When 'No' & 'Good Enough' Challenge Cybersecurity

COMMENTARY

In the realm of cybersecurity, the path to securing necessary resources often is strewn with obstacles, chief among them hearing the word "no." This response is not just about budgets, although financial constraints play a significant role; it's also about convincing leadership of the indispensable value of comprehensive cyber defense strategies. The reality is, every chief information security officer (CISO) will, at some point, face pushback — be it from a chief financial officer (CFO) who is skeptical about the return on investment of a new cyber platform, or a CEO who underestimates the vulnerability of the enterprise, believing a "good enough" EDR or SIEM solution will suffice.

However, the reliance on "good enough" in cybersecurity is a precarious stance at best. In physical security terms, it's akin to leaving the doors unlocked in a neighborhood where break-ins are rampant. These vulnerabilities are not novel; organizations have struggled to protect against them for decades. Weak passwords and phishing scams have persisted as root causes of security breaches because we have failed to effectively remove shared secrets from the process of verifying users, and social engineering makes it easy to reset or steal credentials.

Advanced cybersecurity capabilities aren't just technological upgrades; they're essential defenses against increasingly sophisticated attacks. Without the right tools and resources, organizations — especially those handling vast amounts of data — become significantly more susceptible to cyber threats. The aftermath of a "no" can be dire, transforming potential threats into real, often headline-making data breaches.

Influencing the Organizational Mindset

The challenge, therefore, for CISOs is not only in navigating the immediate impact of these refusals but also in influencing the broader organizational mindset toward cybersecurity. It's about painting a vivid picture of the potential consequences of inadequate defenses and advocating for the investments that are necessary to mitigate the risks. One recent and high-profile example was a mistaken $25 million payout by a finance worker after being duped by a deepfake video. Very costly errors like this are also why it's essential to recognize when an impasse may signal a deeper misalignment with an organization's values and priorities. In such cases, a CISO could find themselves exploring career opportunities elsewhere, whether by choice or by necessity. In either case, you'd want your new environment to be more receptive to and conducive of proactive cybersecurity practices.

That said, even the most forward-thinking leaders may face genuine budgetary constraints that can limit cybersecurity spending. In these situations, strategic risk management becomes crucial. CISOs must work closely with executive leadership to identify areas where some risk is acceptable, and other areas where it's not.

Reflecting on this, a notable moment from my own personal career came when we identified a gap in our security capabilities due to the absence of advanced tooling in our product infrastructure. Despite initial budgetary concerns from the CFO about the impact on cost of goods sold (COGS), we engaged in constructive dialogue, emphasizing the long-term benefits, such as foundational security protections, compliance with emerging standards, enhancing customer trust, and reinforcing our brand's reputation. By presenting the investment as a proactive measure for business growth and risk mitigation, rather than just an additional cost, we shifted the perspective.

This approach led to a unanimous decision to upgrade our security infrastructure, marking a significant stride in our commitment to cybersecurity. Documenting these decisions is vital, creating a paper trail that not only delineates agreed-upon risks and vulnerabilities, but also shares accountability. This narrative serves as an essential reference, underscoring the collective responsibility for cybersecurity decisions along with their outcomes.

The journey of a CISO in advocating for robust cybersecurity measures is complex, marked by negotiations and strategic compromises, and sometimes resulting in the exploration of new career opportunities. The key lies in persistent advocacy for comprehensive security strategies, strategic risk management, and, when necessary, the courage to seek alignment in environments that prioritize cybersecurity. As the digital landscape evolves, so must our approaches to securing it, ensuring that "no" becomes an impetus for innovation and dialogue, rather than an insurmountable barrier.