Challenging the ‘good enough’ cybersecurity mindset

As the digital footprint of businesses expands, so does their cybersecurity risk. Even though this increases potential threats, CISOs are still battling the attitude that whatever walls they’ve already put in place are good enough.

That’s what CompTIA found in its overview of the state of cybersecurity. In it, nearly 2 in 5 respondents cited the widely held perception that security is “good enough” as a challenge to their cybersecurity initiatives.

It tied with the cybersecurity skills gap among internal employees as the top challenge overall.

“Most companies now recognize this notion of ‘good enough’ is oversimplified, but they don’t have a lot of practice figuring out what should replace it,” said Seth Robinson, VP for industry research at CompTIA, and author of the report.

Part of this problem is a historical attitude that cybersecurity is simply part of the general IT team’s job.

“If you rewind a couple of decades, you’d be hard pressed to find a company that would have a dedicated security team,” said Robinson. “Now today everyone has one.”

The stakes were also lower then, because cybersecurity mostly amounted to maintaining a security perimeter. The value of digital assets was also much lower, so there was less incentive to commit cybercrime, whereas today stealing information and digital assets is a lucrative criminal enterprise.

As the way businesses operate and their protection needs changed, few companies had the metrics required to understand how their security was performing, according to Robinson.

The overarching problem, Robinson said, is the complexity involved in cybersecurity and in understanding the threat landscape.

CompTIA found that organizations are struggling to improve their security because of technology priorities, a lack of metrics to measure the effectiveness of security programs and a low understanding of broader cyber technology and threat trends. 

Adding to the problem, many organizations lack in-house security or are uncertain how to contract security out to a third party, CompTIA found.

The cloud security revolution

If a company is still struggling to understand the value and importance of cybersecurity, cloud computing should be a tipping point, Robinson said.

“Cloud computing was the natural extension of this internet age where all of a sudden, you’re realizing your secure perimeter isn’t good enough. You need to be thinking of security differently,” he said.

If an enterprise still isn’t there yet, security professionals should examine how they have been presenting the risks and what needs to change, said Deron Grzetich, West Monroe national cybersecurity leader. 

“Has the CISO portrayed the risk to the business itself?” he said. “That’s where the CISO falls flat a bit in not being able to translate some of the technical concerns they typically have into potential business impacts.”

CISOs may also be fighting against a C-suite that is driven more by innovation and getting product to market than cybersecurity. 

That’s especially true with newer companies where the attitude is “we just need to be the fastest gazelle” in the race, Grzetich said.

In those cases, CISOs should focus on communicating the cyber maturity of the security program, and how its state, or the lack of it, can harm the business.

That could mean presenting a risk analysis that illustrates how relying on the idea that security is “good enough” could have serious reputational, financial and regulatory consequences.

This is also where finding and tracking metrics can help, Robinson said. Including them in a risk-management approach is a “way to speak the language of business,” he said. “What we’re ultimately trying to do is create a case for why you want to mitigate risk, or how much investment can mitigate how much risk.” 

That view can also move cybersecurity from being a cost center, a cost of doing business, to a strategic part of the business.

This resonates with business leaders because they are always asking “what level of investment are they comfortable making to bring that risk profile as low as possible,” Robinson said.