What would it take to make an office building perfectly secure, with 100% impregnability? Would you put padlocks on every door and window, and security gates in every corridor? Certainly, this would be very secure, but it doesn’t take a security expert to see how such a setup would be a huge waste of resources, nor would it be convenient for the people who need to work in the building. 

Cybersecurity challenges 

But while most businesses recognize that complete perfection in physical security is neither realistic nor desirable, they often fail to apply the same judgment to their cybersecurity arrangements.

In their quest for perfect cybersecurity, the vast majority of organizations end up with misallocated budgets, poor prioritization, or completely overwhelmed IT and security teams, resulting in these organizations suffering from cybersecurity paralysis.

Cyber threats

A steady stream of stories relating to cybersecurity and data breaches has caused businesses to enter panic mode

Certainly, cyber threats are a major problem, with the global costs associated with cybercrime predicted to rise to $10.5 trillion by 2025.

However, the steady stream of alarming news stories about cybersecurity and high-profile data breaches has caused many businesses to enter panic mode. This is exacerbated by the overarching narrative from the media and the security industry that “nobody is safe” when it comes to hacking.

Measured and sober risk assessments

While it is true that all organizations are technically “hackable”, it's important that they make measured and sober risk assessments when it comes to their cybersecurity.

They need to look at the bigger picture: cybercriminals tend to focus their efforts primarily on the most valuable and highest-yielding targets. As such, striving for cybersecurity perfection is simply unnecessary for a large swathe of the business community.

Physical and digital security

This is true for both physical and digital security: perfection can easily become the enemy of progress. Ultimately, trying to be perfectly secure is unrealistic and unachievable. Chasing such a goal is likely to cause a massive detriment to both productivity and innovation.

Rather than pursuing perfection, organizations must adopt a pragmatic approach to making themselves less vulnerable and focus their energy primarily on the risks that matter most to cybercriminals. This more measured and strategic approach to cybersecurity is likely to produce the most efficient benefits, while also protecting the organization's capacity for innovation and productivity.

In the grand scheme, most companies will not get hacked

Hackers will select the easiest targets in terms of stealing data or extorting money

It is important to recognize that cybercriminals are rational actors. Hackers will select the easiest targets in terms of stealing data or extorting money.

For instance, unless a new website can generate a large amount of revenue, there is no urgent requirement to make it 'perfectly secure', because the majority of hackers will not be interested in attacking small, unprofitable targets. The caveat, which follows from the point above, is that mass automated attacks select on ease rather than value: being unprofitable only keeps a site off the list if it is not also trivially exploitable.

Vulnerabilities 

But how can a company tell whether they are an easy target or not? Often, businesses will invest in scanning tools that indicate how many vulnerabilities exist within their infrastructure to gauge their current situation.

However, simply knowing the number of vulnerabilities that exist across their websites or systems is only a first step, and is not necessarily useful information on its own. If an IT department is told there are 100 vulnerabilities, what should they do with that data? Is that a lot, or is it very little?

How serious are these vulnerabilities and which ones should be prioritized? 

Instead, benchmarking can be a more useful metric, by showing an organization how “hackable” it is compared to its peers. Rather than trying to fix every vulnerability, companies need to ensure they remain harder to attack than the industry average, as this decreases the likelihood of an attack: cybercriminals are more likely to go after softer targets.
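The question "100 vulnerabilities, which first?" only has an answer once each finding is weighed by more than its count. The following is an added example, not code from the article or its author: it triages a constructed scan export using an illustrative scoring scheme (CVSS base score plus bumps for known exploitation, internet exposure and asset criticality; the weights and thresholds are assumptions, not a standard) and buckets the results so a team can see what to fix now versus what can wait.

```python
"""Triage a vulnerability scan export instead of treating "100 findings" as one number.

Scoring scheme (an assumption for illustration, not a standard):
  priority = CVSS base score
           + 4.0 if exploitation in the wild is known
           + 3.0 if the host is reachable from the internet
           + 1.0 per step of asset criticality above "low"
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str          # scanner's own identifier (constructed here)
    cvss: float              # CVSS base score, 0.0 to 10.0
    exploited: bool          # threat-intel flag: exploitation seen in the wild
    internet_facing: bool    # host reachable from the public internet
    asset_criticality: int   # 1 (low) .. 3 (high), set by the asset owner


# Constructed sample export: five findings across four hosts.
SAMPLE_FINDINGS = [
    Finding("www-01", "F-001", 9.8, exploited=True, internet_facing=True, asset_criticality=3),
    Finding("db-02", "F-002", 9.8, exploited=False, internet_facing=False, asset_criticality=3),
    Finding("dev-laptop-7", "F-003", 5.3, exploited=False, internet_facing=False, asset_criticality=1),
    Finding("www-01", "F-004", 7.5, exploited=False, internet_facing=True, asset_criticality=3),
    Finding("test-vm", "F-005", 8.8, exploited=False, internet_facing=False, asset_criticality=1),
]


def priority_score(f: Finding) -> float:
    """Combine severity with exposure and business context into one number."""
    score = f.cvss
    if f.exploited:
        score += 4.0
    if f.internet_facing:
        score += 3.0
    score += 1.0 * (f.asset_criticality - 1)
    return score


def bucket(score: float) -> str:
    """Thresholds are illustrative; tune them to the team's actual capacity."""
    if score >= 14.0:
        return "fix now"
    if score >= 9.0:
        return "this sprint"
    return "backlog"


def triage(findings):
    """Return findings ranked highest priority first, with score and bucket."""
    ranked = sorted(findings, key=priority_score, reverse=True)
    return [
        (f.host, f.finding_id, round(priority_score(f), 1), bucket(priority_score(f)))
        for f in ranked
    ]


def summarize(findings) -> dict:
    """Count findings per bucket: the number a team can actually plan around."""
    return dict(Counter(bucket(priority_score(f)) for f in findings))


if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(row)
    print(summarize(SAMPLE_FINDINGS))
```

Note what the ranking does with the sample: the 8.8 on an isolated test VM lands in the backlog, while a 7.5 on the internet-facing production web host is scheduled for the current sprint. The raw count ("five vulnerabilities, two of them critical") would have suggested the opposite order.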

Also, companies can set milestones in the development lifecycle of their new apps and products to decide the right time to introduce robust cybersecurity measures. This will help organizations prioritize their cybersecurity efforts to maximize their impact.

Walking a tightrope: balancing risk aversion with innovation

Businesses do not allow overzealous cybersecurity measures to harm their capacity to innovate

As the CEO of a cybersecurity service provider, here is my somewhat controversial opinion: security is not the most important part of any business. Of course, the threat from cybercrime is rising, so every organization must implement a robust security strategy.

However, it is also vitally important that businesses do not allow overzealous cybersecurity measures to harm their capacity to innovate, take risks, and embrace new tools and technology. Unfortunately, this is the case within many organizations. 

Addressing vulnerabilities 

Today, CSOs, CISOs, and IT leaders face many competing priorities within their organizations. They are pulled in multiple directions and are expected to juggle an overwhelming amount of information while also making quick decisions to ensure all vulnerabilities are addressed.

As a result, many are suffering from burnout and are deciding to quit the industry altogether. 

Risk-averse approach

Meanwhile, others have adopted a “healthy paranoia” in their efforts to defend against the growing number of security threats. This leads them to resist adopting new technology and to be overly forceful in pushing their own position.

This risk-averse approach is akin to using a sledgehammer to crack a nut: a disproportionate amount of effort that results in unintended negative impacts on other parts of the organization. 

Tunnel-vision approach

While risk aversion can be healthy, implementing overzealous security measures is likely to stifle company culture

While risk aversion can be healthy, and it is in the best interests of a company to invest in cybersecurity, implementing overzealous security measures is likely to stifle the aspects of a company culture that can lead to global success.

A tunnel-vision approach to security that neglects innovation in favor of preventing total disaster can produce a culture with neither the aptitude for innovation nor the appetite for taking chances on new ideas. This demoralizes the workforce and lowers productivity, as the company becomes too fearful to take worthwhile risks. All of this harms the company’s long-term survival as it loses market share to more fearless competitors.

Cybersecurity is a marathon, not a sprint

Fortunately, businesses do not need to panic when confronted with the scale of cybercrime, because for most organizations the risks are much lower than they may assume. Security experts can see threats around every corner, and while this is an important skill, it also needs to be kept in check.

Businesses must regularly take a step back and regain a sense of perspective on which risks are real and imminent, and which may become a danger in the future but do not require immediate measures. 

Risk assessment 

Companies can improve their cybersecurity incrementally, rather than race to fix every vulnerability

Of course, that is easier said than done, but there are tools and services on the market to help organizations assess risk realistically while providing warning of potential threats. This way, companies can improve their cybersecurity incrementally, rather than race to fix every vulnerability as soon as it is discovered.

By equipping IT teams with such tools, companies can take the necessary steps to reduce the risks of a cyberattack in the long term while spending fewer hours and resources on cybersecurity, thus ensuring budgets are spent more effectively.

A balanced perspective on cybersecurity

Security experts and their companies need to think rationally from a hacker’s perspective about which risks will lead to genuine harm and which are purely speculative.
 
By adopting a more balanced perspective on cybersecurity, businesses can focus on pursuing opportunities and innovation without unnecessary paranoia. A healthy dose of fear can be a good thing, but developing strong, sensible, and sustainable security foundations requires practicing moderation and reason, not perfectionism.