Wednesday, July 18, 2012

Myth: that secret coffee slush fund

The biggest myth in cybersecurity is that there is some sort of secret slush fund of money going to waste, such as buying coffee for employees. The cybersecurity guys firmly believe that this money can be better spent on improving security, such as appsec code scanners, a better IPS, training for employees, or more employees.

But this is not unique to security: every employee believes their department needs more money. I found this out when I became the CxO of a 100-person company, and every department head came to me in order to lobby for more money. Everyone believed in the coffee slush fund, and everyone believed they had a better use for that money.

But I didn't have any extra money to give them. All of the money was coming out of my personal pocket, or the pockets of the other two co-founders, or from the customers. Every dollar that came in was immediately spent again. I had invested everything I had in the company and was by then essentially broke. I was desperate for some secret stash of cash, but none existed. Any increase in one department's budget would necessitate a reduction in another department.

The same is true for any large company. All the money is spoken for. Sure, rich companies like Apple and Microsoft have a lot of cash sitting in the bank, but that's cash that belongs to the investors. If they spend that money, that then means operating the company at a loss. When companies operate at a loss, their investors desert them.

But it's not a "loss", you say, but an "investment" in the future. That's a fallacy. In the long run, we all die, and that applies to companies, too. Eventually, market conditions change. Look at Nokia and RIM as examples. They had well-run businesses in a growing market, then some upstart company came along and completely changed the market, bankrupting them. The only time "investment" in the future makes sense is when the company is starting up, or restructuring in an attempt to tackle a new market (e.g. Amazon ran at a loss for a couple quarters to push out the Kindle).

So-called "investment" in trying to increase sales by another 10% with the current business model isn't real investment – it's not knowing how to run your business. Using that model, you'll keep operating at a loss until the very end. Real business is quickly making a profit and repaying investors (stock buybacks, dividends), which means that ton of money in the bank can't be used to shore up cybersecurity. Cybersecurity spending has to come from the normal operations/cashflow. It has to come out of some other department's budget.

Everyone who goes to their boss lobbying for more budget believes they have an honest reason for doing so. But they don't. It's like how everyone believes they are an above-average driver. The source of this belief cannot be an honest appreciation of the facts. Therefore, it must be a dishonest belief in one's own worth. Cybersecurity professionals have this in spades. They've raised their profession into some sort of quasi-religion. Cybersecurity has become some sort of moral duty rather than a rational cost/benefit or threat analysis. They believe themselves to be of the greatest importance, and by extension, everything else in the company to be of lesser importance.

The same is true outside companies. In regards to cybersecurity legislation, I often hear statements like "we could make progress if it weren't for special interests". I always jump in at that point to say "but cybersecurity is a special interest". I never convince anyone of this, because of course, no special interest thinks of themselves as such.

The erroneous belief in the secret coffee slush fund infects cybersecurity in odd ways. Take, for example, the cliché of "defense in depth". In the traditional military usage, this phrase meant a tradeoff, such as moving troops from the borders to the depth of the country, so that they couldn't be wiped out in a surprise attack. In cybersecurity use of the term, it can't be a tradeoff. It's not about reducing defenses on the edge of the network in exchange for stronger internal defenses. Reducing defenses anywhere is a bad thing. Therefore, defense-in-depth invariably becomes yet another argument why the company needs to spend more on cybersecurity -- and less on coffee.

Surveys show that the #1 reason cybersecurity professionals are unhappy is because the company doesn't listen to them about spending more on cybersecurity. Go to the average conference and all the professionals are seething with frustration and resentment about this. They think if they can just put the problem in "business terms" like "return on investment" (ROI), then business leaders will listen. This fails, and cybersec pros can't figure out why their arguments are failing. Well, it's because everybody promises unrealistic ROI in an effort to lobby for more money out of the slush fund (indeed, the CEO probably did the same thing when lobbying venture capitalists for money to start the business). Business leaders have become hardened against this argument – yes, ROI is their language, but no, you can't convince them of anything trying to use it.

Instead of trying to speak in business terms they don't understand, cybersecurity professionals should stick to the terms they do understand. If the threat has increased, tell the boss that, and explain how you are rearranging the existing budget to accommodate the increased threat. Tell the boss that you need to spend less on anti-virus to increase spending on web-app security – that you are adjusting tradeoffs rather than trying to increase your budget. What the boss really hears is "I'm doing my job to the best of my ability" not "I need more money". Once the boss hears this, she might then ask you "…would a larger budget help?".

Or think of it another way. There is no logical or moral argument you can make to business leaders to increase your budget. They have far more experience resisting such arguments than you have of making them. Instead, focus on the "social engineering" argument. When you tell them you are rearranging your budget (and not trying to increase it) to counter a new threat, they will hear "new threat" rather than yet another lame excuse for more budget. Chances are still low that they'll give you more budget, but at least it's a higher chance than the other way.

I'm on both sides of this. As a technical expert in cybersecurity and pentester, I know for a fact that my customers are often not investing enough in cybersecurity. But at the same time, from the CxO perspective, I know that cybersec professionals are not honest in why they want a larger budget.