Cybersecurity Is Not the Issue We Think It Is
A former employer used to hold annual off-sites where business and technology experts would imbue us with their wisdom. The highlight of one particular year’s meeting was an outburst by a distinguished professor from the country’s most prestigious business school who, in response to the umpteenth briefing to mention how amazing revenues were, exploded:
“You don’t go into business to make revenue; you go into business to make profit!”
Few people in cybersecurity understand this point. Nobody is actually in the cybersecurity business, not even cybersecurity companies; they’re just in business. Every decision made in the boardroom, the staff meeting, or an IDE is centered around one question: will this help us make money? To do otherwise is to ensure bankruptcy. How many people is your start-up with the revolutionary next-gen idea and elegant code going to help then, eh?
A Brief History of Business Bastardry
Profit above all is not a new phenomenon. Business owners would rather subject their fellow human beings to life-threatening conditions if it meant that they were able to keep raking in profits for just one more year, month, or day. The full scope of how monstrously business has treated labor over the centuries deserves several books (see your local library), but for the sake of brevity consider:
Robber Barons in oil, mining and other industries early in American history would literally rather go to war against their employees than pay a living wage, provide minimal safety equipment or otherwise show any humanity to the people responsible for their fortunes.
Enron was heralded for years as a money-making machine. It made its executives rich and fattened the retirement funds of regular employees, who were encouraged to keep their nest eggs in company stock. When its world-class accounting fraud was revealed, it sent several executives to prison, and destroyed the wealth of those least able to absorb such a financial shock.
Facebook has paid out billions of dollars as a result of multiple successful lawsuits related to how it treats users.
TD Bank, Wachovia Bank, HSBC, Wells Fargo, and others, despite strong know-your-customer and anti-money laundering rules, have paid billions of dollars of fines because of … money laundering.
Ernst & Young agreed to pay a $100M fine after hundreds of the firm’s auditors were found to have cheated on ethics exams. There is no evidence that unethical auditors led to the previous bulleted item, but…
While some business leaders are satisfied with merely making an honest buck, there is a not insignificant percentage of them that will do just about anything in order to make dramatically more money than if they’d just played by the rules and been decent human beings. This is what you, as a cybersecurity practitioner at every level, are up against.
“What about non-profits?”
“Non-profits” are still businesses. Whether they secure their funding from grants or contracts or donations, they still have to end the year with the same or more money in the bank than when they started. There are rules about what you can do with what would otherwise be called “profit,” but make no mistake that the umbrella goal is still there: making money. It’s just making money under the guise of doing good, which happens, just not on the scale or as deeply as you think it does (more on this in a second).
When Business and Security Collide
Imagine a scenario where you get a half-hour with the CEO to talk about all the critical problems associated with company systems. To do things properly would actually require certain systems to shut down for a period of time. Systems that are critical to the company’s ability to make money. To negatively impact operations would have a material effect on company finances, and on its share price.
“We will accept the risk.”
Those are the last words you’re going to hear before you’re told that the meeting is over.
How can this be?! Don’t they realize the consequences of their actions?! Well, as a matter of fact they do. They’ve done the math. A compromise might never come, in which case an unbudgeted expenditure would be wasteful. A compromise might come tomorrow, but the cost to wipe and rebuild impacted systems so that they can be put back to work would be less than the total cost of remedying all the aforementioned issues. You’re trying to explain chess to people playing Jarts.
Businesspeople are not evaluated on how secure an enterprise is; they’re evaluated on financial metrics. The prevailing wisdom in business circles is to focus on ‘shareholder value,’ which, loosely translated, means at least maintaining and ideally growing the share price. Activities that make financial metrics go from lower-left to upper-right on slide decks are good; things that do not are bad. Executives are only human, and they will respond positively to things that bring rewards, and react negatively to things that will result in penalties.
It’s not personal, it’s just business.
Can We Fix This?
The short answer is “no.”
The market economy isn’t going away any time soon, which means the business principles and thinking that make security so hard are going to persist. So if we’re going to have any sort of impact whatsoever, we’re going to have to change where we position security in the wider scheme of things, and how we define “wins” going forward.
If you ever get that thirty minutes with the CEO, don’t waste it talking about nerd stuff; ask them what their philosophy regarding security is. Some companies may want to do as much as they can to help the authorities bring the people behind the pwnage to justice. Others may just want you to get those machines back up so they can get back to making money. What do they want security to do for them?
Now you can develop an appropriate strategy. You know what is and isn’t important to the company. You can avoid wasting time and making enemies by focusing on funding and staffing efforts that will support business goals. Yes, we’d all like the firm to fund our cyber counterintelligence cosplay, but for most of us workaday life is more about regulatory compliance, tuning security mechanisms, and doing things that will preclude a charge of negligence in the wake of compromise. Unglamorous and unsatisfying but necessary, and in keeping with what the company wants security to be.
Drilling down a bit, you should evaluate what you’re doing to find efficiencies and eliminate redundancies. Can you save the company money once? Great. Can you figure out how to execute your strategy in a way that reduces friction or otherwise has an impact over the long term? Even better. Can a security initiative serve as a discriminator and help sales win business? Now you’re a team player. The more you think of what you’re doing as good for the company, the more credibility, respect, and goodwill you develop and husband for those times when you really need it.
Reality Check
If cybersecurity really were the issue we think it is, we would have SOX for cybersecurity. We’d hold platforms accountable for the harm they cause (in a meaningful way). We’d be a proper profession (insert your own self-taught surgeon analogy here). We wouldn’t make ‘dumb’ things ‘smart’, connect them to a global network, and then hope for the best despite decades of evidence that such an approach does not produce good security outcomes. We would do any number of things that would actually improve cybersecurity at a global scale and at combat speed in perpetuity.
We do none of that.
Name the cybersecurity company that has wound down operations because it achieved its raison d’être. We could solve a cybersecurity problem a year and still have decades’ worth of work to do and value to create. I’m not saying anyone is deliberately not making progress in order to keep the gravy train going. I am saying that the thinking required to make real gains in cybersecurity is not evenly distributed, nor is the intestinal fortitude required to act. When you understand this, you can make the mental and emotional adjustments necessary to be useful.
Or you can begin your long, slow descent into high-functioning alcoholism, high blood pressure, and prematurely gray hair.