Where should we be on the spectrum between unlimited spending on cybersecurity and doing nothing at all?
By Joseph McCafferty
December 7, 2016
Many companies are struggling with how much risk to take, if any, when it comes to cybersecurity. Some are spending vast sums on security measures to protect their data, and yet they still have hacks and breaches. It's enough to make those responsible for information security at such companies want to throw up their hands and say, "we give up."
It doesn't have to be that way, says Norman Marks, a risk-management expert and former chief audit executive at several large companies. During a keynote address at the IT Audit and Controls conference taking place in New Orleans this week, Marks attempted to answer the question: "How much cyber-risk should I take?" The answer, says Marks, is different for every company, of course. Yet he says many companies haven't answered this question for themselves or they may be going about finding the answer the wrong way.
According to Marks, companies must always accept some cyber-risk, since they can't spent unlimited resources to secure their data. On the other side of the spectrum is doing nothing at all and taking massive risk on cybersecurity. Striking the right level of protection and contributing the resources needed to achieve it requires some soul searching on the part of companies to develop an understanding of just how much cyber-risk they are willing to take.
One of the main messages of Mark's talk is that companies spend too much time focusing on the weaknesses and getting them fixed, without making the cost/benefit determination or deciding if fixing the vulnerability isn't a wise business decision. "We have to run IT audit as part of the business. Simply because we identify a vulnerability doesn't mean we need to spend a million dollars to fix it," says Marks. "Only do more when it is justified on business grounds. Is the solution giving the return on investment that claims to?"
Marks says IT audit can provide more value not by just flagging those weaknesses, but by giving senior management the information it needs to make better businesses decisions about accepting or managing cyber-risk. "IT audit can bridge the word of the business and the IT group. Help the business people understand the situation. How much it would cost, how much it would reduce the risk, and what the opportunities are. We can also help the IT folks what the solution would do to the whole business, not just the IT department."
The Business Case for Cybersecurity Spending
He says companies can't afford to respond to every threat without thought of the expense. "Who could afford to monitor all these threats and then to take action to defend against them? Not many. Companies should think more about outsourcing some of the cybersecurity efforts," says Marks. Sometimes the measures we put in place would cost more than the threats they are attempting to defend against.
In fact, Marks says taking a more cost conscious approach to cybersecurity can unlock value and opportunity. "We can't hold our company back from taking risk when it makes sense to take risk. We have to help them make the right business decisions. What are the risks of doing nothing? What are the alternatives? Will the measure I spend on reduce the risk enough?"
To drive home the point, Marks ended with an old adage: The person who always seeks to avoid failure will never find success. "These vulnerabilities are exploding all the time. Realize that you can help the business understand the risk they are creating, what they can do about it, and whether and when to move forward with new technology," says Marks. "All comes down to dollars and sense because that's how we run the business."
Joseph McCafferty is head of audit content for MIS Training Institute. He can be reached at firstname.lastname@example.org.