This past year has reinforced the challenge of confidently predicting the future. What we know for sure, though, is that the future will feature difficult conversations between organisations’ senior leadership and their information security teams about the state of their cyber security. There will be discussions about the size and composition of cyber security budgets, avenues for innovation, and debates about the effectiveness of ongoing programmes.
Because these cyber security discussions can be complex, it can be difficult for stakeholders to feel confident in their decisions. Indeed, a recent survey of US and UK cyber security professionals found that 70% lacked confidence in their organisation’s security posture.[1] However, senior leadership teams make challenging decisions all the time. There is no reason why they shouldn’t have the same comfort discussing their cyber security posture as they do other core elements of their business. So, what’s holding people back? What is driving their insecurity?
This report shares our perspectives from our work with hundreds of business and information security leaders. We want to demystify the drivers of insecurity in the cyber security realm. In so doing, we can map a path toward cyber confidence, highlighting various areas that bring focus to decisions, increase clarity around relevant risks, and raise the effectiveness of a security programme along the way.
Simplicity: Focus the Discussion
The leaders of Berkshire Hathaway, Warren Buffett and Charlie Munger, know a thing or two about making good decisions. They wrote in a shareholder letter, ‘Simplicity has a way of improving performance through enabling us to better understand what we are doing.’[2] Sounds straightforward. Yet simplifying a decision can be easier said than done, particularly when it comes to cyber security. Indeed, rather than encouraging simplicity, media and industry reporting often does the opposite, with commonplace headlines about the “complexity” and “ever-changing” nature of the cyber threat landscape. Whilst some of this analysis is valid, it is hard for decision-makers to discern what should demand their attention.
Similarly, the rise of cyber risks has dramatically increased demand for cyber services. In turn, billions of dollars of capital have fuelled new companies, products and services.[3] Yet amongst all this exciting innovation, many organisations end up purchasing expensive security solutions which they then struggle to use. Under the pressures of relentless threat reporting and unfamiliar technologies, it is unsurprising that leaders are concerned about buying ineffective solutions to problems they don’t understand. Focusing on your organisation’s key security objectives is a good way to start introducing clarity and simplicity to the discussion. Once you’ve established what it is you want to achieve, breaking each decision down into the individual actions needed to realise it becomes a far more straightforward process.
Visibility: Surface Key Information
The second component of confident decision-making is having the right information. Unsurprisingly, a recent survey of US cyber security professionals found that the greatest factor in diminishing confidence in a security programme was poor visibility into its effectiveness.[4] The concerns include difficulties gaining visibility across an IT environment (e.g. where is our data?), sorting through too much threat information (e.g. what is all this telling me?), and translating cyber risks into business priorities (e.g. how do we protect the availability of our customer-facing systems?).
With executive teams already wary of growing cyber security budgets, a recent report surely raised eyebrows with the finding that the number of cyber security tools an organisation implements could actually have a negative impact on security.[5] Organisations using more than 50 security tools ranked themselves 8% lower in their ability to detect an attack and 7% lower in their ability to respond to an attack than those with fewer tools. The findings confirm that there is no technological silver bullet when it comes to cyber security. Rather, confidence will stem from focusing on the right information, not from accessing as much of it as you possibly can.
Familiarity: Practise Decision-Making
Deborah H. Gruenfeld, a Professor of Organisational Behaviour at Stanford, has written extensively on the subject of confidence. Her writing explains how regular practice in a particular discipline not only builds confidence, but also improves quality.[6]
So what does “practice” mean in the context of cyber security? It means decision-makers regularly engaging in discussions in a clear and informed way. It entails stakeholders with differing areas of expertise taking the time to understand their counterparts’ roles and responsibilities. It includes communicating with each other frequently enough to establish trust and credibility before decisions must be made. All these themes come together in cyber response exercises, which leadership teams are increasingly undertaking as they seek to practise their response and raise their confidence in managing a cyber incident.
A Roadmap to Cyber Confidence
Our overarching goal with this report is to help leadership and security teams build confidence in their cyber security posture. To this end, we have brought together a range of articles, interviews and analyses, all structured around a series of straightforward guiding questions. They are designed to prompt our readers to assess the level of simplicity, visibility and familiarity they maintain in their cyber security programmes.
1. Do you understand the threat picture?
2. Are you focusing on the right risks?
3. Do your mitigation measures align with those risks?
4. Does your response plan reflect the most likely threat scenarios? Is it tried and tested?
5. Do you have a roadmap to recovery in the event of an incident?
These questions serve as a simple but powerful framework for leadership and security teams to assess their cyber confidence. Accompanied by engaging analysis and practical insights, we hope this report will encourage faster, better decisions that help organisations prepare to face tomorrow’s cyber security risk environment.
[1] “Cyber confidence: building a trustworthy security posture”, Nominet Cyber Security.
[2] “Keeping Things Simple and Tuning out Folly”, FS, September 2015.
[3] “2020 Roundup of Cybersecurity Forecasts and Market Estimates”, Forbes, April 2020.
[4] “State of Enterprise Security Posture Report”, Cyber Security Insiders, 2020.
[5] “IBM Study: Security Response Planning on the Rise, But Containing Attacks Remains an Issue”, IBM News Room, June 2020.
[6] “How to Build Confidence”, Harvard Business Review, 29 April 2011.