EPISODE III – Making the Business Case: Where Does Your Money Go?
03 JUN 2016
Welcome to Episode III! I hope you enjoyed last week’s Episode which used a Modified Weinberger-Powell Doctrine to evaluate your cyber security solution.
This week’s Episode will focus on one specific area of cyber security decision making: How do you spend your money? Or more accurately: Are you spending your money wisely?
Let’s start with the obvious: cyber security is big business and will only continue to get bigger. We spent close to $75 billion USD in 2015 with projections showing that by 2020 we will be investing $170 billion USD in the field.
Similarly, the insurance industry (always looking to insure something) is predicting the “cyber insurance market” to grow from $2.5 billion USD in 2015 to $7.5 billion USD by 2020. (Personally, I think one big breach, followed by one nasty and huge class action payout, will make the “cyber insurance market” grow much more than what has been predicted.)
In 2014, in the US alone, $25 billion USD and 1.2 billion hours were spent trying to deal with cybercrime, one in five small-to-medium businesses were affected, and some projections indicate that the cybercrime will cost core business over $2 trillion USD by 2019.
In other words, a lot of money is being spent, lost, sunk, or has drifted away into the ether.
Where the money is being spent is interesting though. According to IDC, an IT analyst firm, the hot areas for growth are security analytics / SIEM (10%); threat intelligence (10% +); mobile security (18%); and cloud security (50%).
My bias is already well known and declared: where is the investment in people?
A metaphor may be useful here.
Does a safe car make a safe driver? No. Reality is, in over 90% of car accidents, human error is the primary factor.
Does a secure network make a user act securely and safely in cyberspace? No. Reality is, in over 95% of cyber incidents, human error is the primary factor.
In the car accident scenario, did we go into some mass hysteria and start spending billions and billions of dollars on creating safer cars? No. The strategy was mixed. We continue to try to get bad drivers off the road, we invest in creating safer cars, and we focus a considerable amount of our efforts on driver safety awareness.
But the same cannot be said for cyber security.
As indicated above, in 2015, we spent about $75 billion USD on cyber security solutions. Of that, estimates show that only $1 billion USD was spent on educational security awareness solutions.
Let’s do some quick math: we spend 13% ($1 billion of $75 billion) of our total cyber security solution expenditure on an issue that is responsible for 95% of our problems.
Not sure if that makes for good business.
Even at the 13% expected annual growth rate over the coming years, educational security awareness solutions would only make up about $1.85 billion of the projected $170 billion market in 2020. This would mean a decrease to 11% of total spending on our biggest problem, as technical expenditures would outpace educational ones.
Again, I am not sure it is good business to neglect your biggest vulnerability.
If I can be blunt: I get it. Consulting companies, software developers, and insurance companies are going to serve their interests. And by the way, all these costs will be passed on to the consumer, which eventually will reach an untenable point creating pressures not only on your own organization, but the economy as a whole, which in time, will probably cost us entire percentage points of our GDP (if the $2 trillion USD estimate for cybercrime by 2019 is accurate, cybercrime alone may account for 2.5% of global GDP).
The cyber security business is, and will continue to be, very lucrative. But if you are a senior decision maker and hold the keys to your organization’s financial vault, ask yourself: is continual spending on technical solutions, while neglecting your people, good business? Does this course of action serve your own interests?
Your financial resources are finite. If your organization is going to spend on IT staff, licensed software, and 24/7 off-site threat intelligence centers with cyber response teams managed by consulting companies, you are easily going to get into the hundreds of thousands of dollars annually (and that is if you are just a small operation). If you are a large enterprise, you are already spending millions, likely have an in-house center and team, and will continue to do so for the foreseeable future.
At a recent presentation, I asked the group the following:
“How much value does cyber security add to your business? Where is the wealth generation in your investment?”
The group was stumped because they could not quantify or even identify any wealth generation at all. I responded with the following (paraphrased):
“Unless you are in the cyber security business as a vendor, selling a cyber security product or service, chances are there is no wealth generation for you. Cyber security is a cost for you. Cyber security is a tax for you. It is here to stay like insurance payments. And what do you do with costs and taxes? You try to find savings and minimize them.”
Of course I went into more detail with them, but the main point of the conversation should be evident: where is your money going?
Only one-third of US companies require employees to have some form of cyber security awareness training, and in the financial services sector, one-third of respondents to a SANS survey could not quantify their IT budgets but were still planning on spending considerably more money in the coming years on IT-related security and risk management.
Would you let your sales or marketing team burn through a budget and not be able to quantify their results? Unlikely. So again, where is the money going?
Please understand I am not knocking the technical specialists. You absolutely need them and they are vital to your survival. But sometimes it may be more valuable to spend $200,000 on education awareness training for all of your staff (preferably in a language they understand and not some tech garble and jargon which will make them tune out in 2.6 seconds) as opposed to allocating $2 million to your IT department (which will still be frustrated to tears by the boneheaded things your general staff has done with their devices anyway).
Let us go back to the car metaphor. A car designer/manufacturer will not (one hopes) put an unsafe car on the road (yes, most of us know about the Ford Pinto’s fuel tank problems). Chances are that a car will not go into production today unless the engineers are confident the car can withstand all the safety tests. Engineers will stake their reputation on the safety of the car, very much the same way IT professionals will insist that they have gone to incredible lengths to ensure the network is secure.
Yet for all their safety measures, none of their work will prevent unsafe or foolish behavior by the user, whether it is on the road or on the Internet.
In closing, think of it like this:
It would be nice to drive around in a Leopard 2A7, or M1A2 SEP, or Armata (these are tanks which, if you are ever on the receiving end of, will make your life very miserable).
But if you do have one, more than likely you could drive around and not care about traffic signals, road conditions, or others sharing the road. Chances are you’d be the baddest ride on the road and, unless you bump into another tank, have a bomb dropped on you, or try to penetrate an impenetrable wall, not much is going to stop you, especially since you have some extra options on your vehicle (that “boom” it can produce is not a 1,000 watt subwoofer pumping your favorite song).
In other words, you could be reckless and, for the most part, your damage would be minimal.
But there’s a problem with that solution. First, despite the giddiness of the thought (still chuckling?), most of us can’t afford a tank, which normally has a unit cost of a few million dollars apiece. Second, even if we could afford one, we can’t get a license to buy or drive one (assuming, of course, that corruption of government officials is not your primary business activity).
So even if you have the money to buy a super crazy cool cyber security solution (one that likely only governments have access to), you’d be asking for a world of hurt if you tried to use it.
I don’t know what your street corner looks like, but if a Leopard was driving down mine, a few phone calls would be made to get that thing off the road, followed by a few questions from the authorities, the first of which would be, “so, umm, how exactly did you get this vehicle?”
Or perhaps it would be more like Trooper Daniel from the movie The Blues Brothers: “Boys, you’re in big trouble.”
Truth is that most of us drive Hondas, Fords, VWs, and others of the like. Some of us are lucky. We get to drive Ferraris (this one is pretty), Astons (prettier), and Lambos (Batmobile, please, this is a real ride). Those who drive these supercars would be your big enterprises.
But even as awesome as those cars are, they are still tin foil when up against an M1 Abrams. And if perhaps the Abrams decides not to run you over, it has this offensive capability – the “boom” mentioned above – in the form of a cannon, something you probably do not have.
This means we need to learn the rules of the road, like stopping at a red light, or respecting the one-way street, or not driving 100 mph in the middle of the night on a road with no street lights that has not seen any maintenance in the last 50 years.
Why? Because there are only so many times you can go to the mechanic to fix the car, and there are only so many cars you can afford, and maybe, just maybe, one of those times you’ll do something so stupid you will get killed (which I hope never happens to any of you).
Invest wisely. Invest in your people. It’s good business. And it helps protect your interests.
See you next week and thanks again to all those helping to spread the word!