In recent months, a spate of high-profile attacks on everyone from private companies to critical infrastructure has put cybersecurity squarely on the radar. But while most seem to understand the need for cybersecurity, many companies and organizations are still lagging behind, and it can be difficult to get buy-in from all levels, especially the C-suite.
CFE recently put together a group of leading experts in the industrial cybersecurity field for an open conversation about some of the prevailing trends in cybersecurity, including how to secure a cybersecurity budget from the C-suite. Joining Gary Cohen, senior editor of Industrial Cybersecurity Pulse, are Jim Crowley, Ryan Heidorn, Pranav Patel and Tyler Whitaker.
Crowley is an operating executive with deep domain expertise in industrial control system security. He has managed significant revenue streams at public companies and positioned companies for exit through strong revenue growth and new customer acquisition. Crowley has been the CEO of Industrial Defender for more than two years.
Heidorn is the co-founder and managing director of Steel Root, where he leads the firm’s cybersecurity practice. His expertise includes helping government contractors implement and operationalize cybersecurity requirements under DFARS and CMMC.
Patel is the founder and CEO of MediTechSafe and Resiliant. He has experience in product, services and software (SaaS) businesses across multiple industries including health care, aviation, energy, batteries, manufacturing and automation systems, and wireless/semiconductor.
Whitaker has been the CTO at Leading2Lean for more than 12 years. The company helps manufacturers implement lean principles and provides a lean manufacturing execution solution delivered via the cloud.
The discussion has been edited for clarity.
ICS Pulse: Do people still need to make a business case for cybersecurity at this point, justify its need to the C-suite? Or are we finally moving past that to where we can just dive in and try to start solving the problems?
Jim Crowley: The answer is yes, we still have to justify it. It can’t be an open-ended discussion. Certainly, people in the C-suite have complained for many years that IT (information technology) comes and asks for money, and they’re not really sure what the value is. Even though they know that they need IT, they know that they need automation and they know that they need to innovate, unless you justify that IT spend, it sometimes can land on deaf ears. I think we have the same problem with cybersecurity. The budgets are opening up. There’s a lot more awareness now, but you still have to quantify and qualify what the ask is and what the return is going to be.
If you’re smart about it, you’re going to frame it in terms of a risk discussion. If I spend X amount of dollars, I’ll get Y reduction in risk. If you can frame it that way to the C-suite, then you may make some progress. Again, the C-suite often looks at security as insurance and compliance as a tax, and nobody likes to spend money on either one of those things. So you really have to have your ducks in a row before you go ask for the dough.
Ryan Heidorn: I think I’ve found less of a need in recent years to educate stakeholders on why security is important. But like Jim said, there’s still plenty of resistance to making the necessary investments. Especially when we see the market not reacting to major breaches as strongly, I know there’s still an appetite to roll the dice. So I think these issues ultimately probably end up getting regulated when you consider how critical security is to our economic security and national security.
One thing that I noted that might be an interesting jumping-off point is, if you’re familiar with the Cyberspace Solarium Commission that came out of Congress a couple of years ago, they released a report last year that basically recommended that Congress amend the Sarbanes-Oxley Act to incentivize a whole host of things like vulnerability remediation and incident reporting. I think we can expect to see changes to this effect that will influence how the C-suite sees cybersecurity going forward.
ICSP: When trying to get buy-in from the higher-ups, does it really just come down to speaking the right language? Jim, you mentioned taking a risk-based approach. Is it not just saying we need money, but trying to prove how that money will affect the bottom line and making a business case instead of just a cybersecurity case?
Crowley: Yeah, absolutely. What we help our clients with is to sort of focus on the hygiene. If you do the basics, you can take about 85% of the risk off the table, according to people like the Center for Internet Security. It’s a daunting task a lot of times if you’re starting from ground zero and you haven’t really done much other than maybe secure the perimeter, and now you have to worry about all the other systems and applications, in our case in an industrial environment.
But if you can boil it down to say, “Look, here’s the starting point. Do these five things. Go ask for the money for this particular program.” And then show them how you’re going to measure your effectiveness of that program over time. It’s not just about reducing the risk, but also saying, “Hey, I’ve reduced the risk, and here’s how I’m proving that to you.” So when you go ask for the next tranche and the next tranche — you have money for technology, staff or for programs — you can lay it out in front of people, and they can see where you’re headed.
Pranav Patel: I’ll add to that. I think the way to think about this is cybersecurity for most companies is not a revenue-generating activity. So a dollar spent in cybersecurity is a dollar less spent in new product, acquiring customers and digital transformation. While it is essential in today’s environment to have good cybersecurity to retain value, it really doesn’t create value unless you’re a cybersecurity company. And when you think about it, in our own role, we want to invest in a company where share prices go up. There is always going to be a bias for an executive toward value creation, rather than retaining the value.
When you talk to most of the business guys, especially those not in IT or a technology field, they probably think that they actually have cybersecurity. It’s true. They probably have perimeter controls and whatnot. But I think what they struggle with is, “Do I have adequate security? What’s the right amount? Where should I allocate resources versus where not?” To answer these questions, you really have to put together the business plan to show the optimal state as opposed to, “Hey, I just need more money.” I think that’s kind of where the business case part comes in more so than them knowing I need cybersecurity.
Tyler Whitaker: Yeah, that’s a really good point. From an ROI (return on investment) perspective, it’s hard to budget for cybersecurity when there is no return on investment. If you think about it in terms of compliance to actually play in the industry that you’re in, then the regulation side of this really provides a framework for cost justification of cybersecurity. The other thing you need to look at is from a risk mitigation perspective, an insurance policy. Do you know what level of risk your organization can handle and what safeguards you can put in place to mitigate that risk as much as possible?
ICSP: What would you say are some of the top causes of frustration with respect to cybersecurity and the C-suite, the board, and the people who are making the decisions and opening up the wallets?
Patel: If you look at the estimates today, generally 25% of the technology projects fail outright. 20% to 25% don’t show any return on investment. Up to 50% of the projects go through massive reworks. If you come anywhere close to those stats, and if you’re a board member and you see a funding request, you know how you react, right? Basically, the important part of it is they understand cybersecurity is critical. They read the news. They don’t want to be on the front page of the New York Times. They don’t want to be personally held liable for it, but they also have a fiduciary duty.
Remember, $1 wasted has lots of opportunity costs. There is a gap between the budgeting process and their experience of all the things that they heard in the past. Quite honestly, I think sometimes technology gets oversold. The procurement side probably doesn’t know all sides of the things, and you have surprises later on, and that creates a lot of frustration. I know it’s needed, but I don’t know if it’s going to be spent well. How you bridge those two gaps is really what causes frustration among board members as well as the executive suite.