Large firms with multi-million IT and security budgets should not end up in the mess we have seen with recent ransomware incidents. Period.
Recent ransomware incidents at Travelex in the UK and Bouygues in France profoundly challenge the way cyber security is being managed in many large firms. And they add their names to an ever growing “hall of shame” which already includes British Airways, Marriott, Equifax and – sadly – countless others.
Large firms with multi-million IT and security budgets should not end up in that mess. Period.
Calling in one of the Big 4 firms to “sort things out” afterwards will not cut it. At the heart of the matter is not just the need to “do things” (protective and layered “defence-in-depth” measures are well known and have been for decades) but the governance surrounding execution in those firms, the way the prioritisation of security investment has been handled over the years, and the cultural and managerial attitudes surrounding it.
“We can’t afford this” is an excuse we hear far too often from senior executives when it comes to security. Many CISOs take it as a genuine budgetary constraint. It is simply adverse prioritisation. And if security is not visibly towards the top of management’s agenda, you cannot expect good execution to follow, regardless of the investments you make.
One trait many of the firms recently affected by cyber security incidents have in common is their relatively good economic health. These are not failing businesses chronically losing money or drastically challenged by digital disruption, as could be the case for example in the retail sector. They are healthy and established market players churning out healthy profits.
How do they assess the threats they face? How do they manage their levels of exposure or protection against those? How do they determine the investments necessary to ensure adequate protection?
Clearly, not very well…
One thing is certain: they are not really short of cash. It may be a simplistic view from a CFO’s perspective, but the reality is that – post breach – money will invariably appear out of nowhere to get things “fixed”.
That’s the most pathetic part of all those incidents: shameless executives, who previously would have argued that they “could not afford” security measures, handing out millions in search of non-existent quick wins or technical silver bullets. And shameless tech vendors and security “consultants” lining up, without for a second daring to tell their clients what they need to hear: buying more tech won’t help you until you address the cultural and governance attitudes which led you into that mess in the first place: endemic short-termism, cognitive biases or, frankly, in some cases, threat ignorance and lip service to compliance requirements.
Of course, once the entire business has been down for several days, priorities are put into perspective and mindsets change, but for how long?
Across the street, various competitors or suppliers will have been rattled and may also start thinking differently, but again, for how long?
Once the dust has settled, losses will be added up; they may not please the shareholders, but in a context where many things could go wrong for large firms, do they really matter if the health of the business is strong? For Saint-Gobain, Maersk and others – badly hit by the 2017 NotPetya outbreak – lost sales associated with the cyber-attack were estimated in the hundreds of millions and the direct costs of the crisis in the tens of millions. Unpleasant, not invisible, but manageable on a multi-billion balance sheet. So it is easy for the cynical agenda to persist… but it is the kind of managerial culture which can only breed more regulation.
Of course, where personal data is involved, the regulators now have the power to impose significant fines and have indeed proposed very hefty ones (in the hundreds of millions for British Airways and Marriott) under the GDPR. But unsurprisingly, those have been challenged and the jury is still out.
Here lies one of the real milestones of 2020 around cyber security: non-stop breaches – whether or not they involve personal data – are strengthening the position of the privacy regulators against “pro-business” lobbies.
If those heavy fines are upheld, they will fundamentally alter the economics of cyber security, and the “affordability” argument will change hands in many firms.
The fact that a positive attitude towards security, and a positive prioritisation of security matters, could have limited – if not prevented – those breaches in the first place is the message the security industry should be pushing, instead of greedily trying to grab the biggest part of the remediation bill.
Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.
Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.