In the previous post, I talked about deciding to take action for identified network cybersecurity “health” issues. This is where things get interesting and often where the ultimate failure occurs.
Let’s go back to the medical health comparison for a moment. In an ideal world of healthcare, you've criteria defined for assessing health and then criteria defined for determining and administering treatment. Medical professionals use scientific methods for assessing health and then apply the wisdom of experience to prescribing treatment. This works fairly well, for the most part, but there are systemic issues that cause this to break down.
In the US, for example, medical professionals do indeed diagnose illness and prescribe treatment, but it’s ultimately health insurance companies that dictate whether the prescribed treatment is acceptable. Yes, that’s correct… the health insurance professional who’s usually not a health care provider makes the call about whether what the doctor ordered is allowed. If the cost of the treatment is above a set amount there is a high likelihood that it will be denied.
Unfortunately, this isn’t at all unlike what we see in the cybersecurity world. The security professional who makes the solution decision will then have to appeal to someone who controls budget resources in order to get what they need to fix the problem. I’m sure everyone reading is very familiar with this. It’s frustrating and can feel like a circus act. In the end, you quite often don’t get the resources you need.
The main issue of course is always about finances and a top decision-maker in a large organization has a fiduciary responsibility to maximize shareholder value, which usually means keeping operation costs down and profits up. Beholden to the shareholders and in the absence of any law requiring a prescribed set of treatments for cybersecurity issues, investment often comes down to pure finances.
Perhaps most troubling is that there is a large grey area here. Once issues are identified, a key decision-maker may choose to ignore the risk and hope that it does not negatively impact shareholder value before their tenure is up. Profit and growth incentives may cause the management, for example, to discount the cybersecurity risk and postpone necessary investments. Moreover, in the absence of any legal requirements to take action, all that the officer needs to be able to prove is that the cost of fixing the problem may be greater than any negative outcomes.
We can also look into other industries for cautionary tales. Ford Motor Company took this risk with the Ford Pinto in a landmark case in the 1970s. The decision-makers calculated that the cost of fixing a hazardous gas tank issue that could lead to potential fire and death was greater than the financial losses from compensations for the losses. As it turned out they were very wrong, and the reputation of the company suffered severely in the following decades.
So, I guess this leaves the question, who will be the first one to make the wrong decision about cybersecurity issues and does it make sense to seriously consider some sort of preventative regulation before that happens?