Features 25.07.2023

Investing in Cybersecurity: Are Execs Protecting Their Bonus Rather Than Their Organisation?

It’s time to call a spade a spade. What’s really behind an executive’s cybersecurity investment decisions?

Sometimes the impact of a cyber attack can only be truly appreciated after it has happened. With that in mind, Kate O’Flaherty questions what motivates the team at the top to boost a company’s cyber resilience

Cyber resilience often comes down to attitude. Do top execs understand how cybersecurity is intrinsically linked to profit? Do security leaders communicate their needs effectively and convincingly to the Board?

In some cases, the answer to both somewhat rhetorical questions is a resounding “no”. It is no surprise that, according to McKinsey, there is a real disparity between what Board executives believe is critical to protecting the organisation and what the CISO and their team view as a priority.

To be candid, this is often because their motives are at odds. It’s more than plausible that a CEO might make a judgement based on the business’ profit, especially when said profit is linked to their bonus. So when signing off cybersecurity spend, are executives’ motives really to strengthen cyber resilience? Or is it more about spending as little as possible and doing the bare minimum to maximise the bottom line?

Hold tight, it’s time to dig deep.

Tight budgets

Everyone knows that budgets are tight. With current economic conditions adding extra pressure, organisations are reining in all spend, including cybersecurity. If execs invest in the business, it’s likely to be in ways that will directly impact profit, such as sales.

When profit-driven decision-making leads to product-focused priorities, cyber protection is often “put on the back burner”, says Elliott Wilkes, chief technology officer at security company Advanced Cyber Defence Systems. “From an exec’s point of view, spending money on ways to increase sales is a more attractive idea. But it is not so enticing to use a large budget on a preventative method and something that has not yet happened, like a cyber attack.”

Past experiences will dictate how seriously execs take cyber resilience and whether this is linked to a firm’s bottom line. “If cyber breach incidents have been light, business leaders may tighten the reins on the cybersecurity budget,” Wilkes concedes. Those in the know will understand just how short-sighted and counter-intuitive this is. Imagine taking the seatbelts out of a car if it hadn’t had any crashes recently. It’s unthinkable.

When signing off on cyber spend, it’s often about ticking boxes while also saving money, says Michael Jenkins, CTO at ThreatLocker. “Businesses need to check compliance boxes. If they’re given the option of checking 10 boxes, but they only need three and can cut costs by ignoring the other seven, they’re going to save their money.”

Profit is always a significant consideration for those at the top, but tunnel vision can be risky. It’s essential for execs to consider how a cyber attack could, and would, impact the bottom line, says David Emm, a principal security researcher at security company Kaspersky. “When it comes to IT spending, the benefits of cybersecurity may not be immediately apparent. Threat intelligence and security technologies do not directly produce more cash or boost sales,” he says candidly.

Security oversights

Yet security oversights can leave firms more open to attack. When a profit-driven mindset leads to firms doing “just enough” to protect security or comply with regulation, it usually comes back to bite later. SolarWinds and Equifax are just two of many, many examples.

A profit-driven mindset can result in “leaving yourself open,” Jenkins warns. “You make lots of money, your profit goes up, and then you get breached and lose all your customers. This then damages reputation and your bottom line because you might have to pay a fortune for things such as recovery specialists.”

Make no mistake, falling foul of regulation can also cost a fair bit, especially given hefty fines such as the €20 million or 4% of turnover that the EU’s General Data Protection Regulation (GDPR) can impose.

Additionally, regulators’ stances on personal accountability for senior leaders have been hardened, says Gareth Lindahl-Wise, CISO at Ontinue. “This is likely to sharpen focus, as the regulators are calling it out if there was negligent or deliberate decision-making not to be compliant,” he warns. “Businesses will always take risks, but regulators, internal governance stakeholders and the market will likely be the vocal commentators on your performance.”

While it might be viewed as a drag, GDPR has helped boost business resilience because its mega-fines “put an actual value on security,” says Jenkins. “Before, there was a fixed fee for data breaches in the UK, so a multi-billion-dollar company could just pay a fine after a breach. In fact, this was cheaper than paying the money to fix it. GDPR changed that.”

Boosting resilience

There are ways to improve resilience, but many businesses still don’t pick the safest route to stop breaches because they think “it costs too much,” says Jenkins. This fails to consider that improving security isn’t always expensive. As Jenkins points out, cyber resilience can be achieved by simply training staff and using basic security tools such as two-factor authentication.

It isn’t always easy. In many cases, the delta between what needs to be done to increase organisational security and what can be done is vast, says Ian Thornton-Trump, CISO at Cyjax. This is especially true regarding legacy technology and software, where he considers “most of the organisational risk is concentrated”.

Taking this into account, it shouldn’t be surprising that CISOs’ attitude to cyber resilience is usually in direct contrast to their CEOs’. Thornton-Trump says that cybersecurity leaders often fight fires, struggling amid constrained budgets. “70% or more of cybersecurity budgets are allocated to salaries or managed security service provider outsourcing, leaving 30% or less for security software renewals. There is not a lot of room for any cybersecurity discretionary spending.”

While top executives could be influenced by getting their annual bonus, the motivation for most security leaders is usually more straightforward: to protect the organisation and earn their monthly income, Thornton-Trump says. “Most leadership folks in cybersecurity understand the symbiotic relationship between their role and the protection of the company.”

Does this sound bleak? It’s not all bad. Thankfully, times are changing, and many top execs know that cyber attacks happen to everyone. If you’ve experienced one, you will already know how much it can cost.

Many executives now understand that cyber is a top business risk, says Greg Crowley, CISO at eSentire. He adds that news reports of costly data breaches and ransomware attacks “have contributed greatly in that respect”.

And while the motivations of security teams and execs can differ, a profit-driven mindset can benefit the business if cyber resilience is considered part of a firm’s margins. “Executives need to safeguard company assets from risks of all kinds, including those relating to cybersecurity,” Emm points out.

“The bottom line is this: the board is there to ensure the business makes money. If CISOs highlight the potential consequences of not ensuring proper security measures, executives will understand the company’s profit margin is at stake if a successful attack occurs,” he says.

Risks and vulnerabilities

With this in mind, executives should always consider their organisation’s potential risks and vulnerabilities, says Crowley. He suggests that it can be measured by assigning values to the likelihood and impact of potential cyber threats.

Cost is a consideration, he concedes, but this can be worked out so that it makes financial sense. “For example, it wouldn’t be fiscally responsible to spend $100,000 to mitigate a $10,000 risk. Once all factors are considered, including reputational damage, executives can allocate appropriate resources and prioritise cybersecurity measures accordingly.”
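One way to put numbers on the likelihood-and-impact approach Crowley describes, as an added illustration rather than anything from the article or from eSentire: a small risk register that scores each threat by its annualised loss expectancy and checks whether a candidate control costs less than the loss it avoids. All threats, controls and figures are constructed; the third row reproduces the $100,000 control against a $10,000 risk.

```python
from dataclasses import dataclass

# Added example, not from the article. Every figure below is constructed.


@dataclass
class Risk:
    name: str
    single_loss: float  # SLE: cost of one incident, incl. recovery, fines, reputational damage
    annual_rate: float  # ARO: expected incidents per year (the likelihood)

    def annual_loss(self) -> float:
        """Annualised loss expectancy (ALE) = impact x likelihood."""
        return self.single_loss * self.annual_rate


@dataclass
class Control:
    name: str
    annual_cost: float
    rate_reduction: float = 0.0  # fraction of incidents the control prevents
    loss_reduction: float = 0.0  # fraction of per-incident loss it avoids


def residual_annual_loss(risk: Risk, control: Control) -> float:
    """ALE that remains once the control is in place."""
    rate = risk.annual_rate * (1.0 - control.rate_reduction)
    loss = risk.single_loss * (1.0 - control.loss_reduction)
    return rate * loss


def net_benefit(risk: Risk, control: Control) -> float:
    """Loss avoided per year minus what the control costs per year."""
    return risk.annual_loss() - residual_annual_loss(risk, control) - control.annual_cost


def prioritise(register):
    """Rank (risk, control) pairs by net benefit; fund only those that pay for themselves."""
    rows = [(r.name, c.name, round(net_benefit(r, c)), net_benefit(r, c) > 0) for r, c in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed register: three threats, each with one candidate control.
REGISTER = [
    (Risk("phishing-led account takeover", 40_000, 0.5), Control("MFA rollout", 6_000, rate_reduction=0.9)),
    (Risk("ransomware on file servers", 300_000, 0.2), Control("offline backups + recovery drills", 25_000, loss_reduction=0.8)),
    (Risk("defaced marketing microsite", 10_000, 1.0), Control("dedicated WAF appliance", 100_000, rate_reduction=0.95)),
]

if __name__ == "__main__":
    for risk, control, benefit, fund in prioritise(REGISTER):
        print(f"{'FUND' if fund else 'SKIP':4} {control:36} vs {risk:32} net {benefit:>9,}")
```

Running it ranks the backup programme and the MFA rollout as paying for themselves and marks the $100,000 appliance against a $10,000 annual loss as not worth funding.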

While it’s understandable that profits will influence decisions, security experts agree that the link between cyber resilience and the business bottom line needs to be clearer.

In the future, senior execs can benefit by buying into cybersecurity as part of their overall business risk. This should be reflected in the company’s risk register, Bharat Mistry, technical director at security outfit Trend Micro, advises. “Cybersecurity needs to be treated as a business-wide issue and something that is the responsibility of every department.”

It might require a change of attitude, but it will ultimately boost revenue. A purely profit-driven mindset that does not consider security will “lead to ruin,” warns Crowley. “There has to be balance. A cyber incident can cost hundreds of thousands of dollars a day in downtime alone. Fines, recovery costs, ransom payments and reputational damage can destroy any business.”

In the end, it’s really down to communication. CEOs need to heed their security teams’ warnings, while CISOs should ensure they have a regular and clear dialogue with those at the top.
