Over the past several years, my team and I have engaged in countless discussions with IT and business leaders of mid-market organizations. They are often looking to improve their security posture, adhere to regulatory compliance, or report to their management/board on the steps they are taking to prevent being all over the news over a cybersecurity breach. Typically, the technical leaders we’re speaking with, IT Managers, Directors, and VPs, recognize the need for enhanced security. Yet, they have a hard time securing budget, or convincing “the business” that this is a necessary expenditure. As such, cybersecurity initiatives tend to take a ‘back seat’ to other more prominent projects, especially ones with an easier to measure ROI and TTV (time to value). We are often told: “Guys, we love this! We understand the value proposition, the service is unlike any we’ve seen, and your price is reasonable… but, let’s chat again next quarter.”
I humbly submit that postponing cybersecurity discussions until later is a recipe for disaster. As the title of this post says: security “next quarter” is worse than no security. Unfortunately, some mid-market IT leaders use plausible deniability as a reason not to even engage with a cybersecurity firm. They would rather not have a conversation than acknowledge that they are aware of risks and are choosing to do nothing about them.
Encouragingly, some progress is being made in promoting awareness of cybersecurity risks amongst organizational leadership. Undoubtedly this is spurred by the constant barrage of cybersecurity events/breaches in the news, which makes business leaders nervous. What remains lacking is the urgency for action that this awareness should dictate. Indeed, prioritization of cybersecurity programs, purchases, and policies is seemingly difficult to achieve.
Read on for the reasons why projects are delayed, deferred, or remain unaddressed for years.
Cutting Through the Noise
Some leaders argue that defining a ‘project’ or starting research is positive traction. This is a dangerous thought process. Having a project ‘lined up’ can lead to a false sense of security; lots of ‘road mapping’ and ‘busy work’ and reporting progress (or lack thereof) to management, while not actually delivering the necessary outcomes.
Another reason companies redeploy their budgets away from cybersecurity initiatives is that they don’t perceive the need. After all, “nothing has happened” to warrant spending on protection (yet) from threats that they aren’t sure are real (yet). Time and again, we have seen situations where there was no budget… until there had to be – to respond to a business-crippling security incident. This “I’ll believe it when I see it” attitude needs to be curtailed, quickly.
Finally, IT Departments de-prioritize cyber initiatives because of the difficulty in articulating the value proposition. It’s much easier to quantify how the new app or system being deployed can achieve better financial outcomes, compared to the seemingly endless pit of precious budget money that cybersecurity appears to require. Note, this is false; meaningful/measurable cybersecurity initiatives need not be expensive, nor require investment in tools, and/or hiring entire departments.
These reasons help explain how some decision makers within organizations (especially small to mid-sized enterprises where resources are limited) defer or delay implementing a cybersecurity solution. I won’t dive deep into the impact that this delay can have here (see our post on the true cost of doing nothing), but you can easily imagine the impact of a breach occurring without proper protection in place. Or, at least, that it would be worse without such protection.
Assuming such an impact, let’s explore how we create a sense of urgency for leadership; how we position this (dire) need against clear revenue-generators. How we “make tangible” the threat of something that hasn’t happened (yet).
Setting the Right Expectations
We ask questions of our prospective clients, both to qualify whether our solution is right for them and to get them to imagine the consequences of doing nothing. We need to sway business and IT leaders away from fallacies like “a breach won’t cost me that much” and “sure, a breach would be catastrophic, but I’m not going to be targeted.” Some of the key questions we have been asking prospective clients include:
- Do you know if you are ‘hacked’ right now?
- How would you even know if you were ‘hacked’ right now?
- If I was hacked, how much downtime could I experience? What would that cost the business? Who/what would be impacted?
- How am I doing against my peers/competitors in terms of cybersecurity readiness?
It is through such explorations that the need for an immediate solution becomes obvious.
Outcomes at the Forefront
Most of the engagements we’ve done in recent years had deeply intricate discussions around either: Technology (to SIEM or not to SIEM; EDR as a Service; the role of NAC); Compliance (PCI, GDPR, SOC 2, …); or Service Replacement (I won’t name specific MDR or MSSP vendors, but we’ve replaced them all). Most of these clients just wanted to answer: What can I invest in that will give me the broadest possible assurance that I’m unlikely to be breached? The focus on specific features/technologies is just a function of their technical nature – they think that they need to understand the interaction with the rest of their environment. While this is true, it doesn’t always serve the purpose of understanding the outcome that they’re really after: continuous risk reduction.
Overcoming Market Confusion
The problem such prospective clients face is noise in the market. So many cyber vendors are pitching tools, platforms, products, services… that they don’t even know where to begin. Many of them don’t even know the right questions to ask. Here’s a suggestion: Start with the end in mind. Ask yourself, ‘what problem am I trying to fix? And why?’ and ‘what would happen if I didn’t fix it and the unthinkable still happened?’
My hope with this blog post is to start a discussion, emphasizing that postponing your investment in cybersecurity services is never a good idea. The consequences to the business are too great to leave the outcome to a ‘dice-roll’. As an aside, this is why ActZero offers extremely attractive terms/pricing/risk-free options... all in an effort not to trap a client into something they don’t need, and to help where we’re most needed (SMBs). Business considerations aside, I would submit that on a personal level: being aware of potential risks and not doing something about them, is considerably worse than not knowing about them in the first place. Plausible deniability anyone?