Australia’s second-largest telecommunications company Optus detected a breach on Wednesday September 21. Overnight, the situation became increasingly alarming when the Australian Federal Police, Australian Signals Directorate and the Office of the Australian Information Commissioner became involved. Although the impact is still not yet fully known, some estimates suggest over 10 million customer records containing personal information were breached, as well as information on credit cards, driver’s licenses, and passports. This has impacted nearly half the Australian population.
Is this Australia’s Equifax moment?
Since the dust has not yet settled on this case, it is best to refrain from commenting on the lessons we could learn from this case. Instead, let’s talk about the ways we approach investments in cybersecurity, so that future investments are not made from a knee-jerk response to this incident.
As a former Chief Information Officer, I feel for the CIO and the CISO in the middle of data breach incidents. I had a couple of scary moments during my time. Bystanders and spectators tend to simplify such complex situations, latching on to key descriptors without broader context. The truth is always more complex than it seems, and the search for root causes can be painstaking.
In 2021, more than 85% of breaches involved human behavior, either because of a miss, a mistake or from malicious intent. That means that future cybersecurity investments cannot be totally focused on technology or technology services. The human element in cybersecurity is as critical as that of the computer and the processes that govern the IT environment.
The Currency of Fear
After such widely publicized incidents, we often hope that surely this will make boards and business leaders pay more attention to their cybersecurity investments. That it’s time to take advantage of the new heightened interest and ask for more funding.
But as time has shown, the currency of fear is not a lasting influencer of cybersecurity investment decisions. Over time, the incident and the urgency recede. How many such incidents have we experienced around the world? Remember the 2017 Yahoo breach in which >3 billion user records were breached? Or the 2013 Target breach in which 40+ million credit card numbers were exposed? Or the 2017 Equifax breach, in which the personal information of 143 million Americans was affected?
What Are We Protecting?
In a world with finite resources and a constantly changing business ecosystem, our investment in cybersecurity must start with one key question: what are we protecting? Only then can we figure out the means and the sequence to implement that protection.
Cybersecurity is no longer the sole concern of the enterprise. It is now the concern of governments and citizens. We expect that our personal information is at the top of the list of assets to protect the most, alongside highly sensitive business information.
The Value of Reducing Risk
It is difficult to justify a cybersecurity program based on the traditional ways an investment is made, that is, by the return on investment based on opportunity, revenue and cost drivers. Let’s face it, a cybersecurity program is there to reduce risk and by doing so, reduce the friction of facilitating business change and growth. This is why differently valued information requires different protective measures. The cost of investment, therefore, should align with the value of reducing the risk to the information.
Matching Cybersecurity Investment to the Value of Lower Risk
A better way to look at the value of a cybersecurity investment is by linking the investment to the maturity of the capability and quantifying the risk reduction for doing so. Quantifying the risk in the language of business leaders and boards means going beyond the usual operational metrics, such as number of threats thwarted, and instead measuring the value in financial terms of the business risk being reduced. Consequently, this action enables business growth and agility.
Creating a risk model requires rigor and deep market data and intelligence to test such models. The model should reflect your specific susceptibility to the risk and give leaders the ability to “war game” their investment sequencing and test their capability maturity plan against the enterprise’s risk appetite.
Figure 1. The Cybersecurity Value Model
A cybersecurity roadmap planning session can be powerful for interested stakeholders and cybersecurity teams when invited to participate and be part of informed decision-making.
Use this approach whether you are just starting on your cybersecurity program or assessing the optimum pathway to reduced business risk where it matters. Consider reviewing your past investments to get a baseline of the value of the risk reduction so far (and consequently, the value of enabling business growth and agility), then track your cybersecurity program’s impact on risk as you progress. When things change, whether from internal or external forces, you can use this approach to gauge which choice is the best for your business.
What About the Optus Data Breach
Understanding the root cause of the Optus breach would undoubtedly help us apply important lessons to our current cybersecurity programs and operations. But, by itself, this incident – or any other – should not be used as a justification for a future cybersecurity investment without understanding what you are protecting, the impact on risk against the value of the investment, and where the capability strengths and gaps are today in relation to your maturity plan.
The key questions for the leadership team, not just the CIO or the CISO include:
- Do you know what and where your key assets are?
- What are the layers of defense around your key assets? Are you comfortable with these settings given your company’s position on risk-taking?
- What mechanisms do you have to detect and frustrate further intrusion into other spaces if the outer perimeter is breached (akin to a gate being left open, a wall being scaled, or a lock being picked)
- How do you know and assure the identity of people and devices?
- What stops an intruder taking the identity of another who has been given ultra-wide access to your assets?
- What if that intruder came via a pathway you shared with a supplier or technology partner?
- If all these fails, and the intruder reaches the assets, what is the protection on the asset itself (e.g. another lock, encryption at rest and in-transit).
- How do you detect and stop an intruder taking the asset out your door?
- And finally, even when you are assured that all has been done to your satisfaction, with technology changing constantly, what would you do when you are breached?
- Have you war-gamed your risk scenarios and prepared your team (and your partners) for the event? Will the business recover and return to full health after the disruption?
As we watch what happens at Optus, we may never know the answers to all these questions. But asking ourselves the questions is worth your while if you want to be better prepared for such situations. \
Beyond Capability Maturity Assessment
The next time you want to assess your cybersecurity capability or the effectiveness of your cybersecurity roadmap and investments, think about how much more powerful that assessment becomes if you link investment planning to maturity growth and risk reduction. Imagine how many conversations you will have with highly engaged C-suite leaders when you shift your cybersecurity investment language to the language of business. Imagine a day when the advocacy for cybersecurity investments matches the enthusiasm for digital transformation.
What next for your organization’s cybersecurity posture?
The well-known management expert Peter Drucker once wrote that “culture eats strategy for breakfast.” This means you must understand how your organization thinks, talks and behaves when it comes to risk, including cybersecurity risk. If you want to know, a risk culture experience assessment is your first step. An investment in culture is a profound investment in process, technology and governance.
You don’t have to use the currency of fear to push for additional funding or advocate for support. Simply begin to put cybersecurity investment decisions in business-relatable terms, so you can articulate value in terms of capability maturity, return on investment and risk reduction. And, while you’re moving to this new cybersecurity value model, strip away the jargon, the opaque cybersecurity acronyms and tech-speak and start using generally understood business terms and familiar, accessible language.
ISG helps enterprises understand where they are at risk and how to make smart cybersecurity investments to protect their most valuable assets. Contact us to find out how we can get started.
About the author
