
Today’s crisis in Ukraine highlights the Security Investment Paradox

A Ukrainian serviceman watches DPR rebel positions from a trench at the contact line near the village of Svitlodarsk, in Donetsk region, on February 14, 2022. Today’s columnist, Sam Curry of Cybereason, says that CISOs need to use the Ukrainian crisis as an opportunity to show top management that they are businesspeople capable of having a mature ...

We talk in cybersecurity of the gap between security and the business: how security people don’t speak the language of business, and how business managers see security people as, at best, hobbyists. The most mature organizations have bridged that gap; they tend to be large enterprises and government entities that have worked hard to close it. And this is exactly where what we call the Security Investment Paradox appears: the fundamentally opposed requirements of good business management on one side and of building reliable, secure services on the other.

CFOs talk about how capital has two states: inert, like a gold brick that doesn’t do much, or invested in a machine that produces more money. Think of it as the financial equivalent of matter and energy. And when a CFO is entrusted with a machine, efficiency becomes the order of the day: removing redundancies, tuning the machine, making it a better machine for making money. That translates into human efficiencies, cost savings, lean management, and removing waste everywhere, from sales to R&D and from G&A to IT. Then security arrives.

CISOs exist to introduce inefficiencies; it’s core to the job. Eliminating single points of failure means redundancy, and redundancy means higher costs. If the company has one supplier, get two. Not one data center, but two or three. Not one person for a key function, but many. To an immature company, security is a tax or the office of “No”; to a mature one, security becomes the margin killer that makes the machine less efficient. If a CISO asked to reduce gross margin by 5% to improve resilience against very rare disasters such as tsunamis or invasions, the average CFO would say “we’ll accept that risk.” That is the Security Investment Paradox.

Right now, companies with a direct presence in Ukraine, or with a supply chain that touches Ukraine, are scrambling to put redundancies in place. This isn’t fear, uncertainty, and doubt (FUD) wielded as a clumsy and ineffective tool by CISOs in immature organizations; it is very real for every company and for every government agency and department. In these kinds of crises, CFOs and peer executives loosen the purse strings to buy redundancy and accept inefficiency, because the once remote threat of a widespread war has become far more likely. The risk equation has changed.

The only question that remains, in government leadership circles and boardrooms alike, is whether the paradox gets resolved after the risk recedes, as one day it will with the Ukraine crisis, one way or the other. Will the gains in redundancy, and the inefficiencies that come with them, persist when we turn swords into plowshares?

We sincerely hope that in this moment of unity in the face of disaster we can reach a better compromise. Sadly, the record shows that over time the balance between making the money-making machine more efficient and keeping it resilient in the face of disaster has consistently tilted toward efficiency; the Security Investment Paradox has rarely been resolved in resilience’s favor. We need to try harder after this disaster when preparing for the next, which brings us back to the gap between security and the business.

For those still in the early stages of the security journey, use every crisis and disaster to bridge the gap and partner with the business. For those who are already mature, don’t just bridge the gap; cross it. Use today as an opportunity for the organization to see the CISO as a businessperson first, one who can hold a mature dialogue about the balance between efficiency and redundancy. To borrow a line widely attributed to Winston Churchill toward the end of World War II: “never let a good crisis go to waste.”

Sam Curry, chief security officer, Cybereason

Sam Curry

Sam Curry is a 30-year veteran of the cybersecurity industry. He began his career in signals and cryptanalysis and was the first employee at Signal 9 Solutions, a small start-up that invented the personal firewall, executed the first commercial implementation of Blowfish, and devised early stealthy (symmetric-key) VPN technology that was ultimately sold to McAfee. Sam went on to serve as Chief Security Architect and as head of Product for McAfee.com before holding several positions at RSA, including Head of RSA Labs at MIT, Head of Product, and CTO, as well as Distinguished Engineer for EMC. After seven years with RSA, Curry served as SVP and CISO at MicroStrategy, as CSO and CTO for Arbor Networks before it became NETSCOUT, and as CSO for Cybereason.
