This headline was in the news a few weeks ago: “Hackers are passing around a megaleak of 2.2 billion records”.
Headlines like this are common in the cybersecurity space. What isn’t so common is to think about how such messages influence how potential victims feel about cybersecurity, and how security professionals approach their very own value chain.
Technology users see cyber threats as economic disablers and cybersecurity as an economic burden. Numbers like those above are so massive, they make readers feel helpless from the outset, as though they can do nothing. Such headlines and numbers are disempowering.
Cybersecurity professionals, on the other hand, feel obliged to frame their work and services in terms of the economic value they help to protect, without realizing that the economic value that they also create, both directly and indirectly, in this way goes unnoticed.
As a result of these dynamics, the easy strategy pursued by many in the cybersecurity business is to amplify the perception of threat – otherwise known as employing scare tactics.
Yes, it’s true that there are serious attacks leading to massive losses of value. Some computer network operations have disrupted democratic processes, paralysed critical infrastructure and led to gigantic heists. This is indeed worrying, by all standards. And the news should indeed report on these cases.
Lately, however, it is increasingly becoming common practice to stretch the facts a little too far, to exaggerate figures and threats, to jump to conclusions a tad too quickly, for personal, business, political and even military interests or reasons.
What happens then? A vicious circle develops: with each new alarmist security item, potential victims feel that much more insecure, helpless and unconcerned, thereby paving the way for more successful attacks and more alarmist news …
Is this exogenous growth model sustainable? Obviously not.
Cybersecurity is a shared responsibility and the weakest link is too often the human factor.
We need everybody to care. Here are five ways to change the narrative:
Cybersecurity is a competitive differentiator
Cybersecurity can be a competitive advantage. And not just for companies in aerospace or nuclear engineering. It’s a top priority for retailers, for instance, as highlighted in this recent study. Customers, partners and even employees will increasingly choose a company with a better security track record.
How can this narrative be better conveyed by cybersecurity professionals?
A bit of theory helps. Convincing companies to invest in cybersecurity corresponds, in economic terms, to increasing their willingness-to-pay (WTP) above the price of the investment.
For instance, when a company is reluctant to undergo a security certification such as ISO 27001, cyber professionals could easily inflate the perception of threat with worrying statistics and commercials to spur the company’s WTP for that certification. Or they could cut the price. The first option is not so ethical, the second not so profitable.
Why not consider that a low WTP may be the result of a lack of time, manpower, business culture, priorities? Determining what these considerations are can help produce a win-win, such as proposing a fast-track certification or cutting on the number of full-time equivalents required from the company to support the certification process.
And how can security providers determine what factors in their clients’ WTP? That’s simple: by asking what a target audience cares about, by engaging in a conversation about drivers and obstacles, cybersecurity professionals can produce better-targeted business strategies that can help derive direct value from security investments.
Surveys, or asking a few quantitative questions of many customers, are simple means by which to better understand general trends in quantitative terms. Focus groups are a great way to get qualitative feedback, and hackathons are a good example that is increasingly used in the cybersecurity industry.
And there are other solutions, like analysing customer behavior or inferring customer priorities through conjoint analyses. The common thread in all these techniques is that that they put the customer at the heart of the discussion and at the heart of the solution. This is what we want in cybersecurity.
You are part of the solution
By putting customers at the heart of the process, cybersecurity professionals help empower the companies they support. Security is a culture that modern organizations need to embrace bottom-up and top-down.
A corporation without a chief information security officer sitting on the executive committee is a corporation at risk. Security is a mindset that should be required of every single employee in the company. Too often, there is reluctance to create a security culture because it is associated with risk-aversion. This need not be the case. Security is never about not moving forward or not taking risks. On the contrary: it is about moving forward and taking risks while remaining conscious of what is at stake. An inherent security mindset helps employees and managers take better decisions.
Too often, we cybersecurity professionals see decisions taken on the basis of poor security judgment, whether it concerns a merger without conduct of due care and diligence, or foregoing an acquisition owing to a flawed perception of threat, potentially exaggerated by the press.
With the explosion of fake news, a fine understanding of one’s risk profile and conducting a granular risk assessment prior to taking important decisions are some of the paths along which security professionals must guide their clients.
Cybersecurity is a process
Another reason why many companies under- or over-invest in cybersecurity is because they are still led to believe that turnkey solutions exist. They don’t.
Whatever cybersecurity vendors may argue, no protection device can secure an organization entirely. Nor is security a service that can be fully outsourced. Even SMEs that do not have the resources to insource a security operations centre and resort to a service provider must have a security mindset when doing so.
Security is a journey, not a destination. It is a cat-and-mouse game: attackers constantly improve their techniques to find innovative ways into systems. Logically, defenders must constantly improve their techniques to keep them out.
This paradigm often gives the impression that security is a black hole, that no matter how much an organization invests, it can always invest more.
This does not have to be the case: cybersecurity professionals can gradually empower their clients to independently assess their risks and determine what investments are needed, in terms of the resources available. Some risks will indeed need to be mitigated, while others can simply be reduced or transferred, and a few accepted.
Furthermore, if indeed cybersecurity is going to cost, why not look at ways to leverage these investments to create direct value? Companies with sound cybersecurity programmes can provide security services to other firms within their supply chain or ecosystem, negotiate better premiums with insurance companies, or leverage the trust developed over time with partners and customers to derive new business models such as platforms.
Cybersecurity is possible
The vast majority of victims fall for lack of due diligence and due care, not because a foreign superpower leveraged half a dozen critical vulnerabilities to bypass their defences…
The fact that cybersecurity originates with computer and network security, means that it has a very strong technical connotation to non-experts. Indeed, there are multiple elements of the cybersecurity ecosystem that are quite technical. Nevertheless, these are not necessarily complex: there is indeed a shortage of skills in cybersecurity, but technological complexity is probably not the main reason. The fear narrative might actually be a more plausible cause.
The main problem is the lack of processes embedding cybersecurity across the different layers of organizations. The legal department, the media department, the finance department: every part of the organization plays a role in the security posture.
Developing a cyber governance programme is not rocket science. Having a cyber crisis management plan does not require years of research and development. It can be done in a few days or weeks.
Senior decision-makers who do not know enough about cybersecurity can no longer be taken as evidence of the fact that cyber is an obscure discipline. They are evidence of a lack of responsibility. There are hundreds of opportunities for everyone, at all levels, to learn about cyber: from kids to citizens to politicians.
The World Economic Forum established the Centre for Cybersecurity to force-multiply initiatives and offer a global, neutral, public platform of opportunities. Our role is really to help organizations help themselves – because we truly believe they can.
Cybersecurity is a positive word
Lastly, the one key reason organizations are still reluctant to be open about their security postures is a concern it will make them prime targets for vengeful hackers. This is an outdated fantasy: hackers no longer live in a garage and hack companies to inflate their reputation.
Nowadays, attackers go after money and data, not press and praise. Why would they go after a company if its security posture is acknowledged to be high when that of competitors is low?
Security through obscurity, as this is called, is a notoriously bad practice. Being outspoken about one’s security investments can be a powerful deterrent.
What this implies is trust: trust from the CEO, and potentially the board, that security investments have been thought through and that the company is not going to fall for a simple attack. Such trust is gained through interactions between the security teams and the rest of the organizations, gradually materialized in processes. In this light, pushing for cybersecurity to be part of an organization’s communication narrative helps to create the internal culture.
Cybersecurity is a fascinating discipline at the intersection of technology, policy and business – a discipline that is vital to the Fourth Industrial Revolution.
It should not be a source of fear. It should be a source of hope.
Cybersecurity is a positive word. Use it that way.
This article was first published in the World Economic Forum.
Adrien is a Project Lead on Cyber Resilience at the World Economic Forum Centre for Cybersecurity.
Check out My543, our comprehensive report card of all Lok Sabha MPs.