Why You Are Likely Underinvested in Cybersecurity

By Randy Rose, Director of Cybersecurity, Tasman Global

In June 2017, Alex Blau of ideas42, a behavioral science research firm, wrote a compelling piece for Harvard Business Review on the behavioral economics behind the continued underinvestment in cybersecurity by business executives[1]. His article sums up the four principal findings of a year-long research project conducted by his team, and recommends the following strategies for Information Security Officers and their teams to overcome them: appeal to the emotions of financial decision makers; replace your CEO’s mental model with new success metrics; survey your peers to curb overconfidence; and focus on breaking into your own system.

Interestingly, these four recommendations are precisely in line with the philosophy of Tasman Global’s Cybersecurity Division. Alex’s team spent a year gathering data and identified direct connections between the lack of serious investment in cybersecurity and commonly identified patterns of human behavior as studied by psychologists. Our team is comprised of industry experts who have been gathering similar metrics over the course of many, many years while honing their skills in mission-critical defense and intelligence environments. While digesting Alex’s article, we recognized that the same general findings were pervasive across all sectors, including government, military, and healthcare, when it came to investing in highly technical areas, especially cybersecurity. Executives make decisions based on risk, not on technical data tucked away in a network packet or on the changes made to a system registry following an upgrade. Therefore, our team specializes in translating technical detail into business risk, tailored to your organization’s specific strategic objectives, and in buying down overall risk using the tools and people that are already on your team.

Much like ideas42, we have interviewed executives, engineers, IT and network administrators, security staff, end users, and even patients to gather their perceptions of the state of cybersecurity in healthcare systems. We identified the following cultural concerns that impact an organization’s security posture:

  • Key leaders are not educated in the basics of cybersecurity;

  • Key leaders are uninformed about cybersecurity processes, procedures, and technology within their own organizations;

  • Data supporting key decision making is often too verbose, laden with jargon, and does not connect the issues to operational impact;

  • There is a lack of understanding in what is important (i.e., if everything is a priority, nothing is a priority);

  • There is a lack of clarity in how the technical data ties to actual risk;

  • Key leaders overestimate their security posture;

  • Cybersecurity is seen as the IT Department’s problem (i.e., the CISO works for the CIO rather than at the same level as the CIO);

  • There is a lack of understanding of cyber threats and their impact;

  • Cybersecurity is not recognized as a continuous process;

  • Executive leadership has difficulty justifying the provision of funds for such an intangible phenomenon; and

  • Cybersecurity is viewed as a technology problem, when, in reality, it is much more.

Chances are your organization suffers from one or more of these problems. In many cases, even organizations that recognize they have a problem are unable or unwilling to invest in fixing it. Indeed, the 2016 HIMSS Cybersecurity Survey revealed that respondents ranked the importance of an organizational cybersecurity strategy as high, while ONLY 23% of healthcare organizations have an ongoing, consistent risk-management program.

We believe in a holistic approach to cybersecurity that accounts for the misconceptions of executives and of the many other people who influence the factors that shape a good cybersecurity strategy. Our solutions are tailored to each organization, based on a business risk analysis, unique budget constraints, pre-existing information and security technology and processes, personnel, and organizational priorities. Cybersecurity is not a technology problem; it’s a multi-disciplinary one.