The Trouble With Cybersecurity Management
When navigating complexity in cybersecurity, iterative learning may have more impact than managerial experience.
Cybersecurity is becoming top of mind for customers and organizations, as highly publicized data breaches and cyberattacks at large corporations have revealed just how much damage a hacker can do by accessing or manipulating an organization’s systems. In addition to the immediate financial and operational consequences, a breached business often faces class-action lawsuits, regulatory fines, damage to its reputation, and a string of other ramifications.
Consider Yahoo. In April 2018, the company agreed to pay a $35 million fine for failing to report a 2014 data breach in which hackers stole personal information from hundreds of millions of user accounts. A month prior, a judge had ruled that the victims of the data breach had the right to sue Yahoo for negligence and breach of contract for not disclosing its systems’ security weaknesses.
Yahoo is not alone; a startling number of companies have faced public relations disasters surrounding security breaches in the past few years. On the one hand, the trend makes sense; cyberattacks are becoming more common than ever as hackers become more adept at penetrating systems. On the other hand, it doesn’t make sense, because while those carrying out cyberattacks are gaining more tools, so are the specialists who defend against them. Cybersecurity practices can — and need to — be better.
Despite the publicity around the Yahoo breach and other cases, most organizations still perform poorly with respect to cybersecurity management. Companies do not respond properly to cyber risk — instead, they underestimate or ignore altogether potential threats or rely solely on generic, off-the-shelf cybersecurity solutions. According to a 2017 report, a mere 19% of chief information security officers are confident about their companies’ abilities to address a cybersecurity incident.
Today’s ever-increasing cyber risks require businesses to use proactive decision-making in cybersecurity capability development. Allocating resources to cybersecurity should be a top priority of any manager. If an organization has strong cybersecurity protections and protocols in place before a breach, that organization can recover more quickly and incur fewer costs from cyberattacks. Unfortunately, proactive decision-making at the managerial level isn’t always easy or intuitive.
Complexity in Cybersecurity
It is best to work to comprehend cybersecurity in its full complexity, but complex systems are hardly intuitive. Managers’ problem-solving methods are typically reactive and event-oriented, meaning they will attempt to solve problems only after they occur.