In 1943, Abraham Maslow came up with a hierarchical model that described the various needs that drive human behavior. Briefly, we humans need to satisfy the lower level before we will take on behaviors at the next level up. Our most fundamental need is survival; we need to eat, to sleep, and to be sheltered from the elements, or we die. So, we first act to cover those needs before we move on. Once we have that, we act to acquire security, or safety. With our physiological needs satisfied, at this level we protect ourselves. Clearly, if we are constantly looking over our shoulder, or risking being eaten in our sleep, we aren’t going to move on to more fulfilling activities. These two levels are described as humans’ “basic needs”, followed by “self-fulfillment needs” like love, esteem, and eventually, self-actualization.

Businesses have a similar hierarchy of needs. The business hierarchy also starts with survival, but now the business leader has to ask, “Do I have a source of sufficient funds and something to sell?” The second basic need is also the same: security. The question here is, “Can I safely transact my business in order to have something to sell and to get those funds?” These are the two basic needs: product/revenue and security. Self-fulfillment, or in this case business potential-fulfillment, is different. The needs that follow are trusted customer relationships, a recognized brand, and lastly, business expansion and corporate citizenship.


If you are currently thinking seriously about slashing your security budget, remember Maslow. Debilitating security capability creates a serious risk of failing to achieve higher-level goals like customer satisfaction and a winning brand. If the outcome of security reductions is a breach or public embarrassment, organizations will find themselves forced back to level two, establishing a secure foundation before they can get back to fulfilling their potential.

Security Reduction is a Sawtooth, not a Curve

You may be thinking you can reinvest in security as finances improve, but during that time the attackers are no less active, and you are now exposed. Large-scale tactical reductions in your security budget and capability result in a sawtooth wave of vulnerability. An uncompensated reduction in security (a furlough of security staff, for example) happens as a step function: your preparedness or response capability is impacted immediately, while reconstituting that protection takes place gradually over time. Particularly where security team members are concerned, there will be at least a six-month gap covering recruiting, interviewing, hiring, and ramping up new security staffers.

Unless You’ve Overspent on Security, Doing Less is Probably not Enough

In 1947, Judge Learned Hand “proposed an algebraic formula to determine if the standard of care has been met.” Simply put, if the cost of prevention is less than the cost of the damage multiplied by its likelihood, then the defendant was guilty. If we apply this equation on the day after a large-scale reduction, we can see there is an issue. Unless the organization was seriously overpaying for its security, a major reduction will now have it spending much less on prevention while the damage, and the likelihood of damage, have not changed. An increase in damages following a decrease in spending points to classically negligent behavior.

If you are thinking seriously about slashing your security budget, remember Judge Hand and his formula: the standard of care is not met when the cost of prevention is less than the likelihood of damage multiplied by the cost of that damage.

We can assume security buyers have current investment levels relatively correct. If those investments in protection are cut (in this example by 25%) without reducing exposure or introducing other controls, it creates an imbalance in the calculation of negligence. Protection costs are reduced, but the likelihood of breach has, at the very least, stayed constant. Projecting forward using growth rates from the past 10 years’ data, you see that the 25% one-time reduction results in liability for 40% of cybercrime costs in four years.
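The Hand test applied to a one-time 25% cut, as an added worked example that is not from the original post. The baseline spend, breach probability, loss figure and annual loss-growth rate are constructed assumptions chosen for illustration, not the 10-year cybercrime data the post refers to.

```python
from dataclasses import dataclass


@dataclass
class Posture:
    """One year's security position in Hand-formula terms."""
    prevention_cost: float      # B: annual spend on prevention
    breach_probability: float   # P: likelihood of a breach this year
    breach_loss: float          # L: cost of the damage if it happens


def expected_loss(p: Posture) -> float:
    """P * L, the expected cost of damage for the year."""
    return p.breach_probability * p.breach_loss


def hand_negligent(p: Posture) -> bool:
    """Judge Hand's test: the standard of care is unmet when B < P * L."""
    return p.prevention_cost < expected_loss(p)


def project(p: Posture, cut_fraction: float, years: int, loss_growth: float):
    """Apply a one-time cut to B, hold P constant, grow L each year.

    Returns one (year, B, P*L, negligent) row per projected year.
    """
    spend = p.prevention_cost * (1 - cut_fraction)   # cut is never reinvested
    loss = p.breach_loss
    rows = []
    for year in range(1, years + 1):
        loss *= 1 + loss_growth                      # damage keeps growing
        pl = p.breach_probability * loss
        rows.append((year, spend, pl, spend < pl))
    return rows


def first_negligent_year(rows):
    """Year in which the reduced spend first falls below P * L, or None."""
    return next((year for year, _, _, neg in rows if neg), None)


# Constructed baseline: $1.0M spend, 5% annual breach likelihood, $12M loss.
BASELINE = Posture(1_000_000, 0.05, 12_000_000)
# A 25% cut with an assumed 10%/year rise in breach losses over four years.
PROJECTION = project(BASELINE, cut_fraction=0.25, years=4, loss_growth=0.10)
```

Before the cut B (1,000,000) exceeds P*L (600,000); after it, the unchanged probability and growing losses cross the reduced spend in year 3 of the projection.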


Act with Intention Amid Chaos

Periods of high stress cause us to lean towards major moves to relieve that stress. If you are finding yourself in a budget bind because of current economic conditions, take the time to think through the impacts. Security is an easy target: it is a cost center, and weaker security isn’t obvious to customers or external observers. Unfortunately, security is a competency that takes time to develop, and one where gaps can result in outsized consequences. So, think about your choices, and if you need to reduce investment in your security budget, ensure that you’ve identified the resulting gaps, and have found ways to close them, before you act on any reductions.

Additional Resources:

Securing Success: Gaining Executive Buy-in for Cybersecurity

Why Cybersecurity Budget Cuts Are Not an Option — Especially in Tough Economic Times
