Why Spending More on Security Is Not Always the Right Answer

There is no doubt that governments and private sector businesses have been complacent about cybersecurity. Consider the news about enormous ransomware takedowns, huge databases of breached personal information being traded for pennies on the dark web, and the endless spam that is now morphing into a deluge of increasingly personalized fraud that comes at us through voice calls and SMS messages as well as emails. These are the symptoms of a cancer that was allowed to spread throughout the body of society because insufficient effort was made to contain it within the limited organs that first made cybercrime possible. Our societies wanted networked technologies but treated the word ‘security’ like a magical incantation, which if mentioned somewhere near the end of a presentation to investors would somehow prove that the measly amounts spent on actually securing the product or service would be sufficient to prevent any harm from occurring. Now we live in the world that is the product of that complacency.

Half the Indian scammers who call me know my name, phone number and one of my email addresses, and also think they can intimidate me by repeating a password from one of the thousands of freebie accounts I signed up for during the late 1990s. The get-rich-quick entrepreneurs of that period thought that information would be as valuable as oil, and many still believe that is true, although there has never been an oil business that allowed every jackass employee and subcontractor to take a copy of all the company’s oil home with them. As far as security is concerned, our societies are reaping what they have sown in the past. It is natural to now see a backlash, apparent across much of mainstream and social media, with many cybersecurity professionals talking as if massive increases in cybersecurity expenditure are inevitable. They are wrong.

Let me be clear. If something is worth doing, it is worth doing securely. That means spending the appropriate amount of money on hiring and training the right people, giving them the right tools, and allowing them to participate in the design as well as the delivery of every product and service. But it does not follow that security spending should increase overall. The correct conclusion, in many cases, is that security spending should fall because it is not worth creating an ill-considered product or service when the proper cost of security has been factored in.

The astute will immediately perceive the problem with my analysis. Reckless businessmen and inept government bureaucrats are not going to do less just because you would like them to cause less harm. They will still overstretch, overpromise, and indulge ambitions that cannot be realized in practice. They will continue to underestimate the cost of security for the same reason they underestimate the cost of everything, even though we already know all about the psychological factors that cause projects to overrun and budgets to be exceeded, time after time, again and again. Incompetents are not going to retire from the workplace just because you would like them to.

There are fields of endeavor where the inability to do a job correctly means others can prevent you from doing it at all. Consider the need to protect food from being tainted, or the safety of people who work with heavy machinery. Governments give themselves the power to close down businesses that pose a threat to the health of others. Now compare these powers to those exercised to maintain cybersecurity. Even if some will increase spending on cybersecurity because they understand the need to do so, there will be others who want to compete even though it means they will have to cut corners and put everybody at risk. Governments are not proactively closing those businesses down. At best, they are waiting for a rare case where the blame is so obvious that they can levy a hefty punishment. But fining a business for a data breach that affects millions of people is no more reassuring than being told there will later be repercussions if you are poisoned by the food you eat.

Farmers work for low margins and are subject to many regulations. Contrast that with the world of unicorns. Our society literally labels the most successful start-ups with the name of a mythical creature whose existence was the subject of an elaborate scam perpetuated for hundreds of years. People used to think horned horses were real. Books were written about the power of unicorn horns to purify food. The reality was that Viking traders during the Middle Ages would sell the horns of narwhals to credulous Europeans living to their south whilst never revealing that the horns came from a kind of whale, not a kind of horse. Our society is in a similar state of delusion about cybersecurity. People are going to keep buying and selling cybersecurity even when the content is a lie and the results can only disappoint. Now we will fool ourselves into believing mantras like ‘security by design’ really will purify the most rancid and wretched of endeavors. We will do this because we lack the maturity to prevent the inception of mistakes, so must keep suffering them before we can learn from them.

A lot of people are going to make a lot more money from cybersecurity, and I can hardly blame them for trying. But more cybersecurity is not the equivalent of better risk management. Abraham Maslow wrote in The Psychology of Science that “it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail”. If I were responsible for the building of a barn, then I would want to work with people who are good at wielding hammers. Risk managers for networked businesses should rightly choose to work with excellent cybersecurity professionals. However, increasing security is not the same as reducing risk. Not every barn needs to be built. A good risk executive should know there are also times when the best outcome is to avoid risk by not making the mistake of pursuing a goal that cannot be realized with the resources available. Sometimes the right way to optimize risk is to not start an endeavor that requires more spending on cybersecurity than your organization will ever pay for.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.