Economics Driven Cybersecurity – A Cybersecurity winning formulae

Posted on June 12, 2017


Economics driven Cybersecurity is the ruthless application of business economics and operational priorities in confronting Cybersecurity risks.

Step 1 – Keep the main thing the main thing.

Step 2 – Command the risks that could stop you keeping the main thing from being the main thing.

The rest is distraction.

If you must ask the question ‘What is the main thing?’ then you need to take a long hard look at how you are conducting business. Start by asking:

  • Do you have a business risk impact assessment?
  • Is your risk impact assessment updated regularly?
  • What does resilience mean for your business?
  • Do you practise privacy by design and privacy by default?
  • Are you doing the basics?
  • Are you Breach ready?

If you answer No to any of these then you’re fighting a losing battle already. When it comes to the hyper-connected economy, evolution happens in real time, not in once-a-year time slices. Cyber Risk changes in the blink of an eye, and so should an organisation’s posture to its risks, adapting to address any economic impact that could come from those evolving risks. 100% Cybersecurity is a pipe dream, and the current use of technology is as much the problem as it is a solution. Being prepared for the inevitable Breach incident is a modern mandatory imperative, and doing the basics should not be questioned or deferred.

Economics Driven Cybersecurity demands razor-sharp clarity and awareness of an organisation’s risk impact profile. This should be baked into an organisation’s cultural DNA. No black box will deliver this remedy. This is a cultural shift that can only be driven through awareness.

This is how the hackers and threat actors behave. They know their Economic Drivers intimately and refine and hone them diligently, mastering their art of attack. In contrast, businesses will either adapt or wither on the vine. Currently businesses are playing the surprised victim in a blind reluctance to face the facts of their situation. Cyber war has been waging for years. Organisations will not win this war by defence alone, whether it is the passive forms of defence that are little more than a lock on a door or the complex multi-modal defence postures that end up being their own worst enemy, as complexity becomes their Achilles heel. There is no simple answer, other than the clarity that sometimes ‘The best defence is a good offense’, an adage from the ‘Strategic Offensive principle of war’. Organisations should stop playing victim and ‘Go Hunting’. Be the king of your own jungle: hunt in your own digital ecosystem in a proactive and resourceful way that makes it a hostile environment for any perpetrators. Reactive response skills are like closing the door once the horse has bolted, but regrettably they are still necessary.

Ever wondered why with all the high-tech investment, great minds, blinking lights and magic boxes we are as naked as ever in the face of digital malfeasants?

Hoping that the Security industry will come up with a silver bullet is simply naive. The elephant in the room when it comes to Cybersecurity solutions is the protocols of the Internet on which our hyper-connected world is built. They were not designed with security in mind, but for a trusted closed community of researchers. The problem we have is that these protocols are now the backbone of everything digital, from the very TCP/IP suite of protocols of the Internet through to the email clients and web browsers that can deliver arbitrary executable code from complete strangers to a user’s desktop. Any thought that these can be retrospectively re-engineered is deluded. It is a bit like trying to defy gravity: it’s not the fall that kills, it’s the landing. Security vendors simply feed off the human instinct for hope by keeping the goalposts moving, dressing up their wares in the next great buzzword (Artificial Intelligence, machine learning etc.) so that the gullible punter does not feel the sting. In fact, the gullible punters are complicit in championing their own folly.

“Doing the same thing and expecting a different result = …….” – paraphrasing Einstein.

Remember, the bad guys are equipped with the same capabilities as the good guys without the compliance constraints, which allows them to exercise more agile and creative innovation to keep them generations ahead. The biggest chasm in keeping pace with the threat is the compliance ball and chain that business must wear and which the threat actors are simply not encumbered by.

So, in the fabled terms of Kipling’s Hare and Tortoise, businesses need to turn the very disciplines that encumber them into an advantage: evolving the discipline of compliance with an Economics Driven Security focus and an organisational awareness cultural shift towards a resilient, hunter attitude.

Apply Economics Driven Security principles to:

  • Deliver to your Business priorities first and foremost.
  • Focus resources where they give maximum return on deployed capital, time and effort.
  • Talk a traditional Business language that makes sense to everyone, not just those with Computer Degrees.
  • Apply a resilience philosophy to business in a digital world.
  • Put customer data first with a Privacy by Design and Privacy by Default attitude to all practices.
  • Build the foundations of a resilient digital society. The logical conduit is the industry associations, Institutes / institutions, partnerships and supply chains that are so influential in business. They should be demanding that their ecosystems demonstrate they meet a minimum level of Cyber Hygiene by mandating Cyber Awareness Certification programs like the UK Government’s Cyber Essentials.

If business does not, you can bet the tipping point will come when Governments start sanctioning action. Self-regulating BEFORE legislation makes for a much more congenial life. Just look at the sanctions coming in the new EU General Data Protection Regulation (GDPR), which replaces the poorly adopted and fragmented former Data Protection regimes across Europe that lacked any sanctions to motivate adoption/compliance.

So, acknowledge that 100% Cyber ‘security’ is a holy grail, but know that 100% Cyber ‘resilience’ is practical and achievable, and you will have taken your first step into a new age of Cyber Awareness for your business.