We talk in cybersecurity of the gap between security and the business: security people don't speak the language of business, and business managers see security people as, at best, hobbyists. The most mature organizations, most commonly large enterprises and government entities, have worked hard to bridge that gap. And this is where what we call the Security Investment Paradox appears: the fundamentally opposed requirements of good business management on one side and building reliable, secure services on the other.
CFOs talk about how capital has two states: inert, like a gold brick that doesn't do much, and invested, like a machine that produces more money. We look at this as the financial equivalent of matter and energy. When a CFO is entrusted with a machine, efficiency becomes the order of the day: removing redundancies, tuning the machine, making it a better machine for making money. This translates into headcount efficiencies, cost savings, lean management, and removing waste everywhere from sales to R&D and from G&A to IT. Then security arrives.
CISOs exist to introduce inefficiencies; it's core to the job. Eliminating single points of failure means redundancy, and redundancy means higher costs. If the company has one supplier, get two. Not one data center, but two or three. Not one person for a key function, but several. Security isn't just a tax or the office of "No," as an immature company sees it; security becomes the margin killer that makes the machine less efficient. If a CISO asked to give up 5% of gross margin to improve resilience against very rare disasters like tsunamis or invasions, the average CFO would say, "we'll accept that risk." That is the Security Investment Paradox.
Right now, companies with a direct presence in Ukraine, or with a supply chain that touches Ukraine, are scrambling to build redundancies. This isn't fear, uncertainty, and doubt (FUD) being wielded as a clumsy and ineffective tool by CISOs in immature organizations; it's very real for all companies and for government agencies and departments. In crises like this one, CFOs and their peer executives loosen the purse strings to gain redundancy and take on inefficiency, because the once incredibly rare threat of a widespread war has become far more likely. The risk equation has changed.
The only question that remains, in government leadership circles and boardrooms alike, is whether the paradox gets resolved once the risk recedes, as one day it will with the Ukraine crisis, one way or the other. Will the gains in redundancy, and the inefficiencies that come with them, persist when we turn swords into plowshares?
We sincerely hope that in this moment of unity, in the face of disaster in our world system, we can reach a better compromise. Sadly, the record shows that over time the balance has tipped toward making the money-making machines ever more efficient at the expense of their resilience in the face of disaster. We need to try harder after this disaster when preparing for the next one, which brings us back to the gap between security and the business.
For those still in the early stages of the security journey, use every crisis and disaster to bridge the gap and partner with the business. For those who are already mature, don't just bridge the gap; cross it. Use today as an opportunity for the organization to see the CISO as a business person first, one who can hold a mature dialogue about the balance between efficiency and redundancy. To cite a line often attributed to Winston Churchill toward the end of World War II: "never let a good crisis go to waste."
Sam Curry, chief security officer, Cybereason