Improve Cybersecurity with this One Simple Trick!


There are myriad factors at play that reduce, diminish, and outright subvert cybersecurity efforts, but none is more insidious or successful than how the very industries that defenders are trying to protect treat both their customers and their workforce.

Wait, you said “the industries defenders are trying to protect” and not “adversaries” or “threat actors.”

That’s right.

I don’t understand.

Tell me if any of these events ring any bells:

  • The Homestead Strike
  • Enron Collapse
  • The Haymarket Affair
  • WorldCom Collapse
  • The Tyco Scandal
  • The Battle of Blair Mountain

Enron and WorldCom you’ve probably heard of, at least if you’re of a certain age. They were MASSIVE cases of fraud. Enron and Tyco are among the few modern cases of corporate shenanigans where the perpetrators of the fraud actually went to prison, but while an ex-con executive can rebuild their life, the same can’t be said for the rank and file, many of them in middle age, who were left back at square one, financially speaking.

Homestead, Haymarket, and Blair Mountain are probably not familiar to you because they’re not major topics in any high school history class (unless maybe you grew up in coal or oil country). Without getting too far into the weeds, even though it is Labor Day, just understand that rather than pay a fair wage, show any regard for the health and safety of their workers, or otherwise be decent human beings, corporations would literally rather go to war with their own employees.

That’s all well and good, but modern companies don’t behave that way. They could never get away with treating people like they did in the olden days, grandpa.

Oh?

My point is that for all the feel-good talk a company may offer regarding security, it is almost certainly the last thing on anyone’s mind. At least for anyone who doesn’t have “security” in their job title. Business leaders are evaluated on business terms: revenue, profit, share price. Notice what’s not in that list. Nobody cares about what the CISO cares about, and what the CISO cares about usually just annoys or angers everyone else. You want a six- or seven-figure spend on security software, services, and headcount? That sounds like a whole lot of overhead that adds nothing to the bottom line.

But a lot of companies are required to…

They’re obliged to meet a minimum standard. No more, no less. Why do you think risk management and compliance are so popular in corporate circles? Because you can’t go wrong checking a box. Something went sideways? Look for liability somewhere else: we were fully compliant.

Cybersecurity is simply not the issue we (in cybersecurity) think it is.

Improving cybersecurity doesn’t depend on what your tech or security stack looks like, what vendors you’re using, or how many letters come after your name. It requires that the organization align incentives between and across business units. If a profitable AND verifiably secure enterprise is a CEO’s rating bullet, you can bet security is going to get a boost in budget, authority, and a greater voice at the table. If making a production quota without suffering a single security policy violation were one of the factors that made up a COO’s bonus, you can bet they would become your best new work buddy.

The operative word in “secure enterprise” is “enterprise.” If everyone isn’t working toward the same goals, the goals that are tied to rewards are the ones that will get priority. That’s what the market wants, and what the market wants, the market gets.