledges that risk is inevitable, so the business should accept risk in measured doses in support of its goals. Organizations should quantify their risks and clearly articulate their risk appetite, which in turn guides their cybersecurity investment. All of it within the business context!
The urgency to treat cybersecurity as a business decision has never been greater. Executives can delegate the implementation of cybersecurity to the CIO or CISO, but they should not delegate the responsibility for it. And organizations now have the understanding and the tools to do so.
(The article is written by Sharad Gupta, CTO, Clix Capital)