There’s an adage that the two best days of owning a boat are the day you buy the boat and the day you sell the boat. As I watch my cybersecurity peers struggle in a soft market while companies cut their security teams and budgets, I wonder if cybersecurity has become a luxury item, like a boat.
A few years ago, after the first breaches with widespread impact (think Target, Anthem), security became a must-have, and most conversations centered on reputational risk. But the more breaches that have happened, and the more data the bad guys have collected, the less the threat of reputational damage has mattered. This is exemplified by the now well-worn phrase, “It’s not about if you have an incident; it’s when.”
This doesn’t have to be the case. Security doesn’t have to be an all-or-nothing expense for a company. Not every company needs a luxury yacht, but every company needs a way to navigate the waters of data security.
Why luxury?
Investopedia defines a luxury item as “A non-essential item that is deemed highly desirable within a culture or society.” Let’s take these one at a time:
- Non-essential
- Deemed highly desirable
In some highly regulated industries, security is essential. There are compliance requirements for health care and (coming soon) critical infrastructure. There are companies where security is table stakes, regardless of compliance: banks, credit reporting agencies, the NSA, etc. A fisherman needs a trawler (but not necessarily an 80-foot superyacht).
For businesses without compliance or regulatory requirements, data breaches have become so commonplace that a breach no longer has the effect it once did. Most people’s PII is already out there. Between the Office of Personnel Management (OPM) breach, the “mother of all breaches” (MOAB) compilation, the National Public Data (NPD) breach, all the other major and minor breaches, and widespread bad password practices, your data and your customers’ data are already exposed. These days, if a company loses its consumer data, it might not even make the news.
Is security deemed highly desirable?
Companies would love to have security. But at the end of the day, many businesses think it’s out of reach at luxury pricing. It’s something to aspire to when they have more money. It’s like putting off going on vacation until you retire.
It’s not that companies are thinking, “Let them have our data!” Companies still want security, but at luxury pricing they go through the motions and hope not to be targeted.
The problem is the perception of affordability. Security remains a hot topic among boards and executive teams. When a major zero-day is disclosed, people rush to understand the potential impact on their environment and their consumers.
The companies I advise—seed stage through scale-up—all want security. Even at a supply-chain-focused tech conference I recently attended, security was mentioned as a major concern and desire by the leaders on the panel.
If it’s a luxury item, can you ignore security?
No, you can’t ignore security. But you can stop treating it like a luxury item, a mindset that ultimately makes you do less. Understand what size boat you need. You can dream of owning a Vard Somnio, but let me show you what we have in an aluminum prowler.
The thing about luxury items is that they often become less expensive with greater adoption and increased technology. In 1997, the first Fujitsu plasma flat-screen TV cost $20,000. Today, you can get a better TV for $149, delivered to your front door overnight. The 1997 flat-screen TV was a status symbol.
Today, nearly every home has a flat-screen TV; few have a boat. As cybersecurity professionals, we need to make cybersecurity more like a TV than a boat. A CISO’s job is to communicate that to the business.
1. Reframe affordability
A quick internet search puts security budgets at somewhere between 7% and 20% of the total IT budget. Planning ahead for that level of spending (or of hiring, since much of IT work is now security work) will help you set realistic expectations for what security should cost. 7 to 20% is a wide range, but where you land depends, again, on your specific industry, compliance requirements, and data.
We’ve been talking about people/process/technology in the IT industry since back in the 1900s. We also often talk about people being the strongest asset (and some say the weakest link) in security defense. Even if you cannot afford a 40-ft yacht, you can still get an aluminum boat, or maybe make a friend who has one.
At your company:
- Help people understand secure behavior and enhance it without technology.
- Leverage your engineers to create internal automation.
- Engage the people in your business to help develop better security practices and solutions.
I once had my tech team create an automated attack surface management tool during a hackathon. It saved us $40,000 a year.
2. Leverage MSP/VARs when purchasing cyber tools
Before you buy a tool, carefully weigh the build-or-buy options. Sometimes the right answer is to build until you grow enough to buy. I love a good requirements document to help me really think through that problem.
I recommend that start-ups, scale-ups, and even SMBs find collectives or purchasing collaboratives to buy software in blocks. Your value-added reseller (VAR) or managed service provider (MSP) can help you with this. Keep in mind that once you implement technology, you still have to manage it; even if you have a managed service provider, you have to manage the manager.
3. Understand the needs of the business
I would love it if every business could have OpsSec, CloudSec, AppSec, ThreatSec, ComplianceSec, DataSec, ProductSec, IAM, SecEd, and Program Management departments within Security. But they can’t. Even the fancy Fortune 500s don’t have all of these (they only just finished rounding out the CISO suite). Know where your business is in its maturity. Know what the top priorities are. Know what the financial capabilities are to achieve them.
Without that, you will lose every budget discussion, and the business will assume that security is unachievable and too expensive. That’s not beneficial to anyone. The more you understand how work gets done in the company, the better you can secure it at a rational, reasonable price.
4. Outsource/Fractional workers
Whenever I start a new hobby (and I have started many hobbies), I buy all the necessary gear right out of the gate. This is how I gave away a brand-new, 10-year-old pair of roller derby skates last week. I had worn them once.
A friend with a boat is better because you can reap the benefits of going out on the water without all the other costs (maintenance, docking fees, gas, license, insurance, etc.) or the long-term commitment.
A fractional CISO can come in handy—it’s like renting a boat for as long as you need one. Instead of trying to scrounge up $400,000 for an experienced, full-time CISO, and even more for engineers, hire a fractional CISO who knows how to plan, strategize, do all the recommended items on this list, and can do it in less time for far less cost.
Now You’re PhFishing
There is no reason you cannot enjoy the trappings of luxury at a discount. With the right mentality and strategy, you can have excellent security that matches your needs without having to ignore it and hope for the best.
Hadas Cassorla, JD, MBA, CISSP has a lot of letters after her name, but the three letters she cares the most about are Y-E-S. Marrying her improv and legal background into technology and business, she helps organizations build strong, actionable and implementable security programs by getting buy-in from investors, the boardroom and employees. She has founded her own business, Scale Security Group, and has built corporate security offices from ground-up.