You may have heard the adage, “Insanity is doing the same thing over and over again and expecting different results.”1 Often misattributed to Albert Einstein or other geniuses, its genesis was a 1981 Narcotics Anonymous pamphlet. How apropos, as most of today’s cybersecurity programs rely on concepts developed in the 1980s and early 1990s. To use a 1980s phrase, “You’d have to be delusional” to believe a 20th century approach to cybersecurity would be effective in today’s 21st century hyperconverged cyber environment!
Sadly, many organizations continue to practice their own special version of cyber insanity, investing heavily in revamped versions of stale technologies and then wondering why they continue to be the victims of cyber attacks and incidents.
Cybersecurity is big business, with some think tanks estimating cybersecurity spending will rise nearly 10% and hit almost US $100 billion in 2018. Spending in both public and private sectors on antivirus software, virtual private networks (VPNs), intrusion detection, monitoring and other traditional cybersecurity technology to safeguard data continues to rise amidst fears of data breaches, ransomware, and attacks from cyber criminals and nation-state actors. These increases indicate that boards of directors and senior executives recognize the need to invest in better protecting the information that fuels today’s national prosperity and national security, even global economic growth, yet these very same leaders are becoming increasingly frustrated. Many express that with all their spending on cybersecurity tools, one would think their organization would perform much better than they actually do. To be fair, many organizations have improved, yet I contend that we are underperforming and should do much better at a lower cost to protect our information, our intellectual property, our brands and reputation, and our competitive advantage.
Many boards and senior executives ask me for help. They want to reduce their cyber risk and, while most express suffering from “cyber spending fatigue,” they are not shy about investing more resources as long as they show a good return. Nearly every organization I work with has a laser-like focus on fixing their “cybersecurity problem” through the purchase of another tool or technology. Focusing on technology alone to fix a problem reminds me of what US Airmen call “target fixation,” where you become so fixated on one thing that you do not recognize the threats around you, resulting in a crash or getting shot down. Cybersecurity involves people, process and technology, yet too many practitioners focus on technology and ignore people and process. To stop the insanity, we need to look beyond solely spending on another tool and first invest in building a cybersecurity culture that balances people, process and technology to improve our ability to manage cyber risk.
Without an effective cybersecurity culture, your organization is fighting a losing battle. Gustavo Grodnitzky, Ph.D., makes the case that by focusing efforts on supporting the behaviors and performance we seek, we will develop the culture we desire.2 When it comes to cybersecurity, I agree with Dr. Grodnitzky: “Culture trumps everything!”