No ROI Means No Priority: The Fallacy of Why Cybersecurity Doesn’t Get the Attention It Deserves



For years, cybersecurity professionals and many IT specialties have lamented that our concerns don’t get enough attention and (more importantly) funding from senior management.  We complain that we’re relegated to one of many back office functions like procurement, human resources, or facilities, functions that we, ironically, treat with the same level of boredom and disdain that we feel are directed at us.  Collectively those areas and several more fall into the category of operational risk.  While they can serve as a business enabler, normally their role is to keep the company from getting sued, fined, hacked, burglarized, burned down, or fleeced.  They are typically the functions that are common to all organizations and are not the source of revenue.  Consequently, the conventional wisdom holds that they are not a priority, in part, because there is no positive return on investments in those areas; their funding is only meant to prevent bad things from happening.

While there is some truth to this logic, it misses one crucial concept.  A substantial amount of “investment” on the revenue side of the business is also devoted to preventing bad things from happening and avoiding other costs.  Companies spend millions on competitive intelligence, customer surveys, quality programs, weather forecasts, commodity prices, and similar efforts designed not to generate new business but to keep the business they already have at costs at or below what they have been historically.  And that’s because lower costs mean higher profits.  So in an era where companies are frequently criticized for boosting profits solely through cost cutting, how can we be so insistent that cybersecurity is ignored because it does not produce a positive return on investment?  After all, appropriately managing cybersecurity risks, like all other parts of operational risks, helps the organization to avoid costs.

But therein lies the rub.  Senior management is not ignoring cybersecurity because there is no return on investment.  They’re giving it a lower priority because they don’t believe investments in cybersecurity have much impact on avoiding future costs.  That’s also why compliance tends to get more attention.  If the organization doesn’t do what it is legally required to do, it gets fined, embarrassed, or worse.  Those costs are easier to foresee, and therefore funding to meet at least the letter of a regulation is provided, however grudgingly.  But let’s not forget that compliance and legal are part of operational risk, just like cybersecurity.  The general counsel is usually one of the top-ranked executives in the company despite his/her focus on issues largely divorced from generating revenue.  That’s because a compelling case has been made that spending a lot of money seeking to ensure that a company complies with the law and its contractual agreements will avoid a significant amount of future costs.

So why does cybersecurity get such a raw deal?  Could it be that the anticipated costs of a cybersecurity attack are simply not that high for some businesses?  While breaches like the one Target experienced show that cybersecurity attacks can impose significant costs on a business and lead to lower revenues, damaged reputations, and executive departures, not all companies are similarly exposed.  But that’s only part of the issue.  Unlike the legal field, there is far less consensus among cybersecurity professionals about just how much investment is required to avoid a given amount of cost.  We assert that it is complicated, with sophisticated adversaries who are constantly changing their tactics.  All professions resort to the “it’s complicated” line when they are presented with an issue that they should understand but don’t.  It’s why the most popular answer you’ll get from a lawyer is “it depends.”  That doesn’t mean that these issues are not hard.  They are.  Just start perusing a treatise on corporate taxation or the generally accepted accounting principles on the treatment of intangibles and see if your head doesn’t start to spin.  But our peers in legal and finance tend to get a lot more face time with the CEO and the Board.

So what does a lowly CISO do?  To begin, get some real data on costs.  Lawyers constantly follow court decisions and regulatory actions because their company could be next.  The costs that their peers incur often offer the best insights on what the expected costs are to their company.  And of course those same decisions offer assistance on what to do to avoid those costs.  But even lawyers hedge.  All companies must take risks.  Some economists even equate risk with profit.  That means that lawyers can never be certain that all future fines and adverse judgments can be avoided.  Sometimes the nature of the business implies some amount of legal risk.  And sometimes the benefits of taking a risk outweigh the potential costs.

None of that should be unfamiliar to a cybersecurity team.  And yet it seems we fumble the message to the top.  Leadership wants a clear and concise explanation of the risks and their future costs, with the understanding that there is no certainty.  They want to know what their peers are doing about it and how much an investment will likely lead to avoidance of higher costs or even a reduction in costs currently incurred.  That’s what they expect from all their line and functional managers.  Cybersecurity should not be any different.  Of course, in the end, the CISO may discover that the likely impacts associated with the cybersecurity risks that the company faces don’t rise to the level that business lines or some other functional areas face.  But that’s not so bad.  It just may mean that the next cyber attack won’t cost you your job or bankrupt the company.  Given the inevitability of breaches these days, being underfunded is hardly the worst possible scenario.  And if it is, there’s bound to be a stressful and career-limiting CISO job opening up somewhere.


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
