Parallels across industries make this author think a reckoning is coming.
Completely as an aside, I’ve been casually looking at new SUVs, and I’m particularly interested in some of the advanced safety features that recent models have to offer. From automatic braking to lane-crossing warnings, these features make a lot of sense for someone who commutes 35,000 miles a year like I do.
I visited one local dealership, eager to see a unit that had the active safety package in which I was interested. The color was hideous—there’s no way I would have purchased it—but the salesman and I got to talking. He was intent on selling me a less expensive trim level (in the color I wanted) that didn’t have the active safety features I specifically sought.
Once he realized that I wasn’t going to be talked out of the safety package and we could just have a conversation, I asked him why there were so few units available with this particular set of additional features. He looked down at the ground, then up toward the sky, and finally shrugged his shoulders.
“Nobody wants to pay for safety, son,” he said candidly.
Initially, I was surprised. Four years ago I was in a car accident that would have been avoided (or at least mitigated) by the technology I am so eager to buy. I can’t see purchasing my next automobile without it, given the ubiquity of these features today. As I was thinking, “Why wouldn’t people want these kinds of safety features,” it hit me. It’s the same thing I’ve heard over and over again in meetings and when talking to fellow vendors at conferences. Everyone wants safety and security—they just don’t want to pay for it.
At this point, I’ve literally lost count of the number of companies—both big and small—that I’ve spoken with that “don’t have the budget for new tools,” or “already have all the security we need.” Fast forward anywhere from three to twenty-four months, and many of those very same companies have been in the news offering free credit monitoring services to the thousands (or millions) of customers that have been compromised by their cavalier attitudes toward the safeguarding of your personal information. They’re facing extensive fines, loss of stock value, and numerous lawsuits, all of which cost far more than any vendor’s solution.
New stories of compromised companies are in the press weekly, and the public is becoming inured to receiving breach notices. Fines stack up, lawsuits get settled, and companies go about their business of collecting your private information. With the combined loss of data from Facebook, Equifax, and the Office of Personnel Management, there’s almost nothing that hasn’t been uncovered and stolen about yourself, your family, and your friends. Yet, while market reports say the cybersecurity field is booming, no individual customers seem to actually have a budget they can use.
Conversely, security professionals often find that when clients do have money to spend on a platform that the vendor has promised will stop everything from zero-day malcode to termites, the eager purchasers often haven’t implemented the most basic of security hygiene practices first, hoping that an all-inclusive, does-everything package (it doesn’t) will take care of every security issue they might have (it won’t). A solid security plan must be multi-faceted, and it must be well funded. Full stop. Boards of Directors need to start viewing healthy security budgets as a cost of doing business and not as an albatross. The best investments a company can make are in sound cyber security hygiene practices and training, followed by sets of tools for protection and defense, and completed with other tools for investigation and remediation. However, none of this is useful without a capable, trained, and not-intentionally-overworked security staff who keeps the ship afloat.
As CIOs and CISOs, we need to invest in people, training, and tools (in that order), because you can be very sure that our adversaries are doing the same.